AWS network-firewall documentation change
Summary
Updated guidance for handling TLS 1.3 Encrypted SNI/Client Hello traffic
Security assessment
Provides updated security configuration guidance for excluding unsupported TLS 1.3 features from inspection scope, helping users avoid connection issues. While security-related, it documents existing limitations rather than addressing a specific vulnerability.
Diff
diff --git a/network-firewall/latest/developerguide/tls-inspection-considerations.md b/network-firewall/latest/developerguide/tls-inspection-considerations.md index 8cd58ee35..29600b81c 100644 --- a//network-firewall/latest/developerguide/tls-inspection-considerations.md +++ b//network-firewall/latest/developerguide/tls-inspection-considerations.md @@ -89 +89 @@ The following limitations apply to TLS inspection configurations: - * Traffic encrypted using TLS v1.3 Encrypted SNI and Encrypted Client Hello extensions aren't supported. When Network Firewall can't find an SNI in the client hello, the service closes the connection with a `RST` packet. If this is an issue for your workloads, you can use standard stateless rules to bypass TLS decryption. + * Traffic encrypted using TLS v1.3 Encrypted SNI and Encrypted Client Hello extensions aren't supported. When Network Firewall can't find an SNI in the client hello, the service closes the connection with a `RST` packet. If this is an issue for your workloads, you can configure your TLS inspection configuration scope to exclude the workloads using TLS v1.3.