Technical Note: Using cURL to verify SSL/TLS protocols and cipher suites accepted by FortiGate
Description
Scope
FortiGate SSL VPN Portal IP Address,
HTTPS Website Protected by FortiGate/FortiWeb.
Solution
- Download and install a pre-compiled version of cURL for the operating system. A popular version for Windows is called 'cURL for Windows'. Alternatively, compile cURL manually.
- Determine the IP address and port number to which a connection is to be made. This can be the IP and port number of the FortiGate management address, SSL VPN, or a server behind the FortiGate.
- Determine the version of TLS/SSL to be tested, as well as which cipher suites.
- Test with cURL using the parameters determined above.
Example 1: Testing the FortiGate SSL VPN interface for SSLv3 (any cipher suite):
curl https://10.0.0.5:10443 -k -v --location-trusted --sslv3
…
[output removed]
…
alert handshake failure (connection is NOT accepted)
Example 2: Testing the FortiGate management interface for TLSv1.2 using the 3DES bulk cipher/encryption algorithm:
curl https://10.0.0.1:443 -k -v --location-trusted --tlsv1.2 --ciphers 3DES
…
[output removed]
…
* Connection #0 to host 10.0.0.1 left intact (connection is accepted)
Example 3: Testing the FortiGate SSL VPN interface for TLSv1.2 using the cipher suite AECDH-AES128-SHA:
curl https://10.0.0.5:10443 -k -v --location-trusted --tlsv1.2 --ciphers AECDH-AES128-SHA
…
[output removed]
…
* Connection #0 to host 10.0.0.5 left intact (connection is accepted)
Note that cURL uses OpenSSL, so the --ciphers argument must use OpenSSL's cipher-string names rather than the IANA/RFC names. AECDH-AES128-SHA is the OpenSSL name for the RFC cipher suite TLS_ECDH_anon_WITH_AES_128_CBC_SHA.
A full list of ciphers available can be found in the OpenSSL Cryptography and SSL/TLS Toolkit documentation at https://www.openssl.org/docs/manmaster/apps/ciphers.html.
More details on the cipher suite are available at Technical Tip: Understanding the cipher suite 1.2 supported by Fortinet devices.
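The manual checks above can be turned into a repeatable sweep. The script below is an added example, not part of the Fortinet note; it assumes curl is built against OpenSSL and that the target host and port (the 10.0.0.5:10443 values are constructed samples) are given as arguments. It classifies each probe from curl's exit status rather than from the verbose text, which varies between curl/OpenSSL builds.

```shell
#!/bin/sh
# Added example (not from the Fortinet note): sweep an endpoint with curl for
# legacy protocol versions and weak cipher strings and report what is accepted.
# Assumptions: curl is linked against OpenSSL; host and port are passed as
# arguments, e.g. "./tls_sweep.sh 10.0.0.5 10443" (constructed sample values).

# Map a curl exit status (plus its verbose output) to a verdict.
#  0 -> TLS negotiated, "Connection ... left intact"   => accepted
# 35 -> SSL connect error, e.g. "alert handshake failure" => rejected
#  4 -> option unsupported (e.g. SSLv3 compiled out)    => client-error
# 59 -> OpenSSL could not use the requested cipher string => client-error
classify_curl_result() {
  rc=$1; out=$2
  case "$rc" in
    0)    echo accepted ;;
    35)   echo rejected ;;
    4|59) echo client-error ;;
    *)    printf '%s\n' "$out" | grep -qi 'handshake failure' \
            && echo rejected || echo unknown ;;
  esac
}

# Run one probe: host port protocol-flag [openssl-cipher-string]
probe_tls() {
  host=$1; port=$2; proto=$3; cipher=$4
  url="https://$host:$port/"
  if [ -n "$cipher" ]; then
    out=$(curl -k -sS -v --location-trusted --max-time 10 -o /dev/null \
            "$proto" --ciphers "$cipher" "$url" 2>&1) && rc=0 || rc=$?
  else
    out=$(curl -k -sS -v --location-trusted --max-time 10 -o /dev/null \
            "$proto" "$url" 2>&1) && rc=0 || rc=$?
  fi
  classify_curl_result "$rc" "$out"
}

# Only sweep when a host and port are given, so the functions can be sourced.
if [ $# -ge 2 ]; then
  for proto in --sslv3 --tlsv1.0 --tlsv1.1 --tlsv1.2; do
    printf '%-10s %-14s %s\n' "$proto" "(any cipher)" "$(probe_tls "$1" "$2" "$proto")"
  done
  # Weak selections in OpenSSL cipher-string syntax; "accepted" here is a finding.
  for cipher in 3DES RC4 aNULL EXPORT; do
    printf '%-10s %-14s %s\n' --tlsv1.2 "$cipher" "$(probe_tls "$1" "$2" --tlsv1.2 "$cipher")"
  done
fi
```

On curl 7.54 and later, --tlsv1.x sets the minimum version rather than pinning it, so add --tls-max 1.2 (or the matching value) when a single version must be tested in isolation.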
Related article:
Technical Tip: How to verify if a web page is cache-able using cURL
