Technical Tip: How to disable 3DES for SSL VPN

Description

This article provides the CLI configuration to disable 3DES for SSL VPN.  FortiOS versions prior to 5.4 did not allow administrators to disable specific ciphers, such as 3DES. 3DES is vulnerable to birthday attacks (CVE-2016-2183).

Scope

Ability to disable specific ciphers for SSL-VPN was added as of FortiOS 5.4.

Solution

The following CLI commands allow disabling 3DES for SSL VPN:

RSA         Ban the use of cipher suites using RSA key.

DH          Ban the use of cipher suites using DH.

DHE         Ban the use of cipher suites using authenticated ephemeral DH key agreement.

ECDH        Ban the use of cipher suites using ECDH key exchange.

ECDHE       Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.

DSS         Ban the use of cipher suites using DSS authentication.

ECDSA       Ban the use of cipher suites using ECDSA authentication.

AES         Ban the use of cipher suites using either 128 or 256 bit AES.

AESGCM      Ban the use of cipher suites AES in Galois Counter Mode (GCM).

CAMELLIA    Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.

3DES        Ban the use of cipher suites using triple DES

SHA1        Ban the use of cipher suites using SHA1.

SHA256      Ban the use of cipher suites using SHA256.

SHA384      Ban the use of cipher suites using SHA384.

For more details on the cipher suite, see Technical Tip: Understanding the cipher suite 1.2 supported by Fortinet devices.


Note:

• Starting from FortiOS 7.6.3, SSL VPN is no longer supported on all FortiGate models: see SSL VPN tunnel mode replaced with IPsec VPN.
• Additionally, agentless VPN (formerly SSL VPN web mode) is not supported on FortiGate 40F, 60F, and 90G series models. Agentless VPN (formerly SSL VPN web mode) not supported on FortiGate 40F, 60F, and 90G series models.