kyle-hsuan
Explorer
December 23, 2024
Question

FortiWeb SSL cipher suites reorder

  • December 23, 2024
  • 3 replies
  • 1404 views

Hi,

I want to reorder SSL cipher suites. Is it possible?

For example:

[attached screenshot]

3 replies

Anthony_E
Staff
December 26, 2024

Hello Kyle,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
ebilcari
Staff
December 26, 2024

Basically this is the list of the ciphers that are presented during negotiation. Setting an order will not make any change. As long as the selected ciphers are still secure (no weak ciphers in the list) you should not worry about the order.

Emirjon
AEK
SuperUser
December 26, 2024

Hello Kyle,

Here I'm not providing an official response, just my thought.

If I remember well, the client sends the cipher suites in the order of "its" preference (which is "generally" from stronger to weaker), and then the server will (or should) respond with the available cipher suite following the client's preference list.

In the FWB docs I couldn't find how we can change the order of preference. It seems to me that FWB follows the client's preference, offering the one available from the first one to the last one preferred by the client.

Another possibility is that FortiWeb doesn't care about the client's preference; it just takes the list provided by the client and selects the strongest one from that list, as long as it is offered by FWB.

In both cases, what you have to do is just select on your FWB the list that you exclusively prefer, depending on your preference in terms of security or performance.

AEK
kyle-hsuan
Explorer
December 27, 2024

Hi AEK,

From the packet capture, I think the client sends the cipher suites it supports to the server.

[attached screenshot: ClientHello cipher suites]

And the server responds with the cipher suite that FortiWeb selects: the first one at the top.

[attached screenshot: ServerHello cipher suite]

[attached screenshot]

AEK
SuperUser
December 27, 2024

Hi Kyle,

Thanks for sharing, so we can learn better how it works.

I also tried to change the order from the CLI, but it seems not to work.


FWB # show server-policy ssl-ciphers custom
config server-policy ssl-ciphers custom
edit "my-cipher1"
set tls-v10 disable
set tls-v11 disable
set ssl-cipher custom
set ssl-custom-cipher ECDHE-ECDSA-AES256-SHA AES128-SHA256
next
end


FWB # config server-policy ssl-ciphers custom
FWB (custom) # edit "my-cipher1"
FWB (my-cipher1) # set ssl-custom-cipher AES128-SHA256 ECDHE-ECDSA-AES256-SHA
FWB (my-cipher1) # next
FWB (custom) # end


FWB # show server-policy ssl-ciphers custom
config server-policy ssl-ciphers custom
edit "my-cipher1"
set tls-v10 disable
set tls-v11 disable
set ssl-cipher custom
set ssl-custom-cipher ECDHE-ECDSA-AES256-SHA AES128-SHA256
next
end

So if I understand well, FWB forces the cipher suite negotiation from the stronger to weaker, and doesn't allow you to change this behavior, right?

AEK
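As an added example (not from the thread and not from Fortinet's documentation), here is a small Python model of the two selection policies AEK describes, applied to the behaviour seen in Kyle's capture and in the CLI session above: the server answering with the suite at the top of its own list, and the device re-sorting the list typed into `set ssl-custom-cipher`. The ClientHello list and both server orderings are constructed, and the forward-secrecy check is a plain name-prefix heuristic, not FortiWeb's logic.

```python
"""Which cipher suite gets picked: client preference vs server preference.

Constructed example. It models the two selection policies discussed in the
thread, using OpenSSL-style suite names like the ones passed to
`set ssl-custom-cipher`. Every list below is made up for illustration.
"""
from typing import List, Optional, Sequence


def select_client_preference(client_offered: Sequence[str],
                             server_enabled: Sequence[str]) -> Optional[str]:
    """Honour the client's order: the first suite in the ClientHello that the
    server has enabled wins."""
    enabled = set(server_enabled)
    for suite in client_offered:
        if suite in enabled:
            return suite
    return None  # no overlap: the handshake fails with a handshake_failure alert


def select_server_preference(client_offered: Sequence[str],
                             server_enabled: Sequence[str]) -> Optional[str]:
    """Honour the server's order: the first suite in the server's configured
    list that the client offered wins. This matches the capture in the thread,
    where the server answers with the suite at the top of its list."""
    offered = set(client_offered)
    for suite in server_enabled:
        if suite in offered:
            return suite
    return None


def non_forward_secret(server_enabled: Sequence[str]) -> List[str]:
    """Flag enabled suites without an ephemeral (EC)DHE key exchange: with
    static RSA key exchange, recorded sessions can be decrypted later if the
    server's private key leaks. Checking the list for weak entries matters
    more than its order, which is ebilcari's point. Prefix heuristic only."""
    return [s for s in server_enabled
            if not (s.startswith("ECDHE-") or s.startswith("DHE-"))]


# Constructed ClientHello, listed in the client's preference order.
CLIENT_HELLO = [
    "AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]
# Order as typed into `set ssl-custom-cipher` in the thread (non-ECDHE first)...
FWB_AS_TYPED = ["AES128-SHA256", "ECDHE-ECDSA-AES256-SHA"]
# ...and the order `show` displayed afterwards (ECDHE suite first).
FWB_AS_STORED = ["ECDHE-ECDSA-AES256-SHA", "AES128-SHA256"]


def negotiate_all() -> dict:
    """Run both policies against both server orderings plus a no-overlap case."""
    return {
        "client_pref/stored": select_client_preference(CLIENT_HELLO, FWB_AS_STORED),
        "server_pref/stored": select_server_preference(CLIENT_HELLO, FWB_AS_STORED),
        "server_pref/typed": select_server_preference(CLIENT_HELLO, FWB_AS_TYPED),
        "no_overlap": select_server_preference(["ECDHE-RSA-AES128-GCM-SHA256"],
                                               FWB_AS_STORED),
        "weak_kex": non_forward_secret(FWB_AS_STORED),
    }


if __name__ == "__main__":
    for name, result in negotiate_all().items():
        print(f"{name:20} -> {result}")
```

The two server orderings give different answers only under server preference, which is why the order typed into the CLI would matter if the device kept it; since `show` returns the list re-sorted, the effective policy is the device's own ranking, and the practical control left to the administrator is which suites appear in the list at all.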