SteveRoadWarrior
New Member
March 10, 2016
Solved

How to resolve the DROWN attack (SSLv2) on Fortimail


Couldn't find anything straightforward about disabling SSL v2 on Fortimail.

 

Executed this command which seems to have helped:

config system global
  set strong-crypto enable
end

We are running v. 4 code.

Let us know if there's a better way, or if this helps you.

 

    Best answer by Carl_Windsor_FTNT


    2 replies

    Carl_Windsor_FTNT
    Staff
    March 10, 2016

    This is documented on p.271 of the CLI Reference Guide.

    You can control the SSL versions directly using:

    config system global
      set ssl-versions {ssl3 | tls1_0 | tls1_1 | tls1_2}
    end

    ...or do as you have done which sets only strong SSL versions / ciphers and digests.

    The option to leave RC4 enabled is also available to support legacy broken versions of Exchange in case you run into trouble.

     

    You might also want to take a look at this thread for some other comments https://forum.fortinet.com/tm.aspx?m=129140#129140

     

    SteveRoadWarrior
    New Member
    March 10, 2016

     

    Thanks Carl!

    kshitijsinghai
    New Member
    March 14, 2016

    I want to implement Fortimail 200D in server mode and need to create local user accounts. Is there any limit for local user accounts?

     

     

    abelio
    SuperUser
    March 18, 2016

    k****ijsinghai wrote:

    I want to implement Fortimail 200D in server mode and need to create local user accounts. Is there any limit for local user accounts?

     

     

    Hello,

    Indeed, there is a limit by model, but this thread is about another topic.

    Open your question in a clean thread to avoid noise.

    ede_pfau
    SuperUser
    March 20, 2016

    @Steve, @Carl: there is no such setting in v4.3 yet, only in later releases (CLI Ref. pg. 277).

     

    'strong-crypto' will restrict the encryption cyphers to 3DES and AES and the hash algo to SHA1.
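
Added example (not part of any post above, and not Fortinet code): a small Python check that reads a saved configuration and reports on the two settings discussed in this thread, `strong-crypto` and `ssl-versions`. It assumes a backup file uses the same `config` / `set` / `end` lines as the CLI and that several `ssl-versions` values are space-separated; the sample backup is constructed.

```python
# Constructed sample backup; layout follows the CLI snippets in the thread
# (assumption: a backup file uses the same config/set/end lines).
SAMPLE_BACKUP = """\
config system global
  set strong-crypto disable
  set ssl-versions ssl3 tls1_0 tls1_1 tls1_2
end
config system dns
  set primary 192.0.2.53
end
"""

# SSLv3 is deprecated (RFC 7568). The option list quoted in the thread has
# no SSLv2 token, so none is invented here.
WEAK_VERSIONS = {"ssl3"}


def global_settings(text):
    """Collect 'set' lines that sit directly inside 'config system global'."""
    settings, stack = {}, []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "config":
            stack.append(" ".join(words).lower())
        elif keyword == "end" and stack:
            stack.pop()
        elif keyword == "set" and len(words) > 1 and stack == ["config system global"]:
            settings[words[1].lower()] = [w.lower() for w in words[2:]]
    return settings


def audit(text):
    """Return (level, message) findings for the two settings discussed."""
    cfg = global_settings(text)
    findings = []
    if cfg.get("strong-crypto") != ["enable"]:
        findings.append(("FAIL", "strong-crypto is not enabled"))
    versions = cfg.get("ssl-versions")
    if versions is None:
        # Releases without this key (v4.3 per the thread) rely on strong-crypto.
        findings.append(("INFO", "ssl-versions not present"))
    elif WEAK_VERSIONS.intersection(versions):
        findings.append(("FAIL", "ssl-versions allows ssl3"))
    return findings
```

`audit(SAMPLE_BACKUP)` returns two FAIL findings; a configuration with only `set strong-crypto enable` returns a single INFO entry noting that `ssl-versions` is absent.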