New Member

Solved

SSL/TLS Full Inspection - permissible cipher suites

Forum|Forum|10 years ago
August 11, 2015
9 replies
48600 views

Same setup as my last post --

Fortigate running with full SSL/TLS inspection.

How do we limit the cipher suites the Fortigate accepts from the web servers it connects to?

In the current, default configuration, the Fortigate accepts quite a few undesirable combinations including:

DES, RC4, SHA, MD5.

Why would a security product, produced in the last decade, EVER allow the likes of DES?

How do you change what the Fortigate accepts to a much stronger cipher suite?

Thanks.

Tom

PS. If you want to check it yourself, turn on full SSL inpsection and head to https://howsmyssl.com

Best answer by emnoc

Very good points & observations

Keep in mind, the ciphers offered by the webserver is going to be the factor on what's selected and used.There's nothing you can do, that can steer or bypass that (except with a true proxy that conducts ssl inspections ....read more )

I don't think the fortigate is going to stop a client that proxy thru from establishment to a web-site with a small-keys or weak ciphers. A true dedicate forward proxy ( i.e cisco, bluecoat , optenet, etc...) & that have SSL/TLS security features is what's required. I think this is where the OP was hinting at & within these latest posts. The fortigate which is good, is not as secured or security cautious as a full on 3rd party proxy solution , who has better SSL/TLS inspection and controls.

The FGT "SSL inspections" just checks basic security checks which are no or more less than your typical browser. Example a explict proxy might allow you to access a site with expired cert or revoke cert or sslv2 or be effected by sslv3 and poodle vulnerabilities.

You will need a proxy that has security feature that inspect and restrict the client from using ssl3 just for example, I don't think this is possible within the fortigate ( somebody can correct me if I'm wrong ). Poster networker has brought up 2 posts that should be on the minds of all that uses "just" a fortigate and with attempts at security enforcement from a web-client.

Btw, I like that cipherscan script for cipher testing ;)

Morten_Marstrander

New Member

Hi,

I tested this with SSL-deep-inspection behind a Fortigate 1500D running 5.2.3, and I don't get the insecure ciphers you mentioned. See attached screenshot.

Capture.JPG

hohosecure

New Member

Does http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD36915 help at all?

HoHo.

Morten_Marstrander

New Member

@HoHo

I suspect that is why we get different results. I have strong-crypto set to enable, and TC does not.

Thanks for clearing that up :)

netwrkrAuthor

New Member

hrmmm.....I too have strong-crypto enabled and see different results on the https://howsmyssl.com website. Let me check the browser settings and report back.

netwrkrAuthor

New Member

I'm stumped.

1. strong-crypto is enabled (has been since we deployed)

2. I disabled every cipher suite in Firefox except the ECDHE-AES128|AES256 ones and the howsmyssl.com site still shows multiple weak cipher suites including DES, 3DES and RC4.

3. I also checked using the ssllabs.com website. The results were the same as was reported by howsmyssl.com.

To confirm similar configurations my deep inspection profile is as follows



config firewall ssl-ssh-profile
    edit "tls-mitm"
            config ssl
                set inspect-all deep-inspection
                set ssl-ca-list enable
            end
            config https
                set ssl-ca-list enable
            end
            config ftps
            end
            config imaps
            end
            config pop3s
            end
            config smtps
            end
            config ssh
                set ports 22
            end
        set caname "my.ca CA"
        set ssl-invalid-server-cert-log enable
    next
end

emnoc

New Member

A good Qs and see my last reply to the lock scenario in your OCSP thread.

I think if you need proper proetction for a web-browser you need to install a 3rd party and MiTM proxy.

ken

AndreaSoliva

New Member

Hi all

as I was reading this post I was quit confiused because the direction goes to "how to prevent the FGT to use some cipher to access som webservers which support none secure ciphers etc. ". Special the use of strong-crypto was confiusing me because this direction is completly false from my point of view. This means if you use strong-crypto it influence as the CLI is mentioning:

Enable to use strong encryption and only allow

strong ciphers (AES, 3DES) and digest (SHA1) for

HTTPS/SSH admin access.

When strong encryption is enabled, HTTPS is

supported by the following web browsers: Netscape

7.2, Netscape 8.0, Firefox, and Microsoft Internet

Explorer 7.0 (beta).

Note that Microsoft Internet Explorer 5.0 and 6.0 are

not supported in strong encryption.

This means this options is HTTPS/SSH "ADMIN" based nothing else. This can be also tested:

Use cipherscan to a admin interface HTTPS (https://github.com/jvehent/cipherscan)

# /opt/scripts/cipherscan 198.18.0.1:8443 custom openssl not executable, falling back to system one from /bin/openssl ................................. Target: 198.18.0.1:8443 prio ciphersuite protocols pfs curves 1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,prime256v1,256bits prime256v1 2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,prime256v1,256bits prime256v1 3 ECDHE-RSA-AES256-SHA TLSv1.1,TLSv1.2 ECDH,prime256v1,256bits prime256v1 4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits None 5 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits None 6 DHE-RSA-AES256-SHA TLSv1.1,TLSv1.2 DH,1024bits None 7 DHE-RSA-CAMELLIA256-SHA TLSv1.1,TLSv1.2 DH,1024bits None 8 AES256-GCM-SHA384 TLSv1.2 None None 9 AES256-SHA256 TLSv1.2 None None 10 AES256-SHA TLSv1.1,TLSv1.2 None None 11 CAMELLIA256-SHA TLSv1.1,TLSv1.2 None None 12 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,prime256v1,256bits prime256v1 13 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,prime256v1,256bits prime256v1 14 ECDHE-RSA-AES128-SHA TLSv1.1,TLSv1.2 ECDH,prime256v1,256bits prime256v1 15 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits None 16 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits None 17 DHE-RSA-AES128-SHA TLSv1.1,TLSv1.2 DH,1024bits None 18 ECDHE-RSA-DES-CBC3-SHA TLSv1.1,TLSv1.2 ECDH,prime256v1,256bits prime256v1 19 DHE-RSA-SEED-SHA TLSv1.1,TLSv1.2 DH,1024bits None 20 DHE-RSA-CAMELLIA128-SHA TLSv1.1,TLSv1.2 DH,1024bits None 21 EDH-RSA-DES-CBC3-SHA TLSv1.1,TLSv1.2 DH,1024bits None 22 AES128-GCM-SHA256 TLSv1.2 None None 23 AES128-SHA256 TLSv1.2 None None 24 AES128-SHA TLSv1.1,TLSv1.2 None None 25 SEED-SHA TLSv1.1,TLSv1.2 None None 26 CAMELLIA128-SHA TLSv1.1,TLSv1.2 None None 27 DES-CBC3-SHA TLSv1.1,TLSv1.2 None None 28 ECDHE-RSA-RC4-SHA TLSv1.1,TLSv1.2 ECDH,prime256v1,256bits prime256v1 29 RC4-SHA TLSv1.1,TLSv1.2 None None 30 RC4-MD5 TLSv1.1,TLSv1.2 None None 31 EDH-RSA-DES-CBC-SHA TLSv1.1,TLSv1.2 DH,1024bits None 32 DES-CBC-SHA TLSv1.1,TLSv1.2 None None Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature TLS ticket lifetime hint: 300 OCSP stapling: not supported Cipher ordering: client

Allow only TLS 1.2:

# config system global # set admin-https-ssl-versions tlsv1-2 # end

Check again the config:

# /opt/scripts/cipherscan 198.18.0.1:8443 custom openssl not executable, falling back to system one from /bin/openssl ................................. Target: 198.18.0.1:8443 prio ciphersuite protocols pfs curves 1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,prime256v1,256bits prime256v1 2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,prime256v1,256bits prime256v1 3 ECDHE-RSA-AES256-SHA TLSv1.2 ECDH,prime256v1,256bits prime256v1 4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits None 5 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits None 6 DHE-RSA-AES256-SHA TLSv1.2 DH,1024bits None 7 DHE-RSA-CAMELLIA256-SHA TLSv1.2 DH,1024bits None 8 AES256-GCM-SHA384 TLSv1.2 None None 9 AES256-SHA256 TLSv1.2 None None 10 AES256-SHA TLSv1.2 None None 11 CAMELLIA256-SHA TLSv1.2 None None 12 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,prime256v1,256bits prime256v1 13 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,prime256v1,256bits prime256v1 14 ECDHE-RSA-AES128-SHA TLSv1.2 ECDH,prime256v1,256bits prime256v1 15 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits None 16 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits None 17 DHE-RSA-AES128-SHA TLSv1.2 DH,1024bits None 18 ECDHE-RSA-DES-CBC3-SHA TLSv1.2 ECDH,prime256v1,256bits prime256v1 19 DHE-RSA-SEED-SHA TLSv1.2 DH,1024bits None 20 DHE-RSA-CAMELLIA128-SHA TLSv1.2 DH,1024bits None 21 EDH-RSA-DES-CBC3-SHA TLSv1.2 DH,1024bits None 22 AES128-GCM-SHA256 TLSv1.2 None None 23 AES128-SHA256 TLSv1.2 None None 24 AES128-SHA TLSv1.2 None None 25 SEED-SHA TLSv1.2 None None 26 CAMELLIA128-SHA TLSv1.2 None None 27 DES-CBC3-SHA TLSv1.2 None None 28 ECDHE-RSA-RC4-SHA TLSv1.2 ECDH,prime256v1,256bits prime256v1 29 RC4-SHA TLSv1.2 None None 30 RC4-MD5 TLSv1.2 None None 31 EDH-RSA-DES-CBC-SHA TLSv1.2 DH,1024bits None 32 DES-CBC-SHA TLSv1.2 None None Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature TLS ticket lifetime hint: 300 OCSP stapling: not supported Cipher ordering: client

Check if unsecure ciphers are supported even above is shown :)

# openssl s_client -connect 198.18.0.1:8443 -cipher "DES" CONNECTED(00000003) depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=FortiGate/CN=FG300C3913601712/emailAddress=support@fortinet.com i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com 1 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com --- Server certificate -----BEGIN CERTIFICATE----- MIIDRTCCAi2gAwIBAgIDC9W6MA0GCSqGSIb3DQEBBQUAMIGgMQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREwDwYD VQQKEwhGb3J0aW5ldDEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRAw DgYDVQQDEwdzdXBwb3J0MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0 LmNvbTAeFw0xMzAzMDUwMjAyMzFaFw0zODAxMTkwMzE0MDdaMIGdMQswCQYDVQQG EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREw DwYDVQQKEwhGb3J0aW5ldDESMBAGA1UECxMJRm9ydGlHYXRlMRkwFwYDVQQDExBG RzMwMEMzOTEzNjAxNzEyMSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0 LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvbxgu84VKi3SL78ZpAdB 5yaqOQfNf44KFwxFAqk94D8vjcNi0i0igSVdNZD80hRJUqbkVprgAaOPG4BvnadN 2LIB0S1ajvjJfOctdfstpiVYRU2W3i5sjqkoRLyn1Vy0olZ3MVQMZUP0saPqQPnF vrBSwDJ/CJ31mMMyyIP+JncCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0B AQUFAAOCAQEANb9WMN1Tedd+qvQuYvtjCJm5XEgWuQNG3LfSsHFU7ZB2Sjybj39/ cfzHZuFdUtib6QPO1AuOvWyXZwIK8bcx6eFxoq7Ox6rTJVgJkw9XxoUbC2s2Du/o CtfPNc5cJJ/Xjlmufr3mNUT+26kG1RG1E8+QViTsRzwT/L9+SIX4KDvqUaZI+gqj 6VSgVD2EkUK2OtHS1CvtFsCbVpwBTmcKErjPcnUl1RyvWoBtMLDbHOc09r/joJoS ruKoDlXKinkPMDeuazIR3JFYj40V3+OXXlSoc1H1DuXKKyZsZXFp9gKfoQXAllkO qlBsAiyXAsieWQsQoiAyyAyNpp8zGgIKxA== -----END CERTIFICATE----- subject=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=FortiGate/CN=FG300C3913601712/emailAddress=support@fortinet.com issuer=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com --- No client certificate CA names sent Server Temp Key: DH, 1024 bits --- SSL handshake has read 2394 bytes and written 271 bytes --- New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : EDH-RSA-DES-CBC-SHA Session-ID: F4B05A8E17FE406186242860D92EC90B9FF09EE731FE2C9DC3CE3B0EB57D50DC Session-ID-ctx: Master-Key: 36EDD661CE7E6688395FF8FF1F76349A1E7054F62EE4D55590A24BB1C15B6FDF9EC3B3B92A7ECF3731424F4F5D9C3626 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1435042817 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) ---

Followin ciphers should be prevented to be used:

aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA

To prevent enable strong-crypto:

# config system global # set strong-crypto enable # end

Check config if config was successful:

# /opt/scripts/cipherscan 198.18.0.1:8443 custom openssl not executable, falling back to system one from /bin/openssl ................ Target: 198.18.0.1:8443 prio ciphersuite protocols pfs curves 1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,prime256v1,256bits prime256v1 2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,prime256v1,256bits prime256v1 3 ECDHE-RSA-AES256-SHA TLSv1.2 ECDH,prime256v1,256bits prime256v1 4 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits None 5 DHE-RSA-AES256-SHA TLSv1.2 DH,1024bits None 6 AES256-SHA256 TLSv1.2 None None 7 AES256-SHA TLSv1.2 None None 8 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,prime256v1,256bits prime256v1 9 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,prime256v1,256bits prime256v1 10 ECDHE-RSA-AES128-SHA TLSv1.2 ECDH,prime256v1,256bits prime256v1 11 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits None 12 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits None 13 DHE-RSA-AES128-SHA TLSv1.2 DH,1024bits None 14 AES128-SHA256 TLSv1.2 None None 15 AES128-SHA TLSv1.2 None None Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature TLS ticket lifetime hint: 300 OCSP stapling: not supported Cipher ordering: client

Check if as example DES is supported:

# openssl s_client -connect 198.18.0.1:8443 -cipher "DES" CONNECTED(00000003) 140357317728160:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 73 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE

Check all at once RC4 if unsecure are supported:

# for i in `openssl ciphers -v 'RC4' | awk '{print $1}'`; do echo -ne "$i\t" ; echo | openssl s_client -connect [FQDN des Hosts oder IPv4]:443 -cipher "$i" 2>&1 | grep New; done ECDHE-RSA-RC4-SHA New, (NONE), Cipher is (NONE) ECDHE-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE) AECDH-RC4-SHA New, (NONE), Cipher is (NONE) ADH-RC4-MD5 New, (NONE), Cipher is (NONE) ECDH-RSA-RC4-SHA New, (NONE), Cipher is (NONE) ECDH-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE) RC4-SHA New, (NONE), Cipher is (NONE) RC4-MD5 New, (NONE), Cipher is (NONE)

If you want you can use the same for SSL-VPN which means:

Default is:

sslv2 : disable sslv3 : enable tlsv1-0 : enable tlsv1-1 : enable tlsv1-2 : enable algorithm : default

Default uses following:

# /opt/scripts/cipherscan 198.18.0.1:443 custom openssl not executable, falling back to system one from /bin/openssl ............................... Target: 198.18.0.1:443 prio ciphersuite protocols pfs curves 1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,prime256v1,256bits prime256v1 2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,prime256v1,256bits prime256v1 3 ECDHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,prime256v1,256bits prime256v1 4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits None 5 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits None 6 DHE-RSA-AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None 7 DHE-RSA-CAMELLIA256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None 8 AES256-GCM-SHA384 TLSv1.2 None None 9 AES256-SHA256 TLSv1.2 None None 10 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None 11 CAMELLIA256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None 12 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,prime256v1,256bits prime256v1 13 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,prime256v1,256bits prime256v1 14 ECDHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,prime256v1,256bits prime256v1 15 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits None 16 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits None 17 DHE-RSA-AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None 18 DHE-RSA-CAMELLIA128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None 19 AES128-GCM-SHA256 TLSv1.2 None None 20 AES128-SHA256 TLSv1.2 None None 21 AES128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None 22 CAMELLIA128-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None 23 DHE-RSA-SEED-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None 24 SEED-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None 25 ECDHE-RSA-RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,prime256v1,256bits prime256v1 26 RC4-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None 27 RC4-MD5 SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None 28 ECDHE-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,prime256v1,256bits prime256v1 29 EDH-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 DH,1024bits None 30 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 None None Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature TLS ticket lifetime hint: 300 OCSP stapling: not supported Cipher ordering: server

Disable everything except TLS 1.2 as go to high algorithm:

# config vpn ssl settings # set tlsv1-0 disable # set tlsv1-1 disable # set sslv3 disable # set algorithm high # end

Check again the config:

# /opt/scripts/cipherscan 198.18.0.1:443 custom openssl not executable, falling back to system one from /bin/openssl .......................... Target: 198.18.0.1:443 prio ciphersuite protocols pfs curves 1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,secp384r1,384bits secp384r1 2 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,secp384r1,384bits secp384r1 3 ECDHE-RSA-AES256-SHA TLSv1.2 ECDH,secp384r1,384bits secp384r1 4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits None 5 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits None 6 DHE-RSA-AES256-SHA TLSv1.2 DH,1024bits None 7 DHE-RSA-CAMELLIA256-SHA TLSv1.2 DH,1024bits None 8 AES256-GCM-SHA384 TLSv1.2 None None 9 AES256-SHA256 TLSv1.2 None None 10 AES256-SHA TLSv1.2 None None 11 CAMELLIA256-SHA TLSv1.2 None None 12 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,secp384r1,384bits secp384r1 13 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,secp384r1,384bits secp384r1 14 ECDHE-RSA-AES128-SHA TLSv1.2 ECDH,secp384r1,384bits secp384r1 15 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits None 16 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits None 17 DHE-RSA-AES128-SHA TLSv1.2 DH,1024bits None 18 DHE-RSA-CAMELLIA128-SHA TLSv1.2 DH,1024bits None 19 AES128-GCM-SHA256 TLSv1.2 None None 20 AES128-SHA256 TLSv1.2 None None 21 AES128-SHA TLSv1.2 None None 22 CAMELLIA128-SHA TLSv1.2 None None 23 ECDHE-RSA-DES-CBC3-SHA TLSv1.2 ECDH,secp384r1,384bits secp384r1 24 EDH-RSA-DES-CBC3-SHA TLSv1.2 DH,1024bits None 25 DES-CBC3-SHA TLSv1.2 None None Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature TLS ticket lifetime hint: 300 OCSP stapling: not supported Cipher ordering: server

Use for more security not 1024 bit DH increase to higher value:

# config firewall ssl settings # set ssl-dh-bits [1024 | 1536 | 2048 | 768] # end

Check if unsecure cipher are still supported:

# openssl s_client -connect 198.18.0.1:443 -cipher "RC4" CONNECTED(00000003) 140687385839520:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 73 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE ---

Check at once if RC4 is supported:

# for i in `openssl ciphers -v 'RC4' | awk '{print $1}'`; do echo -ne "$i\t" ; echo | openssl s_client -connect [FQDN des Hosts oder IPv4]:443 -cipher "$i" 2>&1 | grep New; done ECDHE-RSA-RC4-SHA New, (NONE), Cipher is (NONE) ECDHE-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE) AECDH-RC4-SHA New, (NONE), Cipher is (NONE) ADH-RC4-MD5 New, (NONE), Cipher is (NONE) ECDH-RSA-RC4-SHA New, (NONE), Cipher is (NONE) ECDH-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE) RC4-SHA New, (NONE), Cipher is (NONE) RC4-MD5 New, (NONE), Cipher is (NONE)

From my point of view there is no configuration which tells the FortiGate in deep-inspection to not use some ciphers etc. This is from my point of view a config which you can full file over the Browser which means deactivating unter option TLS SSL etc. If a webserver is correct configured a fallback to a lower cipher should be not allow. Anyway as more as you increase the security with as an example TLS 1.2 only as with only some ciphers on a Server as more as you will have compatibility issues even it would be from security point of view correct.

Finally the option discussed here strong-crypto has nothing to do with the cipers or TLS SSL version the FortiGate uses to access a webserver etc. using deep-inspection. This options influence as the CLI documents the HTTPS SSH Admin access only.

hope this helps

have fun

Andrea

emnocAnswer

New Member

Very good points & observations

Keep in mind, the ciphers offered by the webserver is going to be the factor on what's selected and used.There's nothing you can do, that can steer or bypass that (except with a true proxy that conducts ssl inspections ....read more )

I don't think the fortigate is going to stop a client that proxy thru from establishment to a web-site with a small-keys or weak ciphers. A true dedicate forward proxy ( i.e cisco, bluecoat , optenet, etc...) & that have SSL/TLS security features is what's required. I think this is where the OP was hinting at & within these latest posts. The fortigate which is good, is not as secured or security cautious as a full on 3rd party proxy solution , who has better SSL/TLS inspection and controls.

The FGT "SSL inspections" just checks basic security checks which are no or more less than your typical browser. Example a explict proxy might allow you to access a site with expired cert or revoke cert or sslv2 or be effected by sslv3 and poodle vulnerabilities.

You will need a proxy that has security feature that inspect and restrict the client from using ssl3 just for example, I don't think this is possible within the fortigate ( somebody can correct me if I'm wrong ). Poster networker has brought up 2 posts that should be on the minds of all that uses "just" a fortigate and with attempts at security enforcement from a web-client.

Btw, I like that cipherscan script for cipher testing ;)

netwrkrAuthor

New Member

The Palo Alto firewalls have the very features I'm looking for but the cost of them is sky high.

From the PAN 7.0 docs

## Destination web server key size

"By default, the firewall determines the key size to use for the client certificates it generates based on the key size of the destination server certificate. You can optionally set a static key size to use regardless of the key size of the destination server certificate."

## Allow the user to 'click-through' untrusted web server certificates

"If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server certificate and signs it with the Forward Untrust certificate and sends it to the client. In this case, the client sees a block page warning that the site they’re attempting to connect to is not trusted and the client can choose to proceed or terminate the session."

## Without going too far off course - this is another very nice feature the PA has (Fortinet folks - are you listening???)

"Enable Users to Opt Out of SSL Decryption In some cases, you may need to alert your users to the fact that certain web traffic is being decrypted and allow them to terminate sessions that they do not want inspected. With SSL Opt Out enabled, the first time a userattempts to browse to an HTTPS site or application that matches your decryption policy, the firewall will displaya response page that notifies the user that the session will be decrypted. Users can either allow decryption andcontinue to the page by clicking YES,or opt out of decryption and click No to terminate the session. Users who opt out of SSL decryption are not allowed to continue to the requested web page, or to any other HTTPS site they attempt to access during the next 24-hour period. My point is, at least one other "NGFW" vendor offers the requisite SSL/TLS deep-inspection security features. I can only hope Fortinet does the same in the near future. Tom

emnoc

New Member

I 'll speak to my SSE teams and see what they say, but I agreed PANW has it right but than you are comparing a different beast than a fortigate ;)

The PAN series can also block by SSL neg protoocl sslv2 sslv3 TLS1.x etc.... so you have more control over web-clients access in/out and you have the luxury fail-open or close depending on if you exceed the SSL decryption limits . ( yes these appliance have a max sessions de-encryptions counts irrc )

seadave

New Member

@AndreaSoliva you must be some kind of uber genius to understand all of that. Lots to learn from your excellent post. It is frustrating that these type of "defaults" are not noted more prominently by Fortinet and it requires us sleuthing through the formums to find someone like @AndreaSoliva or @emnoc who are deeply versed in the product.

If you are trying to harden an IIS server, I have found a great little tool called IIS Crypto:

https://www.nartac.com/Products/IISCrypto

It allows you to see all of the Protocols, Ciphers, Hashes, and Exchanges that are enabled and the order of precedence for the various cipher suites. Saves a lot of time from messing in the registry or running scripts. So perhaps using this tool and the settings that @AndreaSoliva mentioned would do the trick. I've used it for my 2008R2 OWA box and it works great.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded