Technical Tip: How to limit the SSL and TLS versions of connections initiated by FortiClient

athirat · ‎06-13-2016

Description

This article describes how to control the SSL and TLS versions used by the FortiClient when connecting to SSL VPN.

Scope

FortiClient - All versions.

Solution

FortiClient uses the Internet Explorer SSL and TLS settings to initiate the SSL connection.

The versions used can be disabled and enabled by navigating to the following option in the browser:

Internet options -> Advanced -> Security.

The options are shown in the following screenshot:

CLI Configuration

Using the FortiGate CLI, the same options can be selected as follows. See the related firmware note below.

config vpn ssl settings
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 enable
    set tlsv1-2 enable
end

Verification of Configuration and troubleshooting.

If there is a version mismatch, the connection would be seen to be terminating with no definite error in the SSL VPN debugs.

Packet captures would show the versions that are incoming.

Note: Changes in commands as per the firmware:

Use the following commands to change the SSL version for the SSL VPN before version 6.2:

config vpn ssl settings
    set sslv3   {enable | disable}   sslv3
    set tlsv1-0 {enable | disable}   Enable/disable TLSv1.0.
    set tlsv1-1 {enable | disable}   Enable/disable TLSv1.1.
    set tlsv1-2 {enable | disable}   Enable/disable TLSv1.2.

On 6.2 or above, use the following to change the SSL version for the SSL VPN:

config vpn ssl setting
ssl-max-proto-ver xxx
tls1-0 TLS version 1.0.
tls1-1 TLS version 1.1.
tls1-2 TLS version 1.2.
tls1-3 TLS version 1.3.

ssl-min-proto-ver xxx
tls1-0 TLS version 1.0.
tls1-1 TLS version 1.1.
tls1-2 TLS version 1.2.
tls1-3 TLS version 1.3.