FortiGate
jheadley_FTNT
Article Id 193946

Description

This article shows how to use the open source program cURL to test connectivity to (or through) a FortiGate using various SSL/TLS protocol versions and cipher suites. This is useful when doing vulnerability assessments, and it can confirm whether the FortiGate accepts connections made with a specific version of the SSL/TLS protocol and a chosen cipher suite.


Scope

FortiGate HTTPS management IP address,
FortiGate SSL VPN portal IP address,
HTTPS website protected by FortiGate/FortiWeb.


Solution

  1. Download and install a pre-compiled version of cURL for the operating system in use. A popular version for Windows is called 'cURL for Windows'. Alternatively, compile cURL manually.
  2. Determine the IP address and port number to which a connection is to be made. This can be the IP address and port number of the FortiGate management interface, the SSL VPN portal, or a server behind the FortiGate.
  3. Determine the version of TLS/SSL to be tested, as well as which cipher suites.
  4. Test with cURL using the parameters determined above.

Example 1: Testing the FortiGate SSL VPN interface for SSLv3 (any cipher suite):

curl https://10.0.0.5:10443 -k -v --location-trusted --sslv3

[output removed]

alert handshake failure (connection is NOT accepted)

Example 2: Testing the FortiGate management interface for TLSv1.2 using the 3DES bulk cipher/encryption algorithm:

curl https://10.0.0.1:443 -k -v --location-trusted --tlsv1.2 --ciphers 3DES

[output removed]

* Connection #0 to host 10.0.0.1 left intact (connection is accepted)

Example 3: Testing the FortiGate SSL VPN interface for TLSv1.2 using the cipher suite AECDH-AES128-SHA:

curl https://10.0.0.5:10443 -k -v --location-trusted --tlsv1.2 --ciphers AECDH-AES128-SHA

[output removed]

* Connection #0 to host 10.0.0.1 left intact (connection is accepted)

Note that cURL uses OpenSSL as its TLS library, so cipher suites must be specified using OpenSSL's names rather than the RFC names. For example, AECDH-AES128-SHA is the OpenSSL name for the RFC cipher suite TLS_ECDH_anon_WITH_AES_128_CBC_SHA.
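The procedure above and Examples 1 to 3 can be wrapped in a small script that sweeps protocol versions and cipher suites and reports a verdict per probe, judging each result by the same verbose-output lines the examples show. This is an added example, not part of the Fortinet article; the host, port and the cipher names used in the sweep are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): sweep a TLS endpoint with
# curl, as in Examples 1-3, and print ACCEPTED/REJECTED for each probe.
# Host, port and the suites in the sweep below are assumptions for illustration.

# Classify curl's verbose output: "left intact" means the handshake succeeded;
# a TLS alert or an SSL connect error means the server refused the parameters.
classify_probe_output() {
    if printf '%s\n' "$1" | grep -q 'left intact'; then
        echo ACCEPTED
    elif printf '%s\n' "$1" | grep -Eqi 'handshake failure|TLS alert|SSL connect error'; then
        echo REJECTED
    else
        echo UNKNOWN   # e.g. DNS failure or timeout: not a TLS verdict at all
    fi
}

# Run one probe: host, port, curl TLS-version flag, optional OpenSSL cipher list.
# -k -v --location-trusted follow the article; -o /dev/null discards the body.
probe() {
    host="$1"; port="$2"; tls_flag="$3"; ciphers="$4"
    # curl exits non-zero on a refused handshake, so do not let that abort the sweep.
    if [ -n "$ciphers" ]; then
        out=$(curl -k -v --location-trusted --max-time 10 "$tls_flag" \
              --ciphers "$ciphers" -o /dev/null "https://$host:$port" 2>&1 </dev/null) || true
    else
        out=$(curl -k -v --location-trusted --max-time 10 "$tls_flag" \
              -o /dev/null "https://$host:$port" 2>&1 </dev/null) || true
    fi
    printf '%-10s %-20s %s\n' "$tls_flag" "${ciphers:-any}" "$(classify_probe_output "$out")"
}

# Sweep: each protocol version with any cipher, then TLS 1.2 with the two
# suites from Examples 2 and 3.  Usage: sh tlsprobe.sh 10.0.0.5 10443
if [ $# -eq 2 ]; then
    for flag in --sslv3 --tlsv1.0 --tlsv1.1 --tlsv1.2; do
        probe "$1" "$2" "$flag" ""
    done
    for suite in 3DES AECDH-AES128-SHA; do
        probe "$1" "$2" --tlsv1.2 "$suite"
    done
fi
```

On curl 7.54.0 and later, --tlsv1.2 sets the minimum version rather than pinning it, so pair it with --tls-max 1.2 when a single version must be tested; --sslv3 also only works with a curl/OpenSSL build that still includes SSLv3 support.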

A full list of the options available for cURL, including protocols, can be found in the cURL tool documentation at http://curl.haxx.se/docs/manpage.html.

A full list of ciphers available can be found in the OpenSSL Cryptography and SSL/TLS Toolkit documentation at https://www.openssl.org/docs/manmaster/apps/ciphers.html.

 

More details on cipher suites are available in Technical Tip: Understanding the cipher suite 1.2 supported by Fortinet devices.

Related article:

Technical Tip: How to verify if a web page is cache-able using cURL