Created on 08-12-2015 12:26 AM
Edited on 06-25-2024 12:52 AM
By Jean-Philippe_P
Description
By default, 'strong-crypto' is disabled. It is recommended to enable it: with 'strong-crypto' enabled, the FortiGate uses strong encryption and offers only the protocol versions and cipher suites classified as strong (compare the two lists below).
Solution
config system global
    set strong-crypto enable
end
The following cipher suites are offered by the FortiGate when 'strong-crypto' is DISABLED:
SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)
TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)
TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 1024)
| TLS_RSA_WITH_RC4_128_SHA (rsa 1024)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)
TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 128)
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 128)
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024)
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024)
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 1024)
| TLS_RSA_WITH_RC4_128_SHA (rsa 1024)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)
TLSv1.3:
| ciphers:
| TLS_AES_256_GCM_SHA384
| TLS_CHACHA20_POLY1305_SHA256
| TLS_AES_128_GCM_SHA256
The following cipher suites are offered by the FortiGate when 'strong-crypto' is ENABLED:
TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 128)
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 128)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
TLSv1.3:
| ciphers:
| TLS_AES_256_GCM_SHA384
| TLS_CHACHA20_POLY1305_SHA256
| TLS_AES_128_GCM_SHA256
With 'strong-crypto' enabled, the FortiGate no longer offers SSLv3 or TLSv1.0; TLSv1.1, TLSv1.2 and TLSv1.3 are still offered.
The aim of 'strong-crypto' is to offer only cryptographic protocols and cipher suites that are currently considered strong. SSLv3 and TLSv1.0 have well-known weaknesses and are disabled in 'strong-crypto' mode, and, as the two lists above show, the RC4, DES, 3DES, SEED and Camellia suites and the MD5-based suites disappear as well, while TLSv1.2 and TLSv1.3 remain enabled.
Note what 'strong-crypto' does not remove: TLSv1.1 (deprecated together with TLSv1.0 by RFC 8996), CBC-mode suites, and the TLS_RSA_WITH_* suites, whose static RSA key exchange provides no forward secrecy. 'strong-crypto' is therefore a baseline hardening step, not by itself a TLS 1.2-or-later, forward-secrecy-only policy; verify the actual offering of each listening service after the change.
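The two listings above are in the layout of nmap's ssl-enum-ciphers script. The script below is an added example (not Fortinet's code and not part of the original article) that parses output in that layout and reports every offered (protocol, suite) pair failing a simple strong-crypto policy: deprecated protocol version (SSLv3, TLSv1.0, TLSv1.1), broken primitive in the suite name (RC4, DES, 3DES, MD5, NULL, EXPORT, anonymous key exchange), static RSA key exchange, or an RSA server key shorter than 2048 bits. The two sample excerpts are constructed for the demo; the "(dh N)" annotation is deliberately not judged because the listings do not state its unit. Running it on the before/after samples shows both what 'strong-crypto' removes and what it leaves in place (TLSv1.1, TLS_RSA_WITH_* suites, the 1024-bit RSA key).

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Protocol header: "| SSLv3:", "TLSv1.0:" or "TLS v1.2:" (all three spellings appear in the listings).
PROTO_RE = re.compile(r"^\|?\s*(SSLv\d|TLS\s?v\d\.\d):\s*$")
# Suite line: "|   TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)" or a bare TLS 1.3 suite name.
SUITE_RE = re.compile(r"^\|?\s*(TLS_[A-Z0-9_]+)(?:\s*\((\w+)\s+(\d+)\))?\s*$")

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # RFC 7568, RFC 8996
BROKEN_PRIMITIVES = {  # substring of the suite name -> why it fails the policy
    "RC4": "RC4 stream cipher",
    "_DES_": "single DES",
    "3DES": "3DES (64-bit blocks, Sweet32)",
    "_MD5": "MD5 MAC",
    "NULL": "NULL cipher or MAC",
    "EXPORT": "export-grade key length",
    "_anon_": "anonymous key exchange",
}

@dataclass
class Finding:
    protocol: str
    suite: str
    reasons: List[str] = field(default_factory=list)

def _parse(nmap_output: str):
    """Yield (protocol, suite, key_type, key_bits) for every suite line under a protocol header."""
    protocol = None
    for line in nmap_output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            protocol = m.group(1).replace(" ", "")  # "TLS v1.2" -> "TLSv1.2"
            continue
        m = SUITE_RE.match(line)
        if m and protocol is not None:
            yield protocol, m.group(1), m.group(2), (int(m.group(3)) if m.group(3) else None)

def offered_protocols(nmap_output: str) -> Set[str]:
    """Protocol versions under which at least one suite is offered."""
    return {proto for proto, _, _, _ in _parse(nmap_output)}

def audit(nmap_output: str) -> List[Finding]:
    """One Finding per offered (protocol, suite) pair that violates the policy."""
    findings: List[Finding] = []
    for protocol, suite, key_type, key_bits in _parse(nmap_output):
        reasons = []
        if protocol in DEPRECATED_PROTOCOLS:
            reasons.append(f"{protocol} is deprecated (RFC 7568 / RFC 8996)")
        reasons += [why for needle, why in BROKEN_PRIMITIVES.items() if needle in suite]
        if suite.startswith("TLS_RSA_WITH_"):
            reasons.append("static RSA key exchange, no forward secrecy")
        # Only the RSA key length is judged; "(dh N)" is left alone since its unit is not stated.
        if key_type == "rsa" and key_bits is not None and key_bits < 2048:
            reasons.append(f"{key_bits}-bit RSA server key")
        if reasons:
            findings.append(Finding(protocol, suite, reasons))
    return findings

# Constructed excerpts in the layout of the two listings above (not the full lists).
SAMPLE_STRONG_CRYPTO_DISABLED = """\
| SSLv3:
|   ciphers:
|     TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|     TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
TLSv1.0:
|   ciphers:
|     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
TLS v1.2:
|   ciphers:
|     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
|     TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256)
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
TLS v1.3:
|   ciphers
|     TLS_AES_256_GCM_SHA384
"""
SAMPLE_STRONG_CRYPTO_ENABLED = """\
TLS v1.1:
|   ciphers:
|     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
TLS v1.2:
|   ciphers:
|     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
|     TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
TLS v1.3:
|   ciphers
|     TLS_AES_128_GCM_SHA256
"""

if __name__ == "__main__":
    for label, sample in (("DISABLED", SAMPLE_STRONG_CRYPTO_DISABLED), ("ENABLED", SAMPLE_STRONG_CRYPTO_ENABLED)):
        for f in audit(sample):
            print(f"strong-crypto {label}: {f.protocol} {f.suite}: {'; '.join(f.reasons)}")
```

To check a real unit, run `nmap --script ssl-enum-ciphers -p 443 <fortigate-address>` against each TLS listener (management GUI, SSL VPN portal, and so on) before and after enabling 'strong-crypto' and pass the output to audit(); any Finding left after the change is something 'strong-crypto' alone does not address.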