Description
This article shows how to control the SSL version and the Cipher
Suites used in the SSL Handshake for the SSL VPN configured on
FortiGate Firewalls.
ScopeThe FortiGate unit supports multiple SSL Versions and cryptographic cipher suites to match the capabilities of various web browsers by default.
The web browser and the FortiGate negotiate a cipher suite before any information (for example, a user name and password) is transmitted over the SSL link.SolutionSSL Version and encryption key algorithms for SSL VPN can only be configured in the FortiGate CLI.- Use the following commands to change the SSL version for the SSL VPN before version 6.2:# config vpn ssl settings
set sslv3 {enable | disable} sslv3
set tlsv1-0 {enable | disable} Enable/disable TLSv1.0.
set tlsv1-1 {enable | disable} Enable/disable TLSv1.1.
set tlsv1-2 {enable | disable} Enable/disable TLSv1.2.
On 6.2 or above you should use the following to change the SSL version for the SSL VPN:# config vpn ssl setting
ssl-max-proto-ver xxx
tls1-0 TLS version 1.0.
tls1-1 TLS version 1.1.
tls1-2 TLS version 1.2.
tls1-3 TLS version 1.3.
ssl-min-proto-ver xxx
tls1-0 TLS version 1.0.
tls1-1 TLS version 1.1.
tls1-2 TLS version 1.2.
tls1-3 TLS version 1.3.
- Use the following commands to change the SSL Cipher Suite for the SSL VPN: # config vpn ssl settings
set banned-cipher {option} Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
RSA Ban the use of cipher suites using RSA key.
DH Ban the use of cipher suites using DH.
DHE Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDH Ban the use of cipher suites using ECDH key exchange.
ECDHE Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS Ban the use of cipher suites using DSS authentication.
ECDSA Ban the use of cipher suites using ECDSA authentication.
AES Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM Ban the use of cipher suites AES in Galois Counter Mode (GCM).
CAMELLIA Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES Ban the use of cipher suites using triple DES
SHA1 Ban the use of cipher suites using SHA1.
SHA256 Ban the use of cipher suites using SHA256.
SHA384 Ban the use of cipher suites using SHA384.
STATIC Ban the use of cipher suites using static keys.
Pre FortiOS 5.4, the cipher suites options are only "low, medium, high" or " low, medium, default"Use the following CLI command:# config vpn ssl settings
set algorithm <cipher_suite>
end
where one of the following variables replaces <cipher_suite>:low Use any cipher suite; AES, 3DES, RC4, or DES.medium Use a 128-bit or greater cipher suite; AES, 3DES, or RC4.high Use a ciper suite grather than 128 bits; AES or 3DES.ordefault High and medium algorithms.high High algorithms.low All algorithms.Note. It is highly advisable to disable TLS Versions 1.0 and 1.1 as they are officially deprecated protocols and deemed as unsecure, furthermore, as a best practice, RSA cipher suites should be disabled as well.Note. Removing some of the old ciphers and ssl versions might have an impact with old version of clients like old browsers or old version forticlient, so please verify the SSL version and ciphers supported by clients before making these changes
