FortiGate
afornaris
Staff
Article Id 196762

Description

This article provides the CLI configuration to disable 3DES for SSL VPN. FortiOS versions prior to 5.4 did not allow administrators to disable specific ciphers, such as 3DES. 3DES is vulnerable to birthday attacks (CVE-2016-2183).


Scope


Ability to disable specific ciphers for SSL-VPN was added as of FortiOS 5.4.


Solution

The following CLI commands disable 3DES for SSL VPN:

config vpn ssl settings
   set banned-cipher 3DES
end

The banned-cipher option accepts the following cryptographic primitives (cipher, hash, key exchange, signature); the CLI help lists them:

config vpn ssl settings
set banned-cipher ?

RSA         Ban the use of cipher suites using RSA key.
DH          Ban the use of cipher suites using DH.
DHE         Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDH        Ban the use of cipher suites using ECDH key exchange.
ECDHE       Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS         Ban the use of cipher suites using DSS authentication.
ECDSA       Ban the use of cipher suites using ECDSA authentication.
AES         Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM      Ban the use of cipher suites AES in Galois Counter Mode (GCM).
CAMELLIA    Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES        Ban the use of cipher suites using triple DES
SHA1        Ban the use of cipher suites using SHA1.
SHA256      Ban the use of cipher suites using SHA256.
SHA384      Ban the use of cipher suites using SHA384.
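As an added verification aid (not part of this article or of FortiOS), the following Python maps the cipher suites a TLS scanner reports for the SSL VPN portal onto the banned-cipher tokens listed above, so a scan taken after the change can be checked against the configured policy. The reading of the RSA token as static RSA key exchange and of AES as covering both CBC and GCM suites, the regex over `show vpn ssl settings` output, and the sample data are assumptions.

```python
import re

# Constructed sample of `show vpn ssl settings` output (not captured from a real device).
SAMPLE_SHOW = """config vpn ssl settings
    set banned-cipher 3DES SHA1
end
"""

# Constructed list of suites a TLS scanner might report the portal as still offering.
SAMPLE_OFFERED = [
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]

BANNED_RE = re.compile(r"^\s*set banned-cipher\s+(.+?)\s*$", re.MULTILINE)

def parse_banned(show_output: str) -> set[str]:
    """Return the banned-cipher tokens found in `show vpn ssl settings` text."""
    m = BANNED_RE.search(show_output)
    return set(m.group(1).split()) if m else set()

def suite_primitives(suite: str) -> set[str]:
    """Map an IANA TLS 1.2 suite name, TLS_<kx>_WITH_<cipher>_<hash>, onto banned-cipher tokens."""
    kx, _, bulk = suite.removeprefix("TLS_").partition("_WITH_")
    kx_parts = kx.split("_")
    prims = set()
    # Key exchange; the RSA token is read as static RSA key transport (assumption).
    if kx_parts[0] in ("RSA", "DH", "DHE", "ECDH", "ECDHE"):
        prims.add(kx_parts[0])
    # Certificate authentication algorithms named in the key-exchange part.
    prims.update(t for t in ("DSS", "ECDSA") if t in kx_parts)
    # Bulk cipher; the AES token is taken to cover CBC and GCM suites (assumption).
    prims.update(t for t in ("3DES", "CAMELLIA", "AES") if t in bulk)
    if "AES" in bulk and "GCM" in bulk:
        prims.add("AESGCM")
    # MAC / PRF hash, identified by the suite-name suffix.
    for suffix, token in (("_SHA", "SHA1"), ("_SHA256", "SHA256"), ("_SHA384", "SHA384")):
        if bulk.endswith(suffix):
            prims.add(token)
    return prims

def is_banned(suite: str, banned: set[str]) -> bool:
    return bool(suite_primitives(suite) & banned)

def audit(offered: list[str], banned: set[str]) -> list[str]:
    """Suites a scanner still saw that the configured banned-cipher set should have removed."""
    return [s for s in offered if is_banned(s, banned)]
```

Any suite returned by `audit` means the portal is still negotiating a primitive the policy bans, which points to the change not having taken effect on the scanned interface or port.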
 

For more details on cipher suites, see Technical Tip: Understanding the cipher suite 1.2 supported by Fortinet devices.