akawade
Staff
Article Id 197230

Description

This article provides the details of TLS 1.3 support for SSL VPN.

Scope

FortiGate.

Solution

Enabling TLS 1.3 requires IPS engine 4.205 or later and FortiClient 6.2.0 or later.

To establish a client SSL VPN connection to the FortiGate with TLS 1.3, enable TLS 1.3 in the CLI:

config vpn ssl settings
    set tlsv1-3 enable
end

In newer FortiOS versions, enable TLS 1.3 with the following commands. Setting both the minimum and maximum protocol version to tls1-3 restricts the SSL VPN portal to TLS 1.3 only, so clients that cannot negotiate TLS 1.3 will no longer be able to connect:

config vpn ssl settings
    set ssl-min-proto-ver tls1-3
    set ssl-max-proto-ver tls1-3
end

For Linux clients, ensure OpenSSL 1.1.1a is installed.

Run the following commands in the Linux client terminal:

root@PC1:~/tools# openssl
OpenSSL> version

If OpenSSL 1.1.1a is installed, the system displays a response like the following:

OpenSSL 1.1.1a 20 Nov 2018

For Linux clients, use OpenSSL with the TLS 1.3 option to connect to the SSL VPN. The -tls1_3 option makes the client offer only TLS 1.3, so the handshake fails if the FortiGate does not accept that version.

Run the following command in the Linux client terminal:

openssl s_client -connect 10.1.100.10:10443 -tls1_3

Verify from the FortiGate CLI that the SSL VPN connection was established with TLS 1.3. Turn debugging off again once the check is complete.

diagnose debug application sslvpn -1
diagnose debug enable

The debug logs will show the following:

[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
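The following Python script is an added example; it is not part of the Fortinet article and not FortiOS or FortiClient code. It parses sslvpn debug output in the format of the line shown above and flags any session that did not negotiate TLS 1.3 with a TLS 1.3 cipher suite, which is the check an administrator wants after pinning ssl-min-proto-ver and ssl-max-proto-ver to tls1-3. It also includes a client-side probe that does what the openssl s_client -tls1_3 command does from Python. The function names, the second and third sample lines (a constructed TLS 1.2 session and an unrelated line), and the assumption that only the "SSL established: <version> <cipher>" part of the line is significant are the example's own.

```python
import re
import socket
import ssl

# The article shows the established-session line as
#   [207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
# The bracketed prefix is treated as opaque; only the version and cipher
# suite after "SSL established:" are extracted (assumption of this example).
ESTABLISHED_RE = re.compile(
    r"SSL established:\s+(?P<version>TLSv\d(?:\.\d)?)\s+(?P<cipher>\S+)"
)

# TLS 1.3 cipher suites from RFC 8446, Appendix B.4. A "TLSv1.3" session
# with any other suite would point to a parsing or logging problem.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def parse_established(lines):
    """Return (version, cipher) for every 'SSL established' debug line."""
    sessions = []
    for line in lines:
        m = ESTABLISHED_RE.search(line)
        if m:
            sessions.append((m.group("version"), m.group("cipher")))
    return sessions


def non_tls13_sessions(lines):
    """Return the sessions that did not negotiate TLS 1.3.

    Run this over the output of 'diagnose debug application sslvpn -1'
    after restricting the portal to tls1-3: the result should be empty.
    """
    return [
        (version, cipher)
        for version, cipher in parse_established(lines)
        if version != "TLSv1.3" or cipher not in TLS13_SUITES
    ]


def probe_tls13(host, port, cafile=None, timeout=5.0):
    """Client-side equivalent of 'openssl s_client -connect host:port -tls1_3'.

    Forces a TLS 1.3-only handshake and returns (protocol, cipher name).
    Pass the CA that signed the portal certificate via cafile to validate
    it; without a CA the certificate is not validated, since the purpose
    of the probe is only to observe the negotiated protocol version.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed sample input: the first line is the one shown in the article,
# the second is a made-up TLS 1.2 session of the kind that must disappear
# once TLS 1.3 is enforced, the third is an unrelated debug line.
SAMPLE_DEBUG = [
    "[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384",
    "[208:root:1e]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384",
    "[208:root:1e]some unrelated sslvpn debug line",
]

if __name__ == "__main__":
    print("sessions:", parse_established(SAMPLE_DEBUG))
    print("not TLS 1.3:", non_tls13_sessions(SAMPLE_DEBUG))
    # Live check against the portal address used in the article (needs network):
    # print(probe_tls13("10.1.100.10", 10443))
```

To use it on a real device, capture the debug output to a file and pass its lines to non_tls13_sessions; any entry it returns is a client that still negotiated an older protocol and needs to be updated before TLS 1.3 is made mandatory.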

Deep inspection (flow-based)

FortiOS supports TLS 1.3 for policies that have the following security profiles applied:

  • Web filter profile with flow-based inspection mode enabled.
  • Deep inspection SSL/SSH inspection profile.

For example, when a client attempts to access a website that supports TLS 1.3, FortiOS sends the traffic to the IPS engine.
The IPS engine then decodes TLS 1.3 and the client is able to access the website.