Description: This article addresses the connectivity problem that occurs when the TLS 1.3 protocol is enforced for SSL VPN connections from remote users on Windows 10 machines running FortiClient.
Scope: FortiGate, Windows 10 machines.
Solution:
Objective: SSL VPN connectivity problem when enforcing the TLS 1.3 protocol on Windows 10 machines, and a possible workaround.
Introduction: Some organizations prefer to enforce the TLS 1.3 protocol so that only its secure cipher suites are used for remote SSL VPN connections to internal resources. In this case the administrator enables only the TLS 1.3 protocol on both the FortiGate and the remote Windows 10 machines. On Windows 10, the administrator can enforce TLS 1.3 under Internet Options -> Advanced -> Settings by selecting the 'Use TLS 1.3' option, as per the following:
It is evident from the above screenshot that TLS 1.3 is labelled an experimental security protocol on Windows 10 and may lack some of the secure algorithms of the full-fledged TLS 1.3 protocol.
To enforce TLS 1.3 on the FortiGate, make sure ssl-min-protocol-ver and ssl-max-protocol-ver are both set to TLS 1.3, as per the following:
In this scenario the SSL VPN connection fails: remote FortiClient users on Windows 10 cannot connect to the SSL VPN to access internal corporate resources. The connectivity problem does not affect remote SSL VPN users on Windows 11 or macOS machines.
Workaround for Windows 10: When the requirement is to use the secure TLS 1.3 protocol, the workaround for the connectivity problem on Windows 10 machines is to disable the weak TLS 1.2 ciphers and enable TLS 1.2 alongside TLS 1.3 on both the FortiGate and the Windows 10 machines.
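The Windows 10 side of the workaround can be scripted rather than clicked through. The following PowerShell is an added example, not code from the Fortinet article: it ensures the SCHANNEL TLS 1.2 client is enabled, removes a selection of weak TLS 1.2 cipher suites using the built-in TLS cmdlets, and lists what remains so the result can be reviewed. The list of suites to disable is a constructed selection (legacy RC4/3DES, static-RSA and CBC suites), not a list from the article; it assumes the 'Use TLS 1.3' option has already been enabled in Internet Options as described above, and that the script runs from an elevated prompt.

```powershell
# Added example (not from the Fortinet article): Windows 10 client-side part of the workaround.
# Run from an elevated PowerShell prompt. Assumes 'Use TLS 1.3' is already selected in
# Internet Options -> Advanced -> Settings.

# 1. Make sure TLS 1.2 is enabled for the SCHANNEL client. It is enabled by default, but a
#    hardening policy that disabled it would break the TLS 1.2 -> TLS 1.3 negotiation.
$tls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
New-Item -Path $tls12Client -Force | Out-Null
New-ItemProperty -Path $tls12Client -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $tls12Client -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null

# 2. Disable weak TLS 1.2 cipher suites. Constructed selection: RC4/3DES, static-RSA key
#    exchange (no forward secrecy) and CBC-mode suites (no AEAD). ECDHE + AES-GCM suites,
#    which the FortiGate side also needs to accept, are left enabled.
$weakSuites = @(
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_RC4_128_MD5',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
)
foreach ($suite in $weakSuites) {
    # A suite that is absent on this Windows build raises an error; ignore it and continue.
    Disable-TlsCipherSuite -Name $suite -ErrorAction SilentlyContinue
}

# 3. Show the remaining enabled suites and the protocol versions each applies to, so the
#    set can be compared with what the FortiGate accepts before FortiClient reconnects.
Get-TlsCipherSuite | Select-Object Name, Protocols | Sort-Object Name
```

Review the final list against the cipher configuration on the FortiGate: if the two sides no longer share a TLS 1.2 suite, the initial negotiation described in the debug output cannot complete and the connection fails in the same way as with TLS 1.3 only. Cipher suite changes apply to new connections, so restart FortiClient (or reboot) before testing, and check that no Group Policy cipher suite order re-enables a suite removed here.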
Debug Output: With the above workaround in place, the debug output below shows that the SSL VPN connection uses TLS 1.2 for the initial TLS negotiation between the FortiGate and the Windows 10 machine and then switches to the TLS 1.3 protocol:
[5591:root:1e]allocSSLConn:307 sconn 0x7fb7156a00 (0:root)
Conclusion: If the corporate security requirement is to use the secure TLS 1.3 protocol for SSL VPN connections, then disabling the weak TLS 1.2 ciphers and enabling TLS 1.2 in addition to TLS 1.3 on both the FortiGate and the remote Windows 10 machines is a valid, secure alternative that avoids the connectivity problem.
Copyright 2024 Fortinet, Inc. All Rights Reserved.