We are using one of your FortiWeb products with 5.35 firmware in reverse proxy mode. I have a few questions about this.
A few weeks ago an SSL vulnerability called Logjam was discovered. The researchers recommend generating a strong Diffie-Hellman group (2048-bit or more): https://weakdh.org/sysadmin.html. FortiWeb only supports 1024-bit. 1024 might be enough, but it is recommended to use more. In fact, we had an SSL Labs A rating. Now it is capped at B because of that.
Is there any way to generate a 2048-bit DHE group, or better 4096? It would also be nice to have more control over that. Cloudflare only supports ECDHE, so they don't have these problems. Maybe you could integrate a function in future firmware versions to completely disable DHE and only enable ECDHE.
In general I would like to see more control over the SSL configuration in FortiWeb. The recommended SSL configuration for web servers is changing frequently nowadays. It is nearly impossible to keep up with the latest security recommendations when I don't have control over it.
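An added check for the point raised above (example code written for this page, not from the thread or from Fortinet): it classifies the ephemeral key exchange reported on the `Server Temp Key` line of `openssl s_client` output against the post-Logjam 2048-bit minimum, and reads the prime size out of a PEM `DH PARAMETERS` block with a minimal DER parser. The s_client snippets and the DH moduli are constructed inline; the moduli are not primes and are only there to exercise the parser.

```python
import base64
import re

MIN_DH_BITS = 2048  # weakdh.org's post-Logjam minimum for finite-field DHE

# Constructed tail of an `openssl s_client -connect host:443` session; not real output
# from the poster's FortiWeb. ECDH shows the curve name as a middle field.
SCLIENT_1024 = "New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384\nServer Temp Key: DH, 1024 bits\n"
SCLIENT_ECDHE = "New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256\nServer Temp Key: ECDH, P-256, 256 bits\n"

def classify_temp_key(s_client_output):
    """Read the 'Server Temp Key' line and decide whether the ephemeral key
    exchange is Logjam-weak (finite-field DH below 2048 bits)."""
    m = re.search(r"Server Temp Key: (\w+), (?:([\w-]+), )?(\d+) bits", s_client_output)
    if not m:
        return None
    kind, curve, bits = m.group(1), m.group(2), int(m.group(3))
    # ECDH (and X25519 in newer OpenSSL) has no fixed finite-field group to precompute against
    weak = kind == "DH" and bits < MIN_DH_BITS
    return {"kind": kind, "curve": curve, "bits": bits, "weak": weak}

def _der_tlv(buf, pos):
    """Minimal DER reader: return (tag, value, next_pos) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem):
    """Bit length of p in a PEM 'DH PARAMETERS' block, i.e. the PKCS#3
    DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } that `openssl dhparam`
    writes; no external crypto library needed."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _der_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p, _ = _der_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(p, "big").bit_length()

def _der_len(n):
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")

def _der_int(n):
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra 0x00 keeps the sign positive
    return b"\x02" + _der_len(len(b)) + b

def make_dh_pem(p, g=2):
    """Constructed 'DH PARAMETERS' PEM for exercising the parser; p need not be prime."""
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"
```

Against a live host, feed the last few lines of `openssl s_client -connect host:443 -cipher DHE` to `classify_temp_key`; a 1024-bit result is the condition that caps the SSL Labs grade at B.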
You've probably noticed how in FortiWeb 5.3 we are already adding more fine-grained controls for SSL/TLS. If you require Qualys ratings, please contact your sales channel to see if you need an NFR (new feature request).
Often, you don't need to configure any new options; just upgrade ASAP. Fortinet takes care of it under the hood. An RNG usage flaw or MITM forced downgrade like FREAK or Logjam would be one such example. FortiWeb won't necessarily be vulnerable to those, anyway. (It wasn't vulnerable to FREAK, Heartbleed and others.)
A developer with full access to source code can add that level of fine-grained control. It may already be on the roadmap, but if you contact them, you can give your input. That way it will have the exact behaviour that you need.
That's why I recommend that if the current release does not do what you need, please contact your reseller or file an NFR with us.