kyle-hsuan
New Contributor III

Fortiweb ssl cipher suites reorder

Hi


I want to reorder SSL cipher suites. Is it possible?

For example:

[screenshot]

Anthony_E
Community Manager

Hello Kyle,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
ebilcari
Staff

Basically this is the list of the ciphers that are presented during negotiation. Setting an order will not make any change. As long as the selected ciphers are still secure (no weak ciphers in the list) you should not worry about the order.

- Emirjon
AEK
SuperUser

Hello Kyle


Here I'm not providing an official response, just my thoughts.

If I remember well, the client sends the cipher suites in the order of "its" preference (which is "generally" from stronger to weaker), and then the server will (or should) respond with the available cipher suite following the client's preference list.


In the FWB docs I couldn't find how we can change the order of preference; it seems to me that FWB follows the client's preference, offering the first available one, going from the first to the last one preferred by the client.


Another possibility is that FortiWeb doesn't care about the client's preference: it just takes the list provided by the client and selects the strongest one from that list, as long as it is offered by FWB.


In both cases, what you have to do is just select on your FWB the list that you exclusively prefer, depending on your preference in terms of security or performance.

AEK
kyle-hsuan
New Contributor III

Hi AEK

From the packet capture:

I think the client sends the cipher suites it supports to the server.

[screenshot: ClientHello cipher suites]

and the server responds with the cipher suite FortiWeb selected, which is the first one at the top.

[screenshot: ServerHello cipher suite]

[screenshot]
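To make the reasoning in this thread concrete, here is an added example (not code from the thread or from Fortinet) that models the three selection behaviours discussed above, honouring the client's order, honouring the server's configured order, or picking the strongest common suite, and then checks which of them are consistent with a captured ClientHello order and ServerHello choice, as Kyle did; the cipher lists and the strength ranking are constructed for the demo.

```python
"""Model of TLS cipher-suite selection: which suite a server ends up with
under three policies (client order, server order, strongest common suite).
Cipher names are OpenSSL-style, as in the FortiWeb CLI; every list here is
constructed for the example, not captured from a device."""

from typing import Optional, Sequence

# Constructed strength ranking (higher is preferred); a real policy would
# rank by key exchange, cipher and MAC, this is only enough for the demo.
STRENGTH = {"ECDHE-ECDSA-AES256-SHA": 3, "AES128-SHA256": 2, "DES-CBC3-SHA": 1}

POLICIES = ("server-preference", "client-preference", "strongest-common")


def select_cipher(client_offer: Sequence[str], server_config: Sequence[str],
                  policy: str) -> Optional[str]:
    """Return the suite the server picks, or None when nothing overlaps
    (the client would then see a handshake_failure alert)."""
    common = [c for c in client_offer if c in server_config]
    if not common:
        return None
    if policy == "server-preference":
        # Walk the server's configured list; first one the client offered wins.
        return next(c for c in server_config if c in common)
    if policy == "client-preference":
        # Client order is already preserved in `common`.
        return common[0]
    if policy == "strongest-common":
        return max(common, key=lambda c: STRENGTH.get(c, 0))
    raise ValueError(f"unknown policy {policy!r}")


def consistent_policies(client_offer, server_config, observed):
    """Given a captured ClientHello order and the ServerHello choice, return
    the policies that would have produced that choice (several may match)."""
    return {p for p in POLICIES
            if select_cipher(client_offer, server_config, p) == observed}


# Constructed sample: the two suites from the CLI transcript, offered by the
# client in the opposite order to the server's list, plus one suite the
# server does not enable at all.
SERVER_CONFIG = ["ECDHE-ECDSA-AES256-SHA", "AES128-SHA256"]
CLIENT_OFFER = ["AES128-SHA256", "ECDHE-ECDSA-AES256-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for p in POLICIES:
        print(f"{p:18} -> {select_cipher(CLIENT_OFFER, SERVER_CONFIG, p)}")
    # A capture where the server answers ECDHE-ECDSA-AES256-SHA rules out
    # client-preference but cannot separate the other two policies.
    print(consistent_policies(CLIENT_OFFER, SERVER_CONFIG, "ECDHE-ECDSA-AES256-SHA"))
```

A capture that only shows the strongest suite being chosen cannot tell server-preference from strongest-common; swapping the server's configured order, as AEK tries in the CLI below, is what would separate them.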


AEK

Hi Kyle

Thanks for sharing so we can learn better how it works.

I also tried to change the order from the CLI, but it doesn't seem to work.


FWB # show server-policy ssl-ciphers custom
config server-policy ssl-ciphers custom
edit "my-cipher1"
set tls-v10 disable
set tls-v11 disable
set ssl-cipher custom
set ssl-custom-cipher ECDHE-ECDSA-AES256-SHA AES128-SHA256
next
end


FWB # config server-policy ssl-ciphers custom
FWB (custom) # edit "my-cipher1"
FWB (my-cipher1) # set ssl-custom-cipher AES128-SHA256 ECDHE-ECDSA-AES256-SHA
FWB (my-cipher1) # next
FWB (custom) # end


FWB # show server-policy ssl-ciphers custom
config server-policy ssl-ciphers custom
edit "my-cipher1"
set tls-v10 disable
set tls-v11 disable
set ssl-cipher custom
set ssl-custom-cipher ECDHE-ECDSA-AES256-SHA AES128-SHA256
next
end

So if I understand well, FWB forces the cipher suite negotiation from the stronger to weaker, and doesn't allow you to change this behavior, right?

AEK