Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SteveRoadWarrior
New Contributor III

Created on ‎03-10-2016 06:08 AM

How to resolve the DROWN attack (SSLv2) on Fortimail

Couldn't find anything straightforward about disabling SSL v2 on Fortimail.

 

Executed this command which seems to have helped:

Config system global

                Set strong-crypto enable

End

 

we are running v. 4 code

Let us know if there's a better way, or if this helps you.

 

5615
0 Kudos
1 Solution
Carl_Windsor_FTNT
Staff
Staff

Created on ‎03-10-2016 06:32 AM

This is documented on p.271 of the CLI Reference Guide .

You can control the SSL versions dirctly using:

config system global
  set ssl-versions {ssl3 | tls1_0 | tls1_1 | tls1_2}
end

...or do as you have done which sets only strong SSL versions / ciphers and digests.

The option to leave RC4 enabled is also available to support legacy broken versions of Exchange in case you run into trouble.

 

You might also want to take a look at this thread for some other comments https://forum.fortinet.com/tm.aspx?m=129140#129140

 

Dr. Carl Windsor
Chief Information Security Officer (CISO)
Fortinet

View solution in original post

2389
0 Kudos
5 REPLIES 5
Carl_Windsor_FTNT
Staff
Staff

Created on ‎03-10-2016 06:32 AM

This is documented on p.271 of the CLI Reference Guide .

You can control the SSL versions dirctly using:

config system global
  set ssl-versions {ssl3 | tls1_0 | tls1_1 | tls1_2}
end

...or do as you have done which sets only strong SSL versions / ciphers and digests.

The option to leave RC4 enabled is also available to support legacy broken versions of Exchange in case you run into trouble.

 

You might also want to take a look at this thread for some other comments https://forum.fortinet.com/tm.aspx?m=129140#129140

 

Dr. Carl Windsor
Chief Information Security Officer (CISO)
Fortinet

2390
0 Kudos
SteveRoadWarrior
New Contributor III
In response to Carl_Windsor_FTNT

Created on ‎03-10-2016 06:36 AM

 

thanks Carl!

2348
0 Kudos
kshitijsinghai
New Contributor

Created on ‎03-14-2016 10:34 AM

I want to implement Fortimail 200D in server mode and need to create local user accounts. Is there any limit for local user accounts.

 

 

2349
0 Kudos
abelio
SuperUser
SuperUser
In response to kshitijsinghai

Created on ‎03-18-2016 03:06 PM

k****ijsinghai wrote:

I want to implement Fortimail 200D in server mode and need to create local user accounts. Is there any limit for local user accounts.

 

 

Hello,

indeed, there is a limit by model, by this thread is about another topic

Open your question in a clean thread to avoid noise.

regards




/ Abel

regards / Abel
2349
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to abelio

Created on ‎03-20-2016 03:36 AM

@Steve, @Carl: there is no such setting in v4.3 yet, only in later releases (CLI Ref. pg. 277).

 

'strong-crypto' will restrict the encryption cyphers to 3DES and AES and the hash algo to SHA1.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
2349
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.