New Contributor

Need to block SSL version 3

Hi Team,


Kindly help me to block sslv3 in FortiOS 5.


Regards / Ramesh M

Ramesh M Technical Specialist - CCNA(Security), FCNSP, ACE, ASE, ITIL

Contributor II

There are different places where SSLv3 can be turned on/off on the FortiGate. The biggest one is in the GUI:


config system global
    set strong-crypto enable
end


But there are some other places as well; all references are on the FortiGuard page here:



You may want to disable it for VPN access as well:


config vpn ssl settings
    set sslv3 disable
end

New Contributor III

I disabled sslv3 for SSL VPN and now FortiClient will not connect.  If I enable it FortiClient connects without a problem.

How do I force FortiClient to not use sslv3?




Hello, you can set TLS enabled. Like this:

config vpn ssl settings
    set sslvpn-enable enable
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 enable
    set tlsv1-2 enable
end


Grtz. Ralph

New Contributor III

This is how I have it configured, but FortiClient does not connect.  Is there a way to force FortiClient to use TLS?


Change_Me # get vpn ssl set
sslvpn-enable       : enable 
sslv3               : disable 
tlsv1-0             : enable 
tlsv1-1             : enable 
tlsv1-2             : enable 
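
An added example, not part of the original thread and not Fortinet code: a small offline audit of saved `get vpn ssl settings` or `show` output that flags legacy protocol versions still enabled on the SSL VPN. The policy (sslv2, sslv3 and tlsv1-0 off, at least one of tlsv1-1/tlsv1-2 on) is an assumption taken from the configuration posted in this thread; `SHOW_OUTPUT` is constructed sample input.

```python
import re

# Setting names as they appear in the thread's `config vpn ssl settings` output.
LEGACY = ("sslv2", "sslv3", "tlsv1-0")   # assumed policy: must be disabled
MODERN = ("tlsv1-1", "tlsv1-2")          # assumed policy: at least one enabled

# Matches `get` style ("sslv3 : disable") and `show` style ("set sslv3 disable").
LINE_RE = re.compile(
    r"^\s*(?:set\s+)?([a-z0-9-]+)\s*(?::\s*|\s+)(enable|disable)\s*$")

def parse_settings(text):
    """Return {setting: bool} for every enable/disable line in the text."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = (m.group(2) == "enable")
    return settings

def audit(text):
    """Return a list of findings; an empty list means the policy is met."""
    s = parse_settings(text)
    findings = []
    for key in LEGACY:
        if key not in s:
            # Abbreviated `get` output may omit a setting; do not assume it is off.
            findings.append(f"{key}: not present in output, state unknown")
        elif s[key]:
            findings.append(f"{key}: enabled, should be disabled")
    if not any(s.get(k) for k in MODERN):
        findings.append("no TLS 1.1/1.2 enabled, clients cannot negotiate")
    return findings

# Output as posted in the thread above.
GET_OUTPUT = """Change_Me # get vpn ssl set
sslvpn-enable       : enable
sslv3               : disable
tlsv1-0             : enable
tlsv1-1             : enable
tlsv1-2             : enable
"""
# Constructed sample in `show` style.
SHOW_OUTPUT = """config vpn ssl settings
    set sslv2 disable
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 enable
    set tlsv1-2 enable
end
"""
if __name__ == "__main__":
    for name, text in (("get", GET_OUTPUT), ("show", SHOW_OUTPUT)):
        print(name, audit(text) or "OK")
```
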



This is the full config I configured for one of our customers, see below.

Note, when you type config vpn ssl settings and then type sh full, you will see all settings of the section.

Note2, they use FortiClient 4.0.2308


config vpn ssl settings
    set sslvpn-enable enable
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set dns-server1
    set dns-server2
    set route-source-interface disable
    set reqclientcert disable
    set sslv2 disable
    set allow-ssl-big-buffer disable
    set allow-ssl-insert-empty-fragment enable
    set allow-ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set force-utf8-login disable
    set servercert "Fortinet_CA_SSLProxy"
    set algorithm default
    set idle-timeout 300
    set auth-timeout 28800
    set tunnel-ip-pools "sslvpn-pool_192.168.200.0"
    set dns-suffix ''
    set wins-server1

New Contributor III

I have the identical settings for SSL VPN on the FortiGate except for DNS server IPs of course.

I'm using FortiClient  I can't figure out how to force this version to negotiate TLS 1.x.


Here's the output from an SSLVPN debug I ran yesterday while attempting to VPN in.


2015-03-16 19:46:34 [3957:root]SSL state:before/accept initialization (

2015-03-16 19:46:34 [3957:root]SSL state:SSLv2/v3 read client hello A:(null)(

2015-03-16 19:46:34 [3957:root]SSL_accept failed, 1:unknown protocol

2015-03-16 19:46:34 [3957:root]Destroy sconn 0x3106a600, connSize=0.




Hello Paul,

I just tested it with 5.2 version of Forticlient and I can't get through either :(

I don't know whether you can force Forticlient to use a specific protocol.

Besides, I have also configured it (to use TLS, thus not SSL) on FortiGates that run on 5.2, and there I can connect with the 5.2 client...



New Contributor

I had a similar problem, resolved as follows on the Windows client stations:

1) I identified that accessing the link https://<ip-address>:10443 was not working in Internet Explorer, but the test in Firefox worked;
2) I then checked the advanced settings for Internet Explorer and activated the option to use TLS 1.2;
3) I performed the test again with the SSLVPN client and it started to work.

Hope this helps.

