Support Forum
Ramesh_M
New Contributor

Need to block SSL version 3

Hi Team,

 

Kindly help me to block sslv3 in FortiOS 5.

 

Regards / Ramesh M

Ramesh M Technical Specialist - CCNA(Security), FCNSP, ACE, ASE, ITIL blogs.itzecuriry.in
FatalHalt
Contributor II

There are different places where SSLv3 can be turned on / off on the FortiGate. The biggest one is in the GUI:

 

config system global 
    set strong-crypto enable
end

 

But there are some other places as well; all references are on the FortiGuard page here: http://www.fortiguard.com...POODLE--Vulnerability/

Ralph1973
Contributor

Hello,

You may want to disable it for VPN access as well:

 

config vpn ssl settings
    set sslv3 disable
end

PaulM1114
New Contributor III

I disabled sslv3 for SSL VPN and now FortiClient will not connect.  If I enable it FortiClient connects without a problem.

How do I force FortiClient to not use sslv3?

 

Thanks!

Ralph1973

Hello, you can set TLS enabled. Like this:

config vpn ssl settings
    set sslvpn-enable enable
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 enable
    set tlsv1-2 enable
end

 

Grtz. Ralph

PaulM1114
New Contributor III

This is how I have it configured, but FortiClient does not connect.  Is there a way to force FortiClient to use TLS?

 

Change_Me # get vpn ssl set
sslvpn-enable       : enable 
sslv3               : disable 
tlsv1-0             : enable 
tlsv1-1             : enable 
tlsv1-2             : enable 
Ralph1973

Hello,

 

This is the full config I configured for one of our customers, see below.

Note: when you type config vpn ssl settings and then type sh full, you will see all settings of the section.

Note 2: they use FortiClient 4.0.2308.

 

config vpn ssl settings
    set sslvpn-enable enable
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 enable
    set tlsv1-2 enable
    set dns-server1 10.101.100.53
    set dns-server2 10.101.100.54
    set route-source-interface disable
    set reqclientcert disable
    set sslv2 disable
    set allow-ssl-big-buffer disable
    set allow-ssl-insert-empty-fragment enable
    set allow-ssl-client-renegotiation disable
    set force-two-factor-auth disable
    set force-utf8-login disable
    set servercert "Fortinet_CA_SSLProxy"
    set algorithm default
    set idle-timeout 300
    set auth-timeout 28800
    set tunnel-ip-pools "sslvpn-pool_192.168.200.0"
    set dns-suffix ''
    set wins-server1 0.0.0.0
end
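A way to check the effect of the settings above from outside the FortiGate, added here as an example and not code from the thread or from Fortinet: the script sends a hand-built ClientHello for SSLv3, TLS 1.0, 1.1 and 1.2 to the SSL VPN port (10443 in the thread) and reports whether the listener answers with a ServerHello or refuses. It builds the record layer by hand because current Python/OpenSSL builds cannot emit an SSLv3 ClientHello at all. The host, the port and the cipher suite list are assumptions; a client failure like the one in the debug output later in the thread is easier to diagnose once you know which versions the listener actually completes a handshake for.

```python
"""Probe which SSL/TLS protocol versions a listener will negotiate.

Added example: after `set sslv3 disable` (and `set tlsv1-0 disable`) on a
FortiGate SSL VPN, run this against the SSL VPN port and confirm that SSLv3
is refused and TLS 1.2 is accepted.  Host, port and cipher suites below are
assumptions, not values taken from the original posts.
"""
import os
import socket
import struct
import sys

# (major, minor) wire versions: 3.0 = SSLv3, 3.1 = TLS 1.0, 3.2 = TLS 1.1, 3.3 = TLS 1.2
VERSIONS = {
    "SSLv3": (3, 0),
    "TLS1.0": (3, 1),
    "TLS1.1": (3, 2),
    "TLS1.2": (3, 3),
}
NAME_BY_VERSION = {v: k for k, v in VERSIONS.items()}

# Widely implemented RSA/ECDHE suites (assumed list) so the server has a
# suite it can pick whichever version is being offered.
CIPHER_SUITES = [
    0xC02F, 0xC02B,  # ECDHE-RSA/ECDSA-AES128-GCM-SHA256 (TLS 1.2 only)
    0x009C, 0x003C,  # AES128-GCM-SHA256, AES128-SHA256 (TLS 1.2 only)
    0xC013, 0xC014,  # ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA
    0x002F, 0x0035,  # AES128-SHA, AES256-SHA
    0x000A, 0x0005,  # DES-CBC3-SHA, RC4-SHA (legacy, still common on old VPN gear)
]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version):
    """Return a minimal ClientHello record for the given (major, minor) version.

    No extensions are sent: SSLv3 has none, and leaving SNI out keeps the probe
    identical across versions (add SNI if a TLS 1.2 probe is unexpectedly refused).
    """
    major, minor = version
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])                        # client_version
        + os.urandom(32)                             # random
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record header: content type 22 (handshake), record version, length.
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record the server sent back.

    Returns (verdict, detail); verdict is 'accepted', 'rejected' or 'unknown'.
    """
    if not data:
        return ("rejected", "connection closed without a response")
    if len(data) < 5:
        return ("unknown", "short read")
    rec_type = data[0]
    if rec_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        chosen = (data[9], data[10])                               # server_version
        return ("accepted", "server chose " + NAME_BY_VERSION.get(chosen, "%d.%d" % chosen))
    if rec_type == 0x15 and len(data) >= 7:                        # Alert
        desc = data[6]
        return ("rejected", "alert %s (%d)" % (ALERT_NAMES.get(desc, "unknown"), desc))
    return ("unknown", "unexpected record type 0x%02x" % rec_type)


def probe(host, port, version, timeout=5.0):
    """Open one TCP connection, send a ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""   # a reset or silence counts as a refusal
    return classify_response(data)


def main(argv):
    if len(argv) != 3:
        print("usage: %s <host> <port>" % argv[0])
        return 2
    host, port = argv[1], int(argv[2])
    for name, version in VERSIONS.items():
        verdict, detail = probe(host, port, version)
        print("%-7s %-9s %s" % (name, verdict, detail))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 probe.py <fortigate-ip> 10443`. With the config above in place the expected outcome is SSLv3 and TLS 1.0 rejected (an alert or a closed connection) and TLS 1.1 / 1.2 accepted; a listener that still completes an SSLv3 handshake has not picked up the change (check that `end` was typed and the SSL VPN daemon restarted if the firmware requires it).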

PaulM1114
New Contributor III

I have the identical settings for SSL VPN on the FortiGate except for DNS server IPs of course.

I'm using FortiClient 5.2.3.0633.  I can't figure out how to force this version to negotiate TLS 1.x.

 

Here's the output from an SSLVPN debug I ran yesterday while attempting to VPN in.

 

2015-03-16 19:46:34 [3957:root]SSL state:before/accept initialization (172.16.5.82)
2015-03-16 19:46:34 [3957:root]SSL state:SSLv2/v3 read client hello A:(null)(172.16.5.82)
2015-03-16 19:46:34 [3957:root]SSL_accept failed, 1:unknown protocol
2015-03-16 19:46:34 [3957:root]Destroy sconn 0x3106a600, connSize=0.

 

 

Ralph1973

Hello Paul,

I just tested it with the 5.2 version of FortiClient and I can't get through either :(

I don't know whether you can force FortiClient to use a specific protocol.

Besides, I have also configured it (to use TLS, thus not SSL) on FortiGates that run on 5.2 and there I can connect with the 5.2 client...

 

 

b_row
New Contributor

I had a similar problem, resolved as follows on the Windows client stations:
1) I identified that accessing the link https://<ip-address>:10443 was not working in Internet Explorer, but the test in Firefox worked;
2) I checked the advanced settings of Internet Explorer and activated the option to use TLS 1.2;
3) I tested the connection with the SSL VPN client again and it started to work.
Hope this helps.
