Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ramesh_M
New Contributor

Need to block SSL version 3

Hi Team,

 

Kindly help me to block sslv3 in FortiOS 5.

 

Regards / Ramesh M

Ramesh M Technical Specialist - CCNA(Security), FCNSP, ACE, ASE, ITIL blogs.itzecuriry.in

Ramesh M Technical Specialist - CCNA(Security), FCNSP, ACE, ASE, ITIL blogs.itzecuriry.in
25 REPLIES 25
emnoc
Esteemed Contributor III

I never seen any problems with disabling sslv3. Here's  my cfg;

 

SOC60D (root) # show vpn ssl settings config vpn ssl settings     set sslv3 disable     set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"     set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"     set port 10443     set source-interface "wifi"     set source-address "all"     set source-address6 "all"     set default-portal "default" end

To test it's quite simple;

 

You 1st need to ensure that tls1v is enabled on that port. I would use a unix curl like program available on linux, macosx or most other  unixes

 

 

curl  –k -3  https://1.1.1.1:10443

curl -k -2   https://1.1.1.1:10443

curl -k -1  https://1.1.1.1:10443

 

Then you can test with the client. Alternatively, you can test with the “curl” above or via a tlsv1.x  only enabled browser the choice is up to you. But if you can hit the portal at tls1.x and  if the fortiClient can’t than it always the lack the enabling of tls in the client.

 

BTW I'm  using 5.2.3.370 on MACOSX and it's strong and good;

 

20150317 21:17:18.959 [sslvpn:INFO] unknown:0 [xml config]: GET /remote/fortisslvpn_xml ... (received 668 bytes): HTTP/1.1 200 OK Date: Tue, 17 Mar 2015 20:17:09 GMT Set-Cookie: SVPNCOOKIE=CRkqc6/CvXoOJqh/wUoYtODK4RjBXJ5E2E1pYZ9dxwt8g3OhaqgfCRR3PdirJe6P%0aGR2joncgMQL2B3evrYDLyFFxjq284KeOtpAKPTWJV+2jtCpMz1y31js4ab+dTs5Q%0aMHPGy0OCPgo/mS9PlYsDJZJGziSJepz5BAClrux5DgE=%0a; path=/; secure; httponly Transfer-Encoding: chunked Content-Type: text/xml X-Frame-Options: SAMEORIGIN <?xml version='1.0' encoding='utf-8'?><sslvpn-tunnel ver='1'><fos platform='FWF60D' major='5' minor='02' patch='2' build='0642' branch='642' /><client-config save-password='off' keep-alive='off' auto-connect='off' /><ipv4></ipv4><idle-timeout val='300' /><auth-timeout val='28800' /></sslvpn-tunnel> ---- 20150317 21:17:18.965 [sslvpn:INFO] unknown:0 dns suffix: 20150317 21:17:18.969 [sslvpn:INFO] unknown:0 epctrl ping server: 20150317 21:17:18.972 [sslvpn:DEBG] unknown:0 PPP 20150317 21:17:18.975 [sslvpn:INFO] unknown:0 begin io loop 20150317 21:17:18.978 [sslvpn:INFO] unknown:0 launch ssl read thread 20150317 21:17:18.981 [sslvpn:INFO] unknown:0 launch tty read thread 20150317 21:17:18.981 [sslvpn:INFO] unknown:0 ssl read thread started 20150317 21:17:18.983 [sslvpn:INFO] unknown:0 main thread waiting for threads termination 20150317 21:17:18.983 [sslvpn:INFO] unknown:0 ssl write thread started 20150317 21:17:18.983 [sslvpn:INFO] unknown:0 tty read thread started 20150317 21:17:18.987 [sslvpn:INFO] unknown:0 tty write thread started 20150317 21:17:18.987 [sslvpn:DEBG] unknown:0 begin to write to ssl 20150317 21:17:19.030 [sslvpn:INFO] unknown:0 got peer's ip address 20150317 21:17:19.987 [sslvpn:INFO] unknown:0 ppp interface is up 20150317 21:17:19.996 [sslvpn:INFO] unknown:0 Current dns 0: 10.10.80.1 20150317 21:17:21.005 [sslvpn:INFO] unknown:0 try to get ppp's ip address 10.212.134.1 20150317 21:17:21.011 [sslvpn:INFO] unknown:0 No split tunnel is specified 20150317 21:17:21.019 [sslvpn:INFO] unknown:0 no dns configured on fgt, keep current dns, ret = 0 20150317 21:17:21.029 [sslvpn:INFO] unknown:0 ppp address: 10.212.134.1 20150317 21:17:21.036 [sslvpn:INFO] unknown:0 sending sslvpn up message to vpn controller. ping server is  allow_save_password:0 allow_keep_alive:0 allow_auto_connect:0  

And to add;

 

SSL neg should always take the higher version if the client is enabled. So TLSv1.2 over v1.1 over sslv3 , and please don’t use  sslv2. You can use the following debug

 

diag debug app sslvpnd -1

 

And monitor the connection output;

 

[17121:root:43]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
PaulM1114
New Contributor III

I've made a little progress...

I enabled tlsv1.0 and was able to connect.  When I disable it I cannot connect.

Change_Me # get vpn ssl settings sslvpn-enable       : enable sslv3               : disable tlsv1-0             : enable tlsv1-1             : enable tlsv1-2             : enable

However, I do not want to use TLS 1.0 because it suffers from CBC chaining attacks, so I would like to use TLS 1.1 or 1.2.

How can I force FortiClient to connect using TLS 1.1 or 1.2?

 

Thanks,

 

Paul

 

emnoc
Esteemed Contributor III

Delete the other 2 that you don't  require and retest.

 

TLS1vX was include in the  5 code train , so  I believe tlv1.0 should be okay unless you have some type of CVE to reference

 

Just test using a browser or curl after and before starting the  forticlient. You should really diag debug the application sslvpnd and I betcha your forticlient is always selecting the higher proposal regardless. If your running the latest 5.2.X forticlient, it should always support tls1.2 as  the 1st pickings from my own testing with macos and window.  I can't speak of linux.

 

I would be careful with disabling the other proposal if you have any older forticlient installed.

 

ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
PaulM1114
New Contributor III

Thank you for your assistance!  I don't have a CVE specific to CBC weakness, but I've read about it on several forums, for example http://crypto.stackexchan...cbc-in-ssl-be-attacked

 

Here's the output from an SSLVPN debug I ran a couple days ago while attempting to VPN in with both sslv3 and tls1.0 disabled in the FortiGate SSL VPN settings.  So only TLS1.1 and TLS1.2 are enabled.  Should it matter that I am using a Windows XP computer to test with?   2015-03-16 19:46:34 [3957:root]SSL state:before/accept initialization (172.16.5.82) 2015-03-16 19:46:34 [3957:root]SSL state:SSLv2/v3 read client hello A:(null)(172.16.5.82) 2015-03-16 19:46:34 [3957:root]SSL_accept failed, 1:unknown protocol 2015-03-16 19:46:34 [3957:root]Destroy sconn 0x3106a600, connSize=0.

emnoc
Esteemed Contributor III

I don't know,  but I would use a curl or similar client that allows you to test using just the protocol(s) that you have enabled. I believe curl was supported in a 3rd party package for windows. Worst case, you could fumble around with the about:config or equal and manipulate the browser to support just only the one protocol and test the web portal if enabled.

 

Alternatively, you can enable this still of testing with openssl

 

e.g

openssl s_client -tls1 -connect www.wwt.com:443

 

This is good for a quick test and to see what ciphers are being used between client and server.

 

 

On the FCclient, I do not recall any XML parameter that specifically spec one protocol over another. The client should negotiate  a mutual support protocol with what's enabled on the fortigate. I'm sure someone would correct me if this is still not the case.

 

What version of  FCclient are you using? I'm going to conduct my own follow up testing with the 5.2.3.370 version and a Fortigate running 5.2 and see what happens. Stay tuned.

 

 

I hope this helps

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
PaulM1114
New Contributor III

I am not using a browser, I am using the SSL VPN client build into FortiClient 5.2.3.0633.

Unfortunately curl does not work on WindowsXP (something about a kernel32.dll error.)

Anyway, I will install OpenSSL and continue testing.

 

Thanks,

 

Paul

 

PaulM1114
New Contributor III

Using OpenSSL (running on the same WinXP system I've been testing from) I was able to successfully connect to the FortiGate SSL VPN port using TLS 1.1 and 1.2.  So the question is why can't FortiClient 5.2.3.0633 (which is also running on this WinXP laptop) connect using TLS 1.1 or 1.2 to the same FortiGate?

 

Paul

 

b_row
New Contributor

Paul,

 

Windows XP with Internet Explorer 8.0 not support TLS 1.1 and 1.2 . only Windows 7 and higher support. Validate Control Panel> Internet Options> Advanced, because you will not find support TLS 1.1 and TLS 1.2 on Windows XP stations.

 

Hope this helps

PaulM1114
New Contributor III

Although I have Internet Explorer 8 installed on my Windows XP laptop I am not using Internet Explorer for SSL VPN.

I am using FortiClient 5.2.3.0633.

 

Thanks,

 

Paul

jaustgen

PaulM1114 wrote:

Although I have Internet Explorer 8 installed on my Windows XP laptop I am not using Internet Explorer for SSL VPN.

I am using FortiClient 5.2.3.0633.

 

The Fortinet client uses Internet Explorer's settings for SSL/TLS.  Although these setting are in the IE settings window, they are actually intended to be the settings for all of Windows, and most programs (but not Firefox) will follow IE's settings.  If you enable TLS 1.1 and 1.2 in IE settings, they will be enabled for Forticlient as well.  

 

Since you are on IE8, these settings are not available as TLS 1.1 and 1.2 support were not added until IE9.

Since you are on XP, you cannot upgrade past IE8, so you are out of luck.  You will need to upgrade your OS, or allow TLS 1.0 connections on your Fortigate.  

Top Kudoed Authors