Ramesh_M
New Contributor

Need to block SSL version 3

Hi Team,

 

Kindly help me to block sslv3 in FortiOS 5.

 

Regards / Ramesh M

Ramesh M Technical Specialist - CCNA(Security), FCNSP, ACE, ASE, ITIL blogs.itzecuriry.in
emnoc
Esteemed Contributor III

I have never seen any problems with disabling sslv3. Here's my cfg:

 

SOC60D (root) # show vpn ssl settings
config vpn ssl settings
    set sslv3 disable
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set tunnel-ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
    set port 10443
    set source-interface "wifi"
    set source-address "all"
    set source-address6 "all"
    set default-portal "default"
end

To test, it's quite simple:

 

You first need to ensure that tlsv1 is enabled on that port. I would use a unix curl-like program, available on Linux, Mac OS X or most other unixes:

 

 

curl -k -3 https://1.1.1.1:10443   # -3 forces SSLv3 only
curl -k -2 https://1.1.1.1:10443   # -2 forces SSLv2 only
curl -k -1 https://1.1.1.1:10443   # -1 forces TLSv1 only

 

Then you can test with the client. Alternatively, you can test with the "curl" above or via a TLSv1.x-only enabled browser; the choice is up to you. But if you can hit the portal at TLS1.x and the FortiClient can't, then it is always the lack of TLS being enabled in the client.

 

BTW I'm using 5.2.3.370 on Mac OS X and it's strong and good:

 

20150317 21:17:18.959 [sslvpn:INFO] unknown:0 [xml config]: GET /remote/fortisslvpn_xml ... (received 668 bytes):
HTTP/1.1 200 OK
Date: Tue, 17 Mar 2015 20:17:09 GMT
Set-Cookie: SVPNCOOKIE=CRkqc6/CvXoOJqh/wUoYtODK4RjBXJ5E2E1pYZ9dxwt8g3OhaqgfCRR3PdirJe6P%0aGR2joncgMQL2B3evrYDLyFFxjq284KeOtpAKPTWJV+2jtCpMz1y31js4ab+dTs5Q%0aMHPGy0OCPgo/mS9PlYsDJZJGziSJepz5BAClrux5DgE=%0a; path=/; secure; httponly
Transfer-Encoding: chunked
Content-Type: text/xml
X-Frame-Options: SAMEORIGIN

<?xml version='1.0' encoding='utf-8'?><sslvpn-tunnel ver='1'><fos platform='FWF60D' major='5' minor='02' patch='2' build='0642' branch='642' /><client-config save-password='off' keep-alive='off' auto-connect='off' /><ipv4></ipv4><idle-timeout val='300' /><auth-timeout val='28800' /></sslvpn-tunnel>
----
20150317 21:17:18.965 [sslvpn:INFO] unknown:0 dns suffix:
20150317 21:17:18.969 [sslvpn:INFO] unknown:0 epctrl ping server:
20150317 21:17:18.972 [sslvpn:DEBG] unknown:0 PPP
20150317 21:17:18.975 [sslvpn:INFO] unknown:0 begin io loop
20150317 21:17:18.978 [sslvpn:INFO] unknown:0 launch ssl read thread
20150317 21:17:18.981 [sslvpn:INFO] unknown:0 launch tty read thread
20150317 21:17:18.981 [sslvpn:INFO] unknown:0 ssl read thread started
20150317 21:17:18.983 [sslvpn:INFO] unknown:0 main thread waiting for threads termination
20150317 21:17:18.983 [sslvpn:INFO] unknown:0 ssl write thread started
20150317 21:17:18.983 [sslvpn:INFO] unknown:0 tty read thread started
20150317 21:17:18.987 [sslvpn:INFO] unknown:0 tty write thread started
20150317 21:17:18.987 [sslvpn:DEBG] unknown:0 begin to write to ssl
20150317 21:17:19.030 [sslvpn:INFO] unknown:0 got peer's ip address
20150317 21:17:19.987 [sslvpn:INFO] unknown:0 ppp interface is up
20150317 21:17:19.996 [sslvpn:INFO] unknown:0 Current dns 0: 10.10.80.1
20150317 21:17:21.005 [sslvpn:INFO] unknown:0 try to get ppp's ip address 10.212.134.1
20150317 21:17:21.011 [sslvpn:INFO] unknown:0 No split tunnel is specified
20150317 21:17:21.019 [sslvpn:INFO] unknown:0 no dns configured on fgt, keep current dns, ret = 0
20150317 21:17:21.029 [sslvpn:INFO] unknown:0 ppp address: 10.212.134.1
20150317 21:17:21.036 [sslvpn:INFO] unknown:0 sending sslvpn up message to vpn controller. ping server is  allow_save_password:0 allow_keep_alive:0 allow_auto_connect:0

And to add:

 

SSL negotiation should always take the higher version if the client is enabled. So TLSv1.2 over v1.1 over sslv3, and please don't use sslv2. You can use the following debug:

 

diag debug app sslvpnd -1

 

And monitor the connection output:

 

[17121:root:43]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

Ken

 

PCNSE 

NSE 

StrongSwan  
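The per-version curl checks above, automated as a small probe. This is an added example, not code from the thread or from Fortinet; it uses Python's ssl module, and the 1.1.1.1:10443 target in the docstring is the thread's placeholder address, not a real host.

```python
"""Probe an SSL VPN listener once per protocol version and flag weak ones.
Added example (not the thread's or Fortinet's code); it mirrors curl -3/-2/-1
with Python's ssl module. Usage: scan("1.1.1.1", 10443) -> dict of findings."""
import socket
import ssl

# Strongest first, so the first accepted entry is the best the server offers.
VERSIONS = [
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("SSLv3", ssl.TLSVersion.SSLv3),
]
WEAK = {"SSLv3", "TLSv1.0"}  # the versions the thread wants switched off

def probe(host, port, version, timeout=5.0):
    """One handshake pinned to exactly `version`. Returns 'accepted',
    'rejected' (server refused it), 'unsupported' (local OpenSSL will not
    even offer it, the usual case for SSLv3 today) or 'unreachable'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # like curl -k: we are testing the
    ctx.verify_mode = ssl.CERT_NONE  # protocol, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:               # OpenSSL built without this version
        return "unsupported"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError as err:
        # OpenSSL's security level can block TLS1.0/1.1 before any packet is sent.
        if "NO_PROTOCOLS_AVAILABLE" in str(err):
            return "unsupported"
        return "rejected"
    except OSError:
        return "unreachable"

def classify(results):
    """Turn {version: outcome} into the findings a defender acts on."""
    accepted = [n for n, _ in VERSIONS if results.get(n) == "accepted"]
    weak_accepted = sorted(v for v in accepted if v in WEAK)
    best = accepted[0] if accepted else None
    return {"best": best, "weak_accepted": weak_accepted,
            "ok": best is not None and not weak_accepted}

def scan(host, port):
    """Probe every version in VERSIONS and classify the result."""
    return classify({n: probe(host, port, v) for n, v in VERSIONS})
```

A run against a listener that has `set sslv3 disable` and the TLS versions enabled should report `weak_accepted` containing only `TLSv1.0` (or nothing once that is disabled too).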
PaulM1114
New Contributor III

I've made a little progress...

I enabled tlsv1.0 and was able to connect.  When I disable it I cannot connect.

Change_Me # get vpn ssl settings
sslvpn-enable       : enable
sslv3               : disable
tlsv1-0             : enable
tlsv1-1             : enable
tlsv1-2             : enable

However, I do not want to use TLS 1.0 because it suffers from CBC chaining attacks, so I would like to use TLS 1.1 or 1.2.

How can I force FortiClient to connect using TLS 1.1 or 1.2?

 

Thanks,

 

Paul

 

emnoc
Esteemed Contributor III

Delete the other 2 that you don't require and retest.

 

TLSv1.X was included in the 5 code train, so I believe tlsv1.0 should be okay unless you have some type of CVE to reference.

 

Just test using a browser or curl after and before starting the FortiClient. You should really diag debug the application sslvpnd, and I betcha your FortiClient is always selecting the higher proposal regardless. If you're running the latest 5.2.X FortiClient, it should always support tls1.2 as the 1st pickings from my own testing with macOS and Windows. I can't speak of Linux.

 

I would be careful with disabling the other proposal if you have any older forticlient installed.

 

ken

PCNSE 

NSE 

StrongSwan  
PaulM1114
New Contributor III

Thank you for your assistance!  I don't have a CVE specific to CBC weakness, but I've read about it on several forums, for example http://crypto.stackexchan...cbc-in-ssl-be-attacked

 

Here's the output from an SSLVPN debug I ran a couple of days ago while attempting to VPN in with both sslv3 and tls1.0 disabled in the FortiGate SSL VPN settings. So only TLS1.1 and TLS1.2 are enabled. Should it matter that I am using a Windows XP computer to test with?

2015-03-16 19:46:34 [3957:root]SSL state:before/accept initialization (172.16.5.82)
2015-03-16 19:46:34 [3957:root]SSL state:SSLv2/v3 read client hello A:(null)(172.16.5.82)
2015-03-16 19:46:34 [3957:root]SSL_accept failed, 1:unknown protocol
2015-03-16 19:46:34 [3957:root]Destroy sconn 0x3106a600, connSize=0.
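The sslvpnd debug lines quoted in this thread (the "SSL established: TLSv1.2 ..." line earlier and the "SSL_accept failed" sequence above) are enough to inventory which protocol each client actually negotiates before a version is turned off. The following is an added example, not code from the thread or from Fortinet; SAMPLE is constructed to mimic those two line shapes, and the IPs in it are made up.

```python
"""Summarise 'diag debug app sslvpnd -1' output before disabling a protocol.
Added example, not the thread's or Fortinet's code. SAMPLE is constructed from
the line shapes seen in the thread; sessions are correlated by the [pid:vdom] tag."""
import re
from collections import defaultdict

SAMPLE = """\
2015-03-16 19:46:34 [3957:root]SSL state:before/accept initialization (172.16.5.82)
2015-03-16 19:46:34 [3957:root]SSL state:SSLv2/v3 read client hello A:(null)(172.16.5.82)
2015-03-16 19:46:34 [3957:root]SSL_accept failed, 1:unknown protocol
2015-03-16 19:47:02 [3958:root]SSL state:before/accept initialization (172.16.5.90)
2015-03-16 19:47:02 [3958:root]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
2015-03-16 19:47:40 [3959:root]SSL state:before/accept initialization (172.16.5.82)
2015-03-16 19:47:40 [3959:root]SSL established: TLSv1 AES256-SHA
"""

TAG = re.compile(r"\[(\d+:\w+(?::\d+)?)\]")  # [3957:root] or [17121:root:43]
STATE_IP = re.compile(r"SSL state:.*\((\d+\.\d+\.\d+\.\d+)\)\s*$")
ESTABLISHED = re.compile(r"SSL established: (\S+) (\S+)")
FAILED = re.compile(r"SSL_accept failed, (.+)$")
WEAK = {"SSLv3", "TLSv1"}  # OpenSSL's names for SSL 3.0 and TLS 1.0

def parse_sslvpnd(text):
    """Return (established, failed): ip -> set of (proto, cipher) and
    ip -> list of SSL_accept errors. A session's IP is taken from its
    'SSL state' line and remembered under the session tag."""
    ip_by_tag, established, failed = {}, defaultdict(set), defaultdict(list)
    for line in text.splitlines():
        tag = TAG.search(line)
        if not tag:
            continue
        key = tag.group(1)
        state = STATE_IP.search(line)
        if state:
            ip_by_tag[key] = state.group(1)
        ip = ip_by_tag.get(key, "unknown")
        hit = ESTABLISHED.search(line)
        if hit:
            established[ip].add((hit.group(1), hit.group(2)))
        fail = FAILED.search(line)
        if fail:
            failed[ip].append(fail.group(1))
    return dict(established), dict(failed)

def clients_at_risk(established, failed):
    """IPs that would break if SSLv3/TLS1.0 were disabled, and IPs whose
    hello the FortiGate already refuses (an old client, as in this thread)."""
    weak = sorted(ip for ip, s in established.items() if any(p in WEAK for p, _ in s))
    return {"weak": weak, "failing": sorted(failed)}
```

Run it over a capture taken while TLS 1.0 is still enabled; any address listed under "weak" is a client that needs updating before the version is switched off.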

emnoc
Esteemed Contributor III

I don't know, but I would use curl or a similar client that allows you to test using just the protocol(s) that you have enabled. I believe curl was supported in a 3rd party package for Windows. Worst case, you could fumble around with the about:config or equal and manipulate the browser to support just only the one protocol and test the web portal if enabled.

 

Alternatively, you can enable this style of testing with openssl,

 

e.g.

openssl s_client -tls1 -connect www.wwt.com:443

 

This is good for a quick test and to see what ciphers are being used between client and server.

 

 

On the FCclient, I do not recall any XML parameter that specifically specifies one protocol over another. The client should negotiate a mutually supported protocol with what's enabled on the FortiGate. I'm sure someone would correct me if this is still not the case.

 

What version of  FCclient are you using? I'm going to conduct my own follow up testing with the 5.2.3.370 version and a Fortigate running 5.2 and see what happens. Stay tuned.

 

 

I hope this helps

PCNSE 

NSE 

StrongSwan  
PaulM1114
New Contributor III

I am not using a browser, I am using the SSL VPN client built into FortiClient 5.2.3.0633.

Unfortunately curl does not work on WindowsXP (something about a kernel32.dll error.)

Anyway, I will install OpenSSL and continue testing.

 

Thanks,

 

Paul

 

PaulM1114
New Contributor III

Using OpenSSL (running on the same WinXP system I've been testing from) I was able to successfully connect to the FortiGate SSL VPN port using TLS 1.1 and 1.2.  So the question is why can't FortiClient 5.2.3.0633 (which is also running on this WinXP laptop) connect using TLS 1.1 or 1.2 to the same FortiGate?

 

Paul

 

b_row
New Contributor

Paul,

 

Windows XP with Internet Explorer 8.0 does not support TLS 1.1 and 1.2; only Windows 7 and higher support them. Validate in Control Panel > Internet Options > Advanced, because you will not find support for TLS 1.1 and TLS 1.2 on Windows XP stations.

 

Hope this helps

PaulM1114
New Contributor III

Although I have Internet Explorer 8 installed on my Windows XP laptop I am not using Internet Explorer for SSL VPN.

I am using FortiClient 5.2.3.0633.

 

Thanks,

 

Paul

jaustgen

PaulM1114 wrote:

Although I have Internet Explorer 8 installed on my Windows XP laptop I am not using Internet Explorer for SSL VPN.

I am using FortiClient 5.2.3.0633.

 

The Fortinet client uses Internet Explorer's settings for SSL/TLS. Although these settings are in the IE settings window, they are actually intended to be the settings for all of Windows, and most programs (but not Firefox) will follow IE's settings. If you enable TLS 1.1 and 1.2 in IE settings, they will be enabled for FortiClient as well.

 

Since you are on IE8, these settings are not available, as TLS 1.1 and 1.2 support was not added until IE9.

Since you are on XP, you cannot upgrade past IE8, so you are out of luck.  You will need to upgrade your OS, or allow TLS 1.0 connections on your Fortigate.  
