I have a 100D running 5.4.8 with an HTTPS type virtual server VIP, and https://www.ssllabs.com/ssltest/analyze.html is marking the site in question as vulnerable to ROBOT (Return of Bleichenbacher's Oracle Threat) attack. The VIP settings are currently set as follows:
set ssl-mode full set ssl-dh-bits 2048 set ssl-algorithm high set ssl-server-algorithm client set ssl-pfs allow set ssl-min-version tls-1.0 set ssl-max-version tls-1.2 set ssl-server-min-version client set ssl-server-max-version client set ssl-send-empty-frags enable set ssl-client-fallback enable set ssl-client-renegotiation secure set ssl-client-session-state-type both set ssl-client-session-state-timeout 30 set ssl-client-session-state-max 1000 set ssl-server-session-state-type both set ssl-server-session-state-timeout 60 set ssl-server-session-state-max 100
Fortinet's official advisory is that FortiOS is not affected ( https://fortiguard.com/psirt/FG-IR-17-302%20 ) - is this a false positive on the part of SSLLabs, or is it true, and if yes, what can be done to mitigate it?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
did you open a ticket with support? in principle it seems RSA ciphers are vulnerable and those are offered with a normal virtual server.
mitigation is possible to selecting non RSA ciphers
config firewall vip edit "vsrv-name" … … set ssl-algorithm custom config ssl-cipher-suites edit 1 set cipher TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA next edit 2 set cipher TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256 next edit 3 set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 next edit 4 set cipher TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA next edit 5 set cipher TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384 next edit 6 set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 next edit 7 set cipher TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA next edit 8 set cipher TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 next edit 9 set cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 next edit 10 set cipher TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 next edit 11 set cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 next edit 12 set cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA next edit 13 set cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA next edit 14 set cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 next edit 15 set cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 next edit 16 set cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 next edit 17 set cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 next end ssl-client-renegotiation secure next end
gets you a A on ssl labs
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1546 | |
1030 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.