Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
netwrkr
New Contributor

SSL/TLS Full Inspection - permissible cipher suites

Same setup as my last post --

 

Fortigate running with full SSL/TLS inspection.

 

How do we limit the cipher suites the Fortigate accepts from the web servers it connects to? 

 

In the current, default configuration, the Fortigate accepts quite a few undesirable combinations including:

 

DES, RC4, SHA, MD5.

 

Why would a security product, produced in the last decade, EVER allow the likes of DES? 

 

How do you change what the Fortigate accepts to a much stronger cipher suite?

 

Thanks.

Tom

 

PS.  If you want to check it yourself, turn on full SSL inpsection and head to https://howsmyssl.com

 

 

2 Solutions
AndreaSoliva
Contributor III

Hi all

 

as I was reading this post I was quit confiused because the direction goes to "how to prevent the FGT to use some cipher to access som webservers which support none secure ciphers etc. ". Special the use of strong-crypto was confiusing me because this direction is completly false from my point of view. This means if you use strong-crypto it influence as the CLI is mentioning:

 

Enable to use strong encryption and only allow

strong ciphers (AES, 3DES) and digest (SHA1) for

HTTPS/SSH admin access.

When strong encryption is enabled, HTTPS is

supported by the following web browsers: Netscape

7.2, Netscape 8.0, Firefox, and Microsoft Internet

Explorer 7.0 (beta).

Note that Microsoft Internet Explorer 5.0 and 6.0 are

not supported in strong encryption.

 

This means this options is HTTPS/SSH "ADMIN" based nothing else. This can be also tested:

 

Use cipherscan to a admin interface HTTPS (https://github.com/jvehent/cipherscan)

 

# /opt/scripts/cipherscan 198.18.0.1:8443       custom openssl not executable, falling back to system one from /bin/openssl       .................................       Target: 198.18.0.1:8443             prio  ciphersuite                  protocols        pfs                      curves       1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2          ECDH,prime256v1,256bits  prime256v1       2     ECDHE-RSA-AES256-SHA384      TLSv1.2          ECDH,prime256v1,256bits  prime256v1       3     ECDHE-RSA-AES256-SHA         TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1       4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2          DH,1024bits              None       5     DHE-RSA-AES256-SHA256        TLSv1.2          DH,1024bits              None       6     DHE-RSA-AES256-SHA           TLSv1.1,TLSv1.2  DH,1024bits              None       7     DHE-RSA-CAMELLIA256-SHA      TLSv1.1,TLSv1.2  DH,1024bits              None       8     AES256-GCM-SHA384            TLSv1.2          None                     None       9     AES256-SHA256                TLSv1.2          None                     None       10    AES256-SHA                   TLSv1.1,TLSv1.2  None                     None       11    CAMELLIA256-SHA              TLSv1.1,TLSv1.2  None                     None       12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2          ECDH,prime256v1,256bits  prime256v1       13    ECDHE-RSA-AES128-SHA256      TLSv1.2          ECDH,prime256v1,256bits  prime256v1       14    ECDHE-RSA-AES128-SHA         TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1       15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2          DH,1024bits              None       16    DHE-RSA-AES128-SHA256        TLSv1.2          DH,1024bits              None       17    DHE-RSA-AES128-SHA           TLSv1.1,TLSv1.2  DH,1024bits              None       18    ECDHE-RSA-DES-CBC3-SHA       TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1       19    DHE-RSA-SEED-SHA             TLSv1.1,TLSv1.2  DH,1024bits              None       20    DHE-RSA-CAMELLIA128-SHA      TLSv1.1,TLSv1.2  DH,1024bits              None       21    EDH-RSA-DES-CBC3-SHA         TLSv1.1,TLSv1.2  DH,1024bits              None       22    AES128-GCM-SHA256            TLSv1.2          None                     None       23    AES128-SHA256                TLSv1.2          None                     None       24    AES128-SHA                   TLSv1.1,TLSv1.2  None                     None       25    SEED-SHA                     TLSv1.1,TLSv1.2  None                     None       26    CAMELLIA128-SHA              TLSv1.1,TLSv1.2  None                     None       27    DES-CBC3-SHA                 TLSv1.1,TLSv1.2  None                     None       28    ECDHE-RSA-RC4-SHA            TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1       29    RC4-SHA                      TLSv1.1,TLSv1.2  None                     None       30    RC4-MD5                      TLSv1.1,TLSv1.2  None                     None       31    EDH-RSA-DES-CBC-SHA          TLSv1.1,TLSv1.2  DH,1024bits              None       32    DES-CBC-SHA                  TLSv1.1,TLSv1.2  None                     None             Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature       TLS ticket lifetime hint: 300       OCSP stapling: not supported       Cipher ordering: client

 

Allow only TLS 1.2:

 

       # config system global        # set admin-https-ssl-versions tlsv1-2        # end

 

Check again the config:

 

# /opt/scripts/cipherscan 198.18.0.1:8443        custom openssl not executable, falling back to system one from /bin/openssl        .................................        Target: 198.18.0.1:8443               prio  ciphersuite                  protocols  pfs                      curves        1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2    ECDH,prime256v1,256bits  prime256v1        2     ECDHE-RSA-AES256-SHA384      TLSv1.2    ECDH,prime256v1,256bits  prime256v1        3     ECDHE-RSA-AES256-SHA         TLSv1.2    ECDH,prime256v1,256bits  prime256v1        4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2    DH,1024bits              None        5     DHE-RSA-AES256-SHA256        TLSv1.2    DH,1024bits              None        6     DHE-RSA-AES256-SHA           TLSv1.2    DH,1024bits              None        7     DHE-RSA-CAMELLIA256-SHA      TLSv1.2    DH,1024bits              None        8     AES256-GCM-SHA384            TLSv1.2    None                     None        9     AES256-SHA256                TLSv1.2    None                     None        10    AES256-SHA                   TLSv1.2    None                     None        11    CAMELLIA256-SHA              TLSv1.2    None                     None        12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2    ECDH,prime256v1,256bits  prime256v1        13    ECDHE-RSA-AES128-SHA256      TLSv1.2    ECDH,prime256v1,256bits  prime256v1        14    ECDHE-RSA-AES128-SHA         TLSv1.2    ECDH,prime256v1,256bits  prime256v1        15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2    DH,1024bits              None        16    DHE-RSA-AES128-SHA256        TLSv1.2    DH,1024bits              None        17    DHE-RSA-AES128-SHA           TLSv1.2    DH,1024bits              None        18    ECDHE-RSA-DES-CBC3-SHA       TLSv1.2    ECDH,prime256v1,256bits  prime256v1        19    DHE-RSA-SEED-SHA             TLSv1.2    DH,1024bits              None        20    DHE-RSA-CAMELLIA128-SHA      TLSv1.2    DH,1024bits              None        21    EDH-RSA-DES-CBC3-SHA         TLSv1.2    DH,1024bits              None        22    AES128-GCM-SHA256            TLSv1.2    None                     None        23    AES128-SHA256                TLSv1.2    None                     None        24    AES128-SHA                   TLSv1.2    None                     None        25    SEED-SHA                     TLSv1.2    None                     None        26    CAMELLIA128-SHA              TLSv1.2    None                     None        27    DES-CBC3-SHA                 TLSv1.2    None                     None        28    ECDHE-RSA-RC4-SHA            TLSv1.2    ECDH,prime256v1,256bits  prime256v1        29    RC4-SHA                      TLSv1.2    None                     None        30    RC4-MD5                      TLSv1.2    None                     None        31    EDH-RSA-DES-CBC-SHA          TLSv1.2    DH,1024bits              None        32    DES-CBC-SHA                  TLSv1.2    None                     None               Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature        TLS ticket lifetime hint: 300        OCSP stapling: not supported        Cipher ordering: client

 

Check if unsecure ciphers are supported even above is shown :)

 

# openssl s_client -connect 198.18.0.1:8443 -cipher "DES"        CONNECTED(00000003)        depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com        verify error:num=19:self signed certificate in certificate chain        verify return:0        ---        Certificate chain         0 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=FortiGate/CN=FG300C3913601712/emailAddress=support@fortinet.com           i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com         1 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com           i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com        ---        Server certificate        -----BEGIN CERTIFICATE-----        MIIDRTCCAi2gAwIBAgIDC9W6MA0GCSqGSIb3DQEBBQUAMIGgMQswCQYDVQQGEwJV        UzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREwDwYD        VQQKEwhGb3J0aW5ldDEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRAw        DgYDVQQDEwdzdXBwb3J0MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0        LmNvbTAeFw0xMzAzMDUwMjAyMzFaFw0zODAxMTkwMzE0MDdaMIGdMQswCQYDVQQG        EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREw        DwYDVQQKEwhGb3J0aW5ldDESMBAGA1UECxMJRm9ydGlHYXRlMRkwFwYDVQQDExBG        RzMwMEMzOTEzNjAxNzEyMSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0        LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvbxgu84VKi3SL78ZpAdB        5yaqOQfNf44KFwxFAqk94D8vjcNi0i0igSVdNZD80hRJUqbkVprgAaOPG4BvnadN        2LIB0S1ajvjJfOctdfstpiVYRU2W3i5sjqkoRLyn1Vy0olZ3MVQMZUP0saPqQPnF        vrBSwDJ/CJ31mMMyyIP+JncCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0B        AQUFAAOCAQEANb9WMN1Tedd+qvQuYvtjCJm5XEgWuQNG3LfSsHFU7ZB2Sjybj39/        cfzHZuFdUtib6QPO1AuOvWyXZwIK8bcx6eFxoq7Ox6rTJVgJkw9XxoUbC2s2Du/o        CtfPNc5cJJ/Xjlmufr3mNUT+26kG1RG1E8+QViTsRzwT/L9+SIX4KDvqUaZI+gqj        6VSgVD2EkUK2OtHS1CvtFsCbVpwBTmcKErjPcnUl1RyvWoBtMLDbHOc09r/joJoS        ruKoDlXKinkPMDeuazIR3JFYj40V3+OXXlSoc1H1DuXKKyZsZXFp9gKfoQXAllkO        qlBsAiyXAsieWQsQoiAyyAyNpp8zGgIKxA==        -----END CERTIFICATE-----        subject=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=FortiGate/CN=FG300C3913601712/emailAddress=support@fortinet.com        issuer=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com        ---        No client certificate CA names sent        Server Temp Key: DH, 1024 bits        ---        SSL handshake has read 2394 bytes and written 271 bytes        ---        New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC-SHA        Server public key is 1024 bit        Secure Renegotiation IS supported        Compression: NONE        Expansion: NONE        SSL-Session:            Protocol  : TLSv1.2            Cipher    : EDH-RSA-DES-CBC-SHA            Session-ID: F4B05A8E17FE406186242860D92EC90B9FF09EE731FE2C9DC3CE3B0EB57D50DC            Session-ID-ctx:            Master-Key: 36EDD661CE7E6688395FF8FF1F76349A1E7054F62EE4D55590A24BB1C15B6FDF9EC3B3B92A7ECF3731424F4F5D9C3626            Key-Arg   : None            Krb5 Principal: None            PSK identity: None            PSK identity hint: None            Start Time: 1435042817            Timeout   : 300 (sec)            Verify return code: 19 (self signed certificate in certificate chain)        ---

 

Followin ciphers should be prevented to be used:

 

 aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA

 

To prevent enable strong-crypto:

 

       # config system global        # set strong-crypto enable        # end

 

 

Check config if config was successful:

 

       # /opt/scripts/cipherscan 198.18.0.1:8443        custom openssl not executable, falling back to system one from /bin/openssl        ................        Target: 198.18.0.1:8443               prio  ciphersuite                  protocols  pfs                      curves        1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2    ECDH,prime256v1,256bits  prime256v1        2     ECDHE-RSA-AES256-SHA384      TLSv1.2    ECDH,prime256v1,256bits  prime256v1        3     ECDHE-RSA-AES256-SHA         TLSv1.2    ECDH,prime256v1,256bits  prime256v1        4     DHE-RSA-AES256-SHA256        TLSv1.2    DH,1024bits              None        5     DHE-RSA-AES256-SHA           TLSv1.2    DH,1024bits              None        6     AES256-SHA256                TLSv1.2    None                     None        7     AES256-SHA                   TLSv1.2    None                     None        8     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2    ECDH,prime256v1,256bits  prime256v1        9     ECDHE-RSA-AES128-SHA256      TLSv1.2    ECDH,prime256v1,256bits  prime256v1        10    ECDHE-RSA-AES128-SHA         TLSv1.2    ECDH,prime256v1,256bits  prime256v1        11    DHE-RSA-AES128-GCM-SHA256    TLSv1.2    DH,1024bits              None        12    DHE-RSA-AES128-SHA256        TLSv1.2    DH,1024bits              None        13    DHE-RSA-AES128-SHA           TLSv1.2    DH,1024bits              None        14    AES128-SHA256                TLSv1.2    None                     None        15    AES128-SHA                   TLSv1.2    None                     None               Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature        TLS ticket lifetime hint: 300        OCSP stapling: not supported        Cipher ordering: client

 

Check if as example DES is supported:

 

       # openssl s_client -connect 198.18.0.1:8443 -cipher "DES"        CONNECTED(00000003)        140357317728160:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:        ---        no peer certificate available        ---        No client certificate CA names sent        ---        SSL handshake has read 7 bytes and written 73 bytes        ---        New, (NONE), Cipher is (NONE)        Secure Renegotiation IS NOT supported        Compression: NONE        Expansion: NONE

 

Check all at once RC4 if unsecure are supported:

 

#  for i in `openssl ciphers -v 'RC4' | awk '{print $1}'`; do echo -ne "$i\t" ;   echo |  openssl s_client -connect [FQDN des Hosts oder IPv4]:443 -cipher "$i" 2>&1 | grep New; done             ECDHE-RSA-RC4-SHA New, (NONE), Cipher is (NONE)             ECDHE-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE)             AECDH-RC4-SHA New, (NONE), Cipher is (NONE)             ADH-RC4-MD5 New, (NONE), Cipher is (NONE)             ECDH-RSA-RC4-SHA New, (NONE), Cipher is (NONE)             ECDH-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE)             RC4-SHA New, (NONE), Cipher is (NONE)             RC4-MD5 New, (NONE), Cipher is (NONE)

 

 

If you want you can use the same for SSL-VPN which means:

 

Default is:

       sslv2               : disable        sslv3               : enable        tlsv1-0             : enable        tlsv1-1             : enable        tlsv1-2             : enable        algorithm           : default

 

Default uses following:

 

       # /opt/scripts/cipherscan 198.18.0.1:443            custom openssl not executable, falling back to system one from /bin/openssl        ...............................        Target: 198.18.0.1:443               prio  ciphersuite                  protocols                    pfs                      curves        1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,prime256v1,256bits  prime256v1        2     ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,prime256v1,256bits  prime256v1        3     ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1        4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                      DH,1024bits              None        5     DHE-RSA-AES256-SHA256        TLSv1.2                      DH,1024bits              None        6     DHE-RSA-AES256-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        7     DHE-RSA-CAMELLIA256-SHA      SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        8     AES256-GCM-SHA384            TLSv1.2                      None                     None        9     AES256-SHA256                TLSv1.2                      None                     None        10    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        11    CAMELLIA256-SHA              SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,prime256v1,256bits  prime256v1        13    ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,prime256v1,256bits  prime256v1        14    ECDHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1        15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                      DH,1024bits              None        16    DHE-RSA-AES128-SHA256        TLSv1.2                      DH,1024bits              None        17    DHE-RSA-AES128-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        18    DHE-RSA-CAMELLIA128-SHA      SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        19    AES128-GCM-SHA256            TLSv1.2                      None                     None        20    AES128-SHA256                TLSv1.2                      None                     None        21    AES128-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        22    CAMELLIA128-SHA              SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        23    DHE-RSA-SEED-SHA             SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        24    SEED-SHA                     SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        25    ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1        26    RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        27    RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        28    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1        29    EDH-RSA-DES-CBC3-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        30    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None              Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature        TLS ticket lifetime hint: 300        OCSP stapling: not supported        Cipher ordering: server

 

Disable everything except TLS 1.2 as go to high algorithm:

 

       # config vpn ssl settings        # set tlsv1-0 disable        # set tlsv1-1 disable        # set sslv3 disable        # set algorithm high        # end

 

Check again the config:

 

       # /opt/scripts/cipherscan 198.18.0.1:443        custom openssl not executable, falling back to system one from /bin/openssl        ..........................        Target: 198.18.0.1:443               prio  ciphersuite                  protocols  pfs                     curves        1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2    ECDH,secp384r1,384bits  secp384r1        2     ECDHE-RSA-AES256-SHA384      TLSv1.2    ECDH,secp384r1,384bits  secp384r1        3     ECDHE-RSA-AES256-SHA         TLSv1.2    ECDH,secp384r1,384bits  secp384r1        4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2    DH,1024bits             None        5     DHE-RSA-AES256-SHA256        TLSv1.2    DH,1024bits             None        6     DHE-RSA-AES256-SHA           TLSv1.2    DH,1024bits             None        7     DHE-RSA-CAMELLIA256-SHA      TLSv1.2    DH,1024bits             None        8     AES256-GCM-SHA384            TLSv1.2    None                    None        9     AES256-SHA256                TLSv1.2    None                    None        10    AES256-SHA                   TLSv1.2    None                    None        11    CAMELLIA256-SHA              TLSv1.2    None                    None        12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2    ECDH,secp384r1,384bits  secp384r1        13    ECDHE-RSA-AES128-SHA256      TLSv1.2    ECDH,secp384r1,384bits  secp384r1        14    ECDHE-RSA-AES128-SHA         TLSv1.2    ECDH,secp384r1,384bits  secp384r1        15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2    DH,1024bits             None        16    DHE-RSA-AES128-SHA256        TLSv1.2    DH,1024bits             None        17    DHE-RSA-AES128-SHA           TLSv1.2    DH,1024bits             None        18    DHE-RSA-CAMELLIA128-SHA      TLSv1.2    DH,1024bits             None        19    AES128-GCM-SHA256            TLSv1.2    None                    None        20    AES128-SHA256                TLSv1.2    None                    None        21    AES128-SHA                   TLSv1.2    None                    None        22    CAMELLIA128-SHA              TLSv1.2    None                    None        23    ECDHE-RSA-DES-CBC3-SHA       TLSv1.2    ECDH,secp384r1,384bits  secp384r1        24    EDH-RSA-DES-CBC3-SHA         TLSv1.2    DH,1024bits             None        25    DES-CBC3-SHA                 TLSv1.2    None                    None               Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature        TLS ticket lifetime hint: 300        OCSP stapling: not supported        Cipher ordering: server

 

Use for more security not 1024 bit DH increase to higher value:

 

            # config firewall ssl settings             # set ssl-dh-bits [1024 | 1536 | 2048 | 768]             # end

 

Check if unsecure cipher are still supported:

 

       # openssl s_client -connect 198.18.0.1:443 -cipher "RC4"        CONNECTED(00000003)        140687385839520:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:        ---        no peer certificate available        ---        No client certificate CA names sent        ---        SSL handshake has read 7 bytes and written 73 bytes        ---        New, (NONE), Cipher is (NONE)        Secure Renegotiation IS NOT supported        Compression: NONE        Expansion: NONE        ---

 

Check at once if RC4 is supported:

 

            #  for i in `openssl ciphers -v 'RC4' | awk '{print $1}'`; do echo -ne "$i\t" ;   echo |  openssl s_client -connect [FQDN des Hosts oder IPv4]:443 -cipher "$i" 2>&1 | grep New; done             ECDHE-RSA-RC4-SHA New, (NONE), Cipher is (NONE)             ECDHE-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE)             AECDH-RC4-SHA New, (NONE), Cipher is (NONE)             ADH-RC4-MD5 New, (NONE), Cipher is (NONE)             ECDH-RSA-RC4-SHA New, (NONE), Cipher is (NONE)             ECDH-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE)             RC4-SHA New, (NONE), Cipher is (NONE)             RC4-MD5 New, (NONE), Cipher is (NONE)

 

From my point of view there is no configuration which tells the FortiGate in deep-inspection to not use some ciphers etc. This is from my point of view a config which you can full file over the Browser which means deactivating unter option TLS SSL etc. If a webserver is correct configured a fallback to a lower cipher should be not allow. Anyway as more as you increase the security with as an example TLS 1.2 only as with only some ciphers on a Server as more as you will have compatibility issues even it would be from security point of view correct.

 

Finally the option discussed here strong-crypto has nothing to do with the cipers or TLS SSL version the FortiGate uses to access a webserver etc. using deep-inspection. This options influence as the CLI documents the HTTPS SSH Admin access only.

 

hope this helps

 

have fun

 

Andrea

View solution in original post

emnoc
Esteemed Contributor III

Very good points & observations

 

Keep in mind, the  ciphers offered by the webserver is going to be the factor on what's selected and used.There's nothing you can do, that can steer or bypass that (except with a true proxy that conducts ssl inspections ....read more )

 

I don't think the  fortigate is going to stop a client that proxy thru from establishment to a web-site with a small-keys or weak ciphers. A true dedicate  forward proxy ( i.e cisco,  bluecoat , optenet, etc...) & that have SSL/TLS  security features is what's required. I think this is where the OP was hinting at & within these latest posts. The fortigate which is good, is not as secured or security cautious as a full on 3rd party proxy solution , who  has better SSL/TLS inspection and controls.

 

The FGT "SSL inspections" just checks basic security checks which are no or more less than your typical browser. Example a explict proxy might allow you to access a site with expired cert or revoke cert or sslv2 or be effected by sslv3 and poodle vulnerabilities.

 

You will need a proxy that has security feature that inspect and restrict the client from  using  ssl3 just for example, I don't think this is possible within the fortigate ( somebody can correct me if I'm wrong ). Poster networker has brought up 2 posts that should be on the minds of all that uses "just" a  fortigate and with attempts at security enforcement from a web-client.

 

Btw, I like that cipherscan script for cipher testing ;)

 

 

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
11 REPLIES 11
Morten_Marstrander
New Contributor

Hi,

 

I tested this with SSL-deep-inspection behind a Fortigate 1500D running 5.2.3, and I don't get the insecure ciphers you mentioned. See attached screenshot.

NSE 4

NSE 4
hohosecure
New Contributor III

Morten_Marstrander
New Contributor

@HoHo

I suspect that is why we get different results. I have strong-crypto set to enable, and TC does not.

Thanks for clearing that up :)

NSE 4

NSE 4
netwrkr
New Contributor

hrmmm.....I too have strong-crypto enabled and see different results on the https://howsmyssl.com website.  Let me check the browser settings and report back.

netwrkr

I'm stumped.

 

1.  strong-crypto is enabled (has been since we deployed)

 

2.  I disabled every cipher suite in Firefox except the ECDHE-AES128|AES256 ones and the howsmyssl.com site still shows multiple weak cipher suites including DES, 3DES and RC4.

3.  I also checked using the ssllabs.com website.  The results were the same as was reported by howsmyssl.com.

 

To confirm similar configurations my deep inspection profile is as follows



config firewall ssl-ssh-profile
    edit "tls-mitm"
            config ssl
                set inspect-all deep-inspection
                set ssl-ca-list enable
            end
            config https
                set ssl-ca-list enable
            end
            config ftps
            end
            config imaps
            end
            config pop3s
            end
            config smtps
            end
            config ssh
                set ports 22
            end
        set caname "my.ca CA"
        set ssl-invalid-server-cert-log enable
    next
end

emnoc
Esteemed Contributor III

A good Qs and see my last reply to the lock  scenario  in your OCSP thread.

 

I think if you need  proper proetction for a web-browser you need to install a 3rd party and MiTM proxy.

 

ken

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
AndreaSoliva
Contributor III

Hi all

 

as I was reading this post I was quit confiused because the direction goes to "how to prevent the FGT to use some cipher to access som webservers which support none secure ciphers etc. ". Special the use of strong-crypto was confiusing me because this direction is completly false from my point of view. This means if you use strong-crypto it influence as the CLI is mentioning:

 

Enable to use strong encryption and only allow

strong ciphers (AES, 3DES) and digest (SHA1) for

HTTPS/SSH admin access.

When strong encryption is enabled, HTTPS is

supported by the following web browsers: Netscape

7.2, Netscape 8.0, Firefox, and Microsoft Internet

Explorer 7.0 (beta).

Note that Microsoft Internet Explorer 5.0 and 6.0 are

not supported in strong encryption.

 

This means this options is HTTPS/SSH "ADMIN" based nothing else. This can be also tested:

 

Use cipherscan to a admin interface HTTPS (https://github.com/jvehent/cipherscan)

 

# /opt/scripts/cipherscan 198.18.0.1:8443       custom openssl not executable, falling back to system one from /bin/openssl       .................................       Target: 198.18.0.1:8443             prio  ciphersuite                  protocols        pfs                      curves       1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2          ECDH,prime256v1,256bits  prime256v1       2     ECDHE-RSA-AES256-SHA384      TLSv1.2          ECDH,prime256v1,256bits  prime256v1       3     ECDHE-RSA-AES256-SHA         TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1       4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2          DH,1024bits              None       5     DHE-RSA-AES256-SHA256        TLSv1.2          DH,1024bits              None       6     DHE-RSA-AES256-SHA           TLSv1.1,TLSv1.2  DH,1024bits              None       7     DHE-RSA-CAMELLIA256-SHA      TLSv1.1,TLSv1.2  DH,1024bits              None       8     AES256-GCM-SHA384            TLSv1.2          None                     None       9     AES256-SHA256                TLSv1.2          None                     None       10    AES256-SHA                   TLSv1.1,TLSv1.2  None                     None       11    CAMELLIA256-SHA              TLSv1.1,TLSv1.2  None                     None       12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2          ECDH,prime256v1,256bits  prime256v1       13    ECDHE-RSA-AES128-SHA256      TLSv1.2          ECDH,prime256v1,256bits  prime256v1       14    ECDHE-RSA-AES128-SHA         TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1       15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2          DH,1024bits              None       16    DHE-RSA-AES128-SHA256        TLSv1.2          DH,1024bits              None       17    DHE-RSA-AES128-SHA           TLSv1.1,TLSv1.2  DH,1024bits              None       18    ECDHE-RSA-DES-CBC3-SHA       TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1       19    DHE-RSA-SEED-SHA             TLSv1.1,TLSv1.2  DH,1024bits              None       20    DHE-RSA-CAMELLIA128-SHA      TLSv1.1,TLSv1.2  DH,1024bits              None       21    EDH-RSA-DES-CBC3-SHA         TLSv1.1,TLSv1.2  DH,1024bits              None       22    AES128-GCM-SHA256            TLSv1.2          None                     None       23    AES128-SHA256                TLSv1.2          None                     None       24    AES128-SHA                   TLSv1.1,TLSv1.2  None                     None       25    SEED-SHA                     TLSv1.1,TLSv1.2  None                     None       26    CAMELLIA128-SHA              TLSv1.1,TLSv1.2  None                     None       27    DES-CBC3-SHA                 TLSv1.1,TLSv1.2  None                     None       28    ECDHE-RSA-RC4-SHA            TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1       29    RC4-SHA                      TLSv1.1,TLSv1.2  None                     None       30    RC4-MD5                      TLSv1.1,TLSv1.2  None                     None       31    EDH-RSA-DES-CBC-SHA          TLSv1.1,TLSv1.2  DH,1024bits              None       32    DES-CBC-SHA                  TLSv1.1,TLSv1.2  None                     None             Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature       TLS ticket lifetime hint: 300       OCSP stapling: not supported       Cipher ordering: client

 

Allow only TLS 1.2:

 

       # config system global        # set admin-https-ssl-versions tlsv1-2        # end

 

Check again the config:

 

# /opt/scripts/cipherscan 198.18.0.1:8443        custom openssl not executable, falling back to system one from /bin/openssl        .................................        Target: 198.18.0.1:8443               prio  ciphersuite                  protocols  pfs                      curves        1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2    ECDH,prime256v1,256bits  prime256v1        2     ECDHE-RSA-AES256-SHA384      TLSv1.2    ECDH,prime256v1,256bits  prime256v1        3     ECDHE-RSA-AES256-SHA         TLSv1.2    ECDH,prime256v1,256bits  prime256v1        4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2    DH,1024bits              None        5     DHE-RSA-AES256-SHA256        TLSv1.2    DH,1024bits              None        6     DHE-RSA-AES256-SHA           TLSv1.2    DH,1024bits              None        7     DHE-RSA-CAMELLIA256-SHA      TLSv1.2    DH,1024bits              None        8     AES256-GCM-SHA384            TLSv1.2    None                     None        9     AES256-SHA256                TLSv1.2    None                     None        10    AES256-SHA                   TLSv1.2    None                     None        11    CAMELLIA256-SHA              TLSv1.2    None                     None        12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2    ECDH,prime256v1,256bits  prime256v1        13    ECDHE-RSA-AES128-SHA256      TLSv1.2    ECDH,prime256v1,256bits  prime256v1        14    ECDHE-RSA-AES128-SHA         TLSv1.2    ECDH,prime256v1,256bits  prime256v1        15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2    DH,1024bits              None        16    DHE-RSA-AES128-SHA256        TLSv1.2    DH,1024bits              None        17    DHE-RSA-AES128-SHA           TLSv1.2    DH,1024bits              None        18    ECDHE-RSA-DES-CBC3-SHA       TLSv1.2    ECDH,prime256v1,256bits  prime256v1        19    DHE-RSA-SEED-SHA             TLSv1.2    DH,1024bits              None        20    DHE-RSA-CAMELLIA128-SHA      TLSv1.2    DH,1024bits              None        21    EDH-RSA-DES-CBC3-SHA         TLSv1.2    DH,1024bits              None        22    AES128-GCM-SHA256            TLSv1.2    None                     None        23    AES128-SHA256                TLSv1.2    None                     None        24    AES128-SHA                   TLSv1.2    None                     None        25    SEED-SHA                     TLSv1.2    None                     None        26    CAMELLIA128-SHA              TLSv1.2    None                     None        27    DES-CBC3-SHA                 TLSv1.2    None                     None        28    ECDHE-RSA-RC4-SHA            TLSv1.2    ECDH,prime256v1,256bits  prime256v1        29    RC4-SHA                      TLSv1.2    None                     None        30    RC4-MD5                      TLSv1.2    None                     None        31    EDH-RSA-DES-CBC-SHA          TLSv1.2    DH,1024bits              None        32    DES-CBC-SHA                  TLSv1.2    None                     None               Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature        TLS ticket lifetime hint: 300        OCSP stapling: not supported        Cipher ordering: client

 

Check if unsecure ciphers are supported even above is shown :)

 

# openssl s_client -connect 198.18.0.1:8443 -cipher "DES"        CONNECTED(00000003)        depth=1 C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = support, emailAddress = support@fortinet.com        verify error:num=19:self signed certificate in certificate chain        verify return:0        ---        Certificate chain         0 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=FortiGate/CN=FG300C3913601712/emailAddress=support@fortinet.com           i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com         1 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com           i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com        ---        Server certificate        -----BEGIN CERTIFICATE-----        MIIDRTCCAi2gAwIBAgIDC9W6MA0GCSqGSIb3DQEBBQUAMIGgMQswCQYDVQQGEwJV        UzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREwDwYD        VQQKEwhGb3J0aW5ldDEeMBwGA1UECxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRAw        DgYDVQQDEwdzdXBwb3J0MSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0        LmNvbTAeFw0xMzAzMDUwMjAyMzFaFw0zODAxMTkwMzE0MDdaMIGdMQswCQYDVQQG        EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJU3Vubnl2YWxlMREw        DwYDVQQKEwhGb3J0aW5ldDESMBAGA1UECxMJRm9ydGlHYXRlMRkwFwYDVQQDExBG        RzMwMEMzOTEzNjAxNzEyMSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGZvcnRpbmV0        LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvbxgu84VKi3SL78ZpAdB        5yaqOQfNf44KFwxFAqk94D8vjcNi0i0igSVdNZD80hRJUqbkVprgAaOPG4BvnadN        2LIB0S1ajvjJfOctdfstpiVYRU2W3i5sjqkoRLyn1Vy0olZ3MVQMZUP0saPqQPnF        vrBSwDJ/CJ31mMMyyIP+JncCAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0B        AQUFAAOCAQEANb9WMN1Tedd+qvQuYvtjCJm5XEgWuQNG3LfSsHFU7ZB2Sjybj39/        cfzHZuFdUtib6QPO1AuOvWyXZwIK8bcx6eFxoq7Ox6rTJVgJkw9XxoUbC2s2Du/o        CtfPNc5cJJ/Xjlmufr3mNUT+26kG1RG1E8+QViTsRzwT/L9+SIX4KDvqUaZI+gqj        6VSgVD2EkUK2OtHS1CvtFsCbVpwBTmcKErjPcnUl1RyvWoBtMLDbHOc09r/joJoS        ruKoDlXKinkPMDeuazIR3JFYj40V3+OXXlSoc1H1DuXKKyZsZXFp9gKfoQXAllkO        qlBsAiyXAsieWQsQoiAyyAyNpp8zGgIKxA==        -----END CERTIFICATE-----        subject=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=FortiGate/CN=FG300C3913601712/emailAddress=support@fortinet.com        issuer=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com        ---        No client certificate CA names sent        Server Temp Key: DH, 1024 bits        ---        SSL handshake has read 2394 bytes and written 271 bytes        ---        New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC-SHA        Server public key is 1024 bit        Secure Renegotiation IS supported        Compression: NONE        Expansion: NONE        SSL-Session:            Protocol  : TLSv1.2            Cipher    : EDH-RSA-DES-CBC-SHA            Session-ID: F4B05A8E17FE406186242860D92EC90B9FF09EE731FE2C9DC3CE3B0EB57D50DC            Session-ID-ctx:            Master-Key: 36EDD661CE7E6688395FF8FF1F76349A1E7054F62EE4D55590A24BB1C15B6FDF9EC3B3B92A7ECF3731424F4F5D9C3626            Key-Arg   : None            Krb5 Principal: None            PSK identity: None            PSK identity hint: None            Start Time: 1435042817            Timeout   : 300 (sec)            Verify return code: 19 (self signed certificate in certificate chain)        ---

 

Followin ciphers should be prevented to be used:

 

 aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA

 

To prevent enable strong-crypto:

 

       # config system global        # set strong-crypto enable        # end

 

 

Check config if config was successful:

 

       # /opt/scripts/cipherscan 198.18.0.1:8443        custom openssl not executable, falling back to system one from /bin/openssl        ................        Target: 198.18.0.1:8443               prio  ciphersuite                  protocols  pfs                      curves        1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2    ECDH,prime256v1,256bits  prime256v1        2     ECDHE-RSA-AES256-SHA384      TLSv1.2    ECDH,prime256v1,256bits  prime256v1        3     ECDHE-RSA-AES256-SHA         TLSv1.2    ECDH,prime256v1,256bits  prime256v1        4     DHE-RSA-AES256-SHA256        TLSv1.2    DH,1024bits              None        5     DHE-RSA-AES256-SHA           TLSv1.2    DH,1024bits              None        6     AES256-SHA256                TLSv1.2    None                     None        7     AES256-SHA                   TLSv1.2    None                     None        8     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2    ECDH,prime256v1,256bits  prime256v1        9     ECDHE-RSA-AES128-SHA256      TLSv1.2    ECDH,prime256v1,256bits  prime256v1        10    ECDHE-RSA-AES128-SHA         TLSv1.2    ECDH,prime256v1,256bits  prime256v1        11    DHE-RSA-AES128-GCM-SHA256    TLSv1.2    DH,1024bits              None        12    DHE-RSA-AES128-SHA256        TLSv1.2    DH,1024bits              None        13    DHE-RSA-AES128-SHA           TLSv1.2    DH,1024bits              None        14    AES128-SHA256                TLSv1.2    None                     None        15    AES128-SHA                   TLSv1.2    None                     None               Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature        TLS ticket lifetime hint: 300        OCSP stapling: not supported        Cipher ordering: client

 

Check if as example DES is supported:

 

       # openssl s_client -connect 198.18.0.1:8443 -cipher "DES"        CONNECTED(00000003)        140357317728160:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:        ---        no peer certificate available        ---        No client certificate CA names sent        ---        SSL handshake has read 7 bytes and written 73 bytes        ---        New, (NONE), Cipher is (NONE)        Secure Renegotiation IS NOT supported        Compression: NONE        Expansion: NONE

 

Check all at once RC4 if unsecure are supported:

 

#  for i in `openssl ciphers -v 'RC4' | awk '{print $1}'`; do echo -ne "$i\t" ;   echo |  openssl s_client -connect [FQDN des Hosts oder IPv4]:443 -cipher "$i" 2>&1 | grep New; done             ECDHE-RSA-RC4-SHA New, (NONE), Cipher is (NONE)             ECDHE-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE)             AECDH-RC4-SHA New, (NONE), Cipher is (NONE)             ADH-RC4-MD5 New, (NONE), Cipher is (NONE)             ECDH-RSA-RC4-SHA New, (NONE), Cipher is (NONE)             ECDH-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE)             RC4-SHA New, (NONE), Cipher is (NONE)             RC4-MD5 New, (NONE), Cipher is (NONE)

 

 

If you want you can use the same for SSL-VPN which means:

 

Default is:

       sslv2               : disable        sslv3               : enable        tlsv1-0             : enable        tlsv1-1             : enable        tlsv1-2             : enable        algorithm           : default

 

Default uses following:

 

       # /opt/scripts/cipherscan 198.18.0.1:443            custom openssl not executable, falling back to system one from /bin/openssl        ...............................        Target: 198.18.0.1:443               prio  ciphersuite                  protocols                    pfs                      curves        1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,prime256v1,256bits  prime256v1        2     ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,prime256v1,256bits  prime256v1        3     ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1        4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                      DH,1024bits              None        5     DHE-RSA-AES256-SHA256        TLSv1.2                      DH,1024bits              None        6     DHE-RSA-AES256-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        7     DHE-RSA-CAMELLIA256-SHA      SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        8     AES256-GCM-SHA384            TLSv1.2                      None                     None        9     AES256-SHA256                TLSv1.2                      None                     None        10    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        11    CAMELLIA256-SHA              SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,prime256v1,256bits  prime256v1        13    ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,prime256v1,256bits  prime256v1        14    ECDHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1        15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                      DH,1024bits              None        16    DHE-RSA-AES128-SHA256        TLSv1.2                      DH,1024bits              None        17    DHE-RSA-AES128-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        18    DHE-RSA-CAMELLIA128-SHA      SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        19    AES128-GCM-SHA256            TLSv1.2                      None                     None        20    AES128-SHA256                TLSv1.2                      None                     None        21    AES128-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        22    CAMELLIA128-SHA              SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        23    DHE-RSA-SEED-SHA             SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        24    SEED-SHA                     SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        25    ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1        26    RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        27    RC4-MD5                      SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None        28    ECDHE-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,prime256v1,256bits  prime256v1        29    EDH-RSA-DES-CBC3-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits              None        30    DES-CBC3-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  None                     None              Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature        TLS ticket lifetime hint: 300        OCSP stapling: not supported        Cipher ordering: server

 

Disable everything except TLS 1.2 as go to high algorithm:

 

       # config vpn ssl settings        # set tlsv1-0 disable        # set tlsv1-1 disable        # set sslv3 disable        # set algorithm high        # end

 

Check again the config:

 

       # /opt/scripts/cipherscan 198.18.0.1:443        custom openssl not executable, falling back to system one from /bin/openssl        ..........................        Target: 198.18.0.1:443               prio  ciphersuite                  protocols  pfs                     curves        1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2    ECDH,secp384r1,384bits  secp384r1        2     ECDHE-RSA-AES256-SHA384      TLSv1.2    ECDH,secp384r1,384bits  secp384r1        3     ECDHE-RSA-AES256-SHA         TLSv1.2    ECDH,secp384r1,384bits  secp384r1        4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2    DH,1024bits             None        5     DHE-RSA-AES256-SHA256        TLSv1.2    DH,1024bits             None        6     DHE-RSA-AES256-SHA           TLSv1.2    DH,1024bits             None        7     DHE-RSA-CAMELLIA256-SHA      TLSv1.2    DH,1024bits             None        8     AES256-GCM-SHA384            TLSv1.2    None                    None        9     AES256-SHA256                TLSv1.2    None                    None        10    AES256-SHA                   TLSv1.2    None                    None        11    CAMELLIA256-SHA              TLSv1.2    None                    None        12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2    ECDH,secp384r1,384bits  secp384r1        13    ECDHE-RSA-AES128-SHA256      TLSv1.2    ECDH,secp384r1,384bits  secp384r1        14    ECDHE-RSA-AES128-SHA         TLSv1.2    ECDH,secp384r1,384bits  secp384r1        15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2    DH,1024bits             None        16    DHE-RSA-AES128-SHA256        TLSv1.2    DH,1024bits             None        17    DHE-RSA-AES128-SHA           TLSv1.2    DH,1024bits             None        18    DHE-RSA-CAMELLIA128-SHA      TLSv1.2    DH,1024bits             None        19    AES128-GCM-SHA256            TLSv1.2    None                    None        20    AES128-SHA256                TLSv1.2    None                    None        21    AES128-SHA                   TLSv1.2    None                    None        22    CAMELLIA128-SHA              TLSv1.2    None                    None        23    ECDHE-RSA-DES-CBC3-SHA       TLSv1.2    ECDH,secp384r1,384bits  secp384r1        24    EDH-RSA-DES-CBC3-SHA         TLSv1.2    DH,1024bits             None        25    DES-CBC3-SHA                 TLSv1.2    None                    None               Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature        TLS ticket lifetime hint: 300        OCSP stapling: not supported        Cipher ordering: server

 

Use for more security not 1024 bit DH increase to higher value:

 

            # config firewall ssl settings             # set ssl-dh-bits [1024 | 1536 | 2048 | 768]             # end

 

Check if unsecure cipher are still supported:

 

       # openssl s_client -connect 198.18.0.1:443 -cipher "RC4"        CONNECTED(00000003)        140687385839520:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:        ---        no peer certificate available        ---        No client certificate CA names sent        ---        SSL handshake has read 7 bytes and written 73 bytes        ---        New, (NONE), Cipher is (NONE)        Secure Renegotiation IS NOT supported        Compression: NONE        Expansion: NONE        ---

 

Check at once if RC4 is supported:

 

            #  for i in `openssl ciphers -v 'RC4' | awk '{print $1}'`; do echo -ne "$i\t" ;   echo |  openssl s_client -connect [FQDN des Hosts oder IPv4]:443 -cipher "$i" 2>&1 | grep New; done             ECDHE-RSA-RC4-SHA New, (NONE), Cipher is (NONE)             ECDHE-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE)             AECDH-RC4-SHA New, (NONE), Cipher is (NONE)             ADH-RC4-MD5 New, (NONE), Cipher is (NONE)             ECDH-RSA-RC4-SHA New, (NONE), Cipher is (NONE)             ECDH-ECDSA-RC4-SHA New, (NONE), Cipher is (NONE)             RC4-SHA New, (NONE), Cipher is (NONE)             RC4-MD5 New, (NONE), Cipher is (NONE)

 

From my point of view there is no configuration which tells the FortiGate in deep-inspection to not use some ciphers etc. This is from my point of view a config which you can full file over the Browser which means deactivating unter option TLS SSL etc. If a webserver is correct configured a fallback to a lower cipher should be not allow. Anyway as more as you increase the security with as an example TLS 1.2 only as with only some ciphers on a Server as more as you will have compatibility issues even it would be from security point of view correct.

 

Finally the option discussed here strong-crypto has nothing to do with the cipers or TLS SSL version the FortiGate uses to access a webserver etc. using deep-inspection. This options influence as the CLI documents the HTTPS SSH Admin access only.

 

hope this helps

 

have fun

 

Andrea

emnoc
Esteemed Contributor III

Very good points & observations

 

Keep in mind, the  ciphers offered by the webserver is going to be the factor on what's selected and used.There's nothing you can do, that can steer or bypass that (except with a true proxy that conducts ssl inspections ....read more )

 

I don't think the  fortigate is going to stop a client that proxy thru from establishment to a web-site with a small-keys or weak ciphers. A true dedicate  forward proxy ( i.e cisco,  bluecoat , optenet, etc...) & that have SSL/TLS  security features is what's required. I think this is where the OP was hinting at & within these latest posts. The fortigate which is good, is not as secured or security cautious as a full on 3rd party proxy solution , who  has better SSL/TLS inspection and controls.

 

The FGT "SSL inspections" just checks basic security checks which are no or more less than your typical browser. Example a explict proxy might allow you to access a site with expired cert or revoke cert or sslv2 or be effected by sslv3 and poodle vulnerabilities.

 

You will need a proxy that has security feature that inspect and restrict the client from  using  ssl3 just for example, I don't think this is possible within the fortigate ( somebody can correct me if I'm wrong ). Poster networker has brought up 2 posts that should be on the minds of all that uses "just" a  fortigate and with attempts at security enforcement from a web-client.

 

Btw, I like that cipherscan script for cipher testing ;)

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
netwrkr
New Contributor

The Palo Alto firewalls have the very features I'm looking for but the cost of them is sky high.

 

From the PAN 7.0 docs

 

## Destination web server key size

 

"By default, the firewall determines the key size to use for the client certificates it generates based on the key size of the destination server certificate. You can optionally set a static key size to use regardless of the key size of the destination server certificate."

 

## Allow the user to 'click-through' untrusted web server certificates

 

"If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server certificate and signs it with the Forward Untrust certificate and sends it to the client. In this case, the client sees a block page warning that the site they’re attempting to connect to is not trusted and the client can choose to proceed or terminate the session."

 

## Without going too far off course - this is another very nice feature the PA has (Fortinet folks - are you listening???)

 

"Enable Users to Opt Out of SSL Decryption In some cases, you may need to alert your users to the fact that certain web traffic is being decrypted and allow them to terminate sessions that they do not want inspected. With SSL Opt Out enabled, the first time a userattempts to browse to an HTTPS site or application that matches your decryption policy, the firewall will displaya response page that notifies the user that the session will be decrypted. Users can either allow decryption andcontinue to the page by clicking YES,or opt out of decryption and click No to terminate the session. Users who opt out of SSL decryption are not allowed to continue to the requested web page, or to any other HTTPS site they attempt to access during the next 24-hour period.     My point is, at least one other "NGFW" vendor offers the requisite SSL/TLS deep-inspection security features.  I can only hope Fortinet does the same in the near future.   Tom
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors