Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Salas
New Contributor

Turn off 3DES on SSL VPN

Recently my firewall was scanned by PCI DSS auditors, and they recommend turning off 3DES in SSL VPN.

Is it possible to turn it off on 5.2.11 firmware?

Is it safe to use 3DES in IPsec VPN?

 

8 replies
Seppel
Contributor II

It's not possible to disable 3DES in SSL VPN on a FortiGate running FortiOS prior to 5.4.

 

http://kb.fortinet.com/kb/documentLink.do?externalID=FD39819

 

If possible, you should use AES in IPsec VPN.

 

regards,

Fortigate 500E HA Fortimail 200 Fortimanager

FortiEMS

FortiSandbox 1000D

FortiSwitch Network Some other Models in use :-) ---------------------------------------------------- FCSE ----------------------------------------------------
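For a FortiGate already on a release that supports per-cipher bans, the hardening this thread converges on looks like the following. This is an added illustration, not a configuration from the thread or from the KB article above: the weak 5.2-era block is shown first, then the hardened one. `set banned-cipher 3DES` is the CLI option assumed here (it exists under `config vpn ssl settings` in FortiOS 6.x); which 5.4/5.6 release first accepts it is not established by this thread, so confirm against the CLI reference for your firmware before relying on it.

```text
# Weak: what 5.2 lets you set. "high" still includes 3DES (see the
# handbook line quoted later in the thread), and TLS 1.0/1.1 stay on.
config vpn ssl settings
    set sslv3 disable
    set algorithm high
    set port 443
end

# Hardened (assumed syntax for FortiOS 5.4+/6.x): old protocols off,
# "high" suites only, and 3DES explicitly banned.
config vpn ssl settings
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 disable
    set algorithm high
    set banned-cipher 3DES
    set port 443
end
```

After applying it, retest from outside with `openssl s_client -cipher DES-CBC3-SHA` as emnoc describes below; the only acceptable result is a handshake failure for every 3DES suite.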
Salas
New Contributor

I hope this feature will be added in future 5.2 firmware versions.

I have some 60D firewalls with 5.4 firmware, but 5.2 looks much better, and I don't want to upgrade my 600C firewall cluster to 5.4 or 5.6 firmware.

 

emnoc
Esteemed Contributor III

Yes, it is doable in 5.2.11:

 

config vpn ssl settings
    set sslv3 disable
    set algorithm high
    set port 443
end

 

 

Test with openssl:

 

1. List the ciphers:

 

openssl ciphers MEDIUM

openssl ciphers HIGH

 

2. Use the 3DES ciphers in s_client before and after the change,

 

e.g.:

 

openssl s_client -connect 1.1.1.2:443 -cipher DES-CBC3-SHA

openssl s_client -connect 1.1.1.2:443 -cipher ECDHE-RSA-DES-CBC3-SHA

(OpenSSL cipher names: DES-CBC3-SHA is TLS_RSA_WITH_3DES_EDE_CBC_SHA, ECDHE-RSA-DES-CBC3-SHA is TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, EDH-RSA-DES-CBC3-SHA is TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)

 

and so on.

 

PCNSE 

NSE 

StrongSwan  
FortiOSman
New Contributor III

emnoc wrote:

Yes, it is doable in 5.2.11:

 

config vpn ssl settings
    set sslv3 disable
    set algorithm high
    set port 443
end

 

 

Test with openssl:

 

1. List the ciphers:

 

openssl ciphers MEDIUM

openssl ciphers HIGH

 

2. Use the 3DES ciphers in s_client before and after the change,

 

e.g.:

 

openssl s_client -connect 1.1.1.2:443 -cipher DES-CBC3-SHA

openssl s_client -connect 1.1.1.2:443 -cipher ECDHE-RSA-DES-CBC3-SHA

 

and so on.

 

This did not work for me. I am still able to connect with:

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, and
TLS_RSA_WITH_3DES_EDE_CBC_SHA
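The before/after check emnoc describes, automated for exactly the three 3DES suites FortiOSman reports as still negotiable. This is an added example, not code from the thread: it assumes a reachable SSL VPN listener (host and port are placeholders, the thread's 1.1.1.2:443 is only used in the comment), a local `openssl` binary, and a POSIX shell. The suite names are the OpenSSL spellings that `s_client -cipher` expects; the IANA names from the post are mapped in the comments.

```sh
#!/bin/sh
# Added example: probe an SSL VPN listener for 3DES cipher suites with
# openssl s_client and report which ones the server still accepts.
#
# IANA suite name (as listed in the post)   OpenSSL name (for -cipher)
#   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA  ->  ECDHE-RSA-DES-CBC3-SHA
#   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA    ->  EDH-RSA-DES-CBC3-SHA
#   TLS_RSA_WITH_3DES_EDE_CBC_SHA        ->  DES-CBC3-SHA
THREE_DES_SUITES="ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA"

# negotiated_cipher: read s_client output on stdin and print the suite the
# server chose, or NONE if no handshake completed.  s_client always prints
# one line of the form "New, <protocol>, Cipher is <name>"; when the server
# rejects the offered suite (alert handshake failure) <name> is "(NONE)".
negotiated_cipher() {
    cipher=$(sed -n 's/^New, .*, Cipher is //p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)") echo "NONE" ;;
        *)           echo "$cipher" ;;
    esac
}

# probe_cipher HOST PORT SUITE: offer exactly one suite, return 0 if the
# server accepted it, 1 if it refused.  "@SECLEVEL=0" is appended because
# OpenSSL 1.1.0+/3.x clients will not offer 3DES at their default security
# level; the directive is unknown to OpenSSL 1.0.x, so drop it there.
# </dev/null closes the session immediately instead of waiting for input.
probe_cipher() {
    host=$1; port=$2; suite=$3
    chosen=$(openssl s_client -connect "$host:$port" -servername "$host" \
                 -cipher "$suite:@SECLEVEL=0" </dev/null 2>/dev/null \
             | negotiated_cipher)
    if [ "$chosen" = "NONE" ]; then
        printf '%-26s rejected\n' "$suite"
        return 1
    fi
    printf '%-26s ACCEPTED (server chose %s)\n' "$suite" "$chosen"
    return 0
}

# scan_3des HOST PORT: probe all three suites.  Exit status 0 means no
# 3DES suite was accepted (the PCI DSS finding is closed); 1 means at least
# one still negotiates and the change on the FortiGate did not take effect.
scan_3des() {
    accepted=0
    for suite in $THREE_DES_SUITES; do
        probe_cipher "$1" "$2" "$suite" && accepted=1
    done
    return $accepted
}

# Usage: sh probe_3des.sh 1.1.1.2 443
if [ "$#" -eq 2 ]; then
    scan_3des "$1" "$2" && echo "no 3DES suite accepted" || echo "3DES still enabled"
fi
```

Run it once before and once after changing `set algorithm`, and again after disabling TLS 1.0/1.1; on a 5.2 box the thread's outcome is that all three lines still read ACCEPTED, which is the evidence to attach to the support ticket.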

emnoc
Esteemed Contributor III

Open a ticket with support. I would disable the SSLv3, TLSv1.0 and TLSv1.1 protocols, enable the high algorithms, and retest.

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  
FortiOSman
New Contributor III

Thanks. Right now TLS 1.0 and 1.1 are still enabled. I'll try turning those off first, and if that doesn't work, open a ticket with Fortinet and report back.

FortiOSman

I turned off TLS 1.0 and TLS 1.1, but that did not turn off the 3DES ciphers. Even the FortiOS™ Handbook - SSL VPN v5.2.12 states 3DES would still be enabled. This does not look possible in 5.2. I will open a ticket to confirm.

 

https://docs.fortinet.com...ortigate-sslvpn-52.pdf

high - Use a cipher suite greater than 128 bits; AES or 3DES

 

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, and TLS_RSA_WITH_3DES_EDE_CBC_SHA

emnoc
Esteemed Contributor III

I'll test this later in FortiOS v6.0. This is why you need to stay up to date on firmware: 5.2.x is nowhere near current, and a newer release would be better and more secure. If you're going through any security audit, the first thing looked at would be why you are on 5.2.11, imho.

 

Ken

 

PCNSE 

NSE 

StrongSwan  