FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jheadley_FTNT
Description
This article shows how to use the open source program cURL to test connectivity to (or through) FortiGate using various cipher suites. This is useful when doing vulnerability assessments, and can confirm whether the FortiGate allows connections to be made using a specific version of the SSL/TLS protocol and chosen cipher suite.   

Scope
FortiGate HTTPS Management IP Address
FortiGate SSL VPN Portal IP Address
HTTPS Website Protected by FortiGate/FortiWeb

Solution
1) Download and install a pre-compiled version of cURL for your operating system. A popular version for Windows is called “cURL for Windows”.  Alternatively, you can compile cURL yourself.

2) Determine the IP address and port number to which a connection is to be made. This can be the IP and port number of the FortiGate management address, SSL VPN, or a server behind the FortiGate.

3) Determine the version of TLS/SSL to be tested, as well as what ciphers.

4) Test with cURL using the parameters determined above.

Example 1: Testing the FortiGate SSL VPN interface for SSLv3 (any cipher suite)


curl https://10.0.0.5:10443 -k -v --location-trusted --sslv3

[output removed]

alert handshake failure (connection is NOT accepted)

Example 2: Testing the FortiGate management interface for TLSv1.2 using the 3DES bulk cipher/encryption algorithm

curl https://10.0.0.1:443 -k -v --location-trusted --tlsv1.2 --ciphers 3DES

[output removed]

* Connection #0 to host 10.0.0.1 left intact (connection is accepted)

Example 3: Testing FortiGate SSLVPN for TLSv1.2 using the cipher suite AECDH-AES128-SHA

curl https:// 10.0.0.5:10443 -k -v --location-trusted --tlsv1.2 --ciphers AECDH-AES128-SHA

[output removed]

* Connection #0 to host 10.0.0.1 left intact (connection is accepted)

Note that cURL uses OpenSSL, it therefore requires their terminology when selecting cipher suites for testing. AECDH-AES128-SHA is the OpenSSL terminology for the RFC name TLS_ECDH_anon_WITH_AES_128_CBC_SHA.

A full list of the options available for cURL, including protocols, can be found in the cURL tool documentation at  http://curl.haxx.se/docs/manpage.html.

A full list of ciphers available can be found in the OpenSSL Cryptography and SSL/TLS Toolkit documentation at https://www.openssl.org/docs/manmaster/apps/ciphers.html.

Related Articles

Technical Note: How to verify if a web page is cache-able using cURL

Contributors