Handbook

Setting the SSL/TLS cipher choices for server and client connections

6.0.0
Setting the SSL/TLS cipher choices for server and client connections

The ssl-algorithm and ssl-server-algorithm configuration options allow the cipher choice for the FortiGate-to-server connection to be independent of the cipher choice for the client-to-FortiGate connection. By default, ssl-server-algorithm is set to client, and the configured ssl-algorithm setting is applied to both the client and the server connection.

You can change the ssl-server-algorithm to apply different options to the server connection. The ssl-algorithm setting is still applied to the client connection.

The following ssl-server-algorithm options are available:

  • high, offer AES or 3DES cipher suites in the ServerHello
  • medium, offer AES, 3DES, or RC4 cipher suites in the ServerHello
  • low, offer AES, 3DES, RC4, or DES cipher suites in the ServerHello
  • custom, specify custom cipher suites using config ssl-server-cipher-suites and offer those cipher suites in the ServerHello
  • client, offer in the ServerHello the cipher suites that were offered in the ClientHello

Command syntax is:

config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-mode full
        set ssl-algorithm {high | medium | low | custom}
        set ssl-server-algorithm {high | medium | low | custom | client}
    next
end

If you set ssl-server-algorithm to custom, the syntax is:

config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-mode full
        set ssl-server-algorithm custom
        config ssl-server-cipher-suites
            edit 10
                set cipher <cipher-suite>
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
            next
            edit 20
                set cipher <cipher-suite>
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
            next
        end
    next
end
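Because the custom sub-table lets you keep SSL 3.0 or RC4/DES on the server leg while the client leg looks clean, it helps to audit the saved configuration rather than trust the ssl-algorithm setting alone. The following script is an added example, not Fortinet code: it parses the config ssl-server-cipher-suites sub-table in the CLI syntax shown above and flags entries that still allow legacy versions or weak cipher algorithms. The sample configuration is constructed, and the cipher-suite names in it are assumptions in the TLS-<kex>-WITH-<cipher>-<mac> naming style, not verified FortiOS output.

```python
# Constructed sample in the page's CLI syntax; suite names are assumptions.
SAMPLE_CONFIG = """
config firewall vip
    edit "web-lb"
        set ssl-server-algorithm custom
        config ssl-server-cipher-suites
            edit 10
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                set versions tls-1.2
            next
            edit 20
                set cipher TLS-RSA-WITH-RC4-128-SHA
                set versions ssl-3.0 tls-1.0 tls-1.2
            next
        end
    next
end
"""
WEAK_VERSIONS = {"ssl-3.0", "tls-1.0", "tls-1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "3DES", "NULL", "EXPORT")
def parse_server_cipher_suites(config_text):
    """Map entry id -> {cipher, versions} from the ssl-server-cipher-suites sub-table."""
    suites, current, in_table = {}, None, False
    for line in (l.strip() for l in config_text.splitlines()):
        if line == "config ssl-server-cipher-suites":
            in_table = True
        elif not in_table:
            continue
        elif line.startswith("edit "):
            current = int(line.split()[1])
            suites[current] = {"cipher": None, "versions": []}
        elif line.startswith("set cipher ") and current is not None:
            suites[current]["cipher"] = line.split(None, 2)[2]
        elif line.startswith("set versions ") and current is not None:
            suites[current]["versions"] = line.split()[2:]
        elif line == "next":
            current = None
        elif line == "end":  # closes the sub-table; outer vip lines are ignored
            break
    return suites
def audit(suites):
    """Flag entries that still allow legacy protocol versions or weak cipher algorithms."""
    findings = []
    for entry_id, s in sorted(suites.items()):
        tokens = (s["cipher"] or "").upper().split("-")
        for kind, hits in (("version", sorted(WEAK_VERSIONS & set(s["versions"]))),
                           ("cipher", [t for t in WEAK_CIPHER_TOKENS if t in tokens])):
            if hits:
                findings.append((entry_id, kind, ", ".join(hits)))
    return findings
```

Run audit(parse_server_cipher_suites(SAMPLE_CONFIG)) against a show firewall vip dump to list every entry id that needs tightening; an empty list means the server leg offers only TLS 1.2 with the remaining suites.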