Setting the SSL/TLS versions to use for server and client connections
The ssl-server-min-version, ssl-server-max-version, ssl-min-version and ssl-max-version configuration options allow the minimum and maximum SSL/TLS versions for the client to FortiGate connection to be set independently of those for the FortiGate to server connection. By default, ssl-server-min-version and ssl-server-max-version are both set to client, so the configured ssl-min-version and ssl-max-version settings are applied to both the client and the server connection.
Set ssl-server-min-version and ssl-server-max-version to apply different limits to the server connection; the ssl-min-version and ssl-max-version settings then continue to apply only to the client connection. If you set either ssl-server-min-version or ssl-server-max-version to an explicit version, both must be set to an explicit version (one cannot be explicit while the other remains client).
The ssl-server-min-version and ssl-server-max-version options specify the minimum and maximum SSL/TLS versions the FortiGate offers to the real server in its ClientHello when performing full mode SSL offloading, and therefore the range of versions it accepts back from the server in the ServerHello. If the server responds with a version lower than ssl-server-min-version or higher than ssl-server-max-version, the FortiGate terminates the connection.
Command syntax is:

config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-mode full
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        set ssl-server-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
        set ssl-server-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
    next
end
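The following is an added example, not FortiOS code or Fortinet's implementation. It models in Python the two behaviours described above: how ssl-server-min-version and ssl-server-max-version inherit from ssl-min-version and ssl-max-version while set to client (and why setting only one of them explicitly is rejected), and the check that compares the version in the server's ServerHello against the resolved range to decide whether the back-end connection is kept or terminated. The option names are the CLI ones from this page; the ServerHello records are constructed inline for the demonstration and are not captures from a real server.

```python
"""Added example, not Fortinet/FortiOS code: a model of how the ssl-*-version
VIP options resolve, and of the ServerHello version check described above.
Option names mirror the CLI; sample ServerHello records are constructed here."""
import struct

# Wire encodings of the versions the CLI accepts.
VERSIONS = {"ssl-3.0": 0x0300, "tls-1.0": 0x0301, "tls-1.1": 0x0302, "tls-1.2": 0x0303}
NAMES = {v: k for k, v in VERSIONS.items()}


def resolve_server_range(cfg):
    """Return (min, max) wire versions the FortiGate offers to / accepts from the server.

    cfg maps CLI option names to their values. ssl-server-min-version and
    ssl-server-max-version default to "client", meaning inherit ssl-min-version
    and ssl-max-version. Setting one of them explicitly requires setting both.
    """
    smin = cfg.get("ssl-server-min-version", "client")
    smax = cfg.get("ssl-server-max-version", "client")
    if (smin == "client") != (smax == "client"):
        raise ValueError("ssl-server-min-version and ssl-server-max-version "
                         "must both be explicit versions or both be 'client'")
    if smin == "client":
        smin, smax = cfg["ssl-min-version"], cfg["ssl-max-version"]
    lo, hi = VERSIONS[smin], VERSIONS[smax]
    if lo > hi:
        raise ValueError("minimum version is above maximum version")
    return lo, hi


def config_is_valid(cfg):
    """True if the ssl-*-version options form a consistent set, False otherwise."""
    try:
        resolve_server_range(cfg)
        return True
    except (KeyError, ValueError):
        return False


def server_hello_version(record):
    """Extract server_version from a TLS record carrying a ServerHello.

    Layout: record header type(1) version(2) length(2), then the handshake
    message type(1) length(3) server_version(2) ... The negotiated version is
    the one in the handshake body, not the one in the record header.
    """
    if len(record) < 5:
        raise ValueError("record too short")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 6:
        raise ValueError("truncated handshake record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 0x02:
        raise ValueError("not a ServerHello")
    if hs_len < 2 or 4 + hs_len > len(body):
        raise ValueError("bad ServerHello length")
    return struct.unpack("!H", body[4:6])[0]


def accept_server_hello(cfg, record):
    """True if the back-end connection is kept, False if the FortiGate would terminate it."""
    lo, hi = resolve_server_range(cfg)
    return lo <= server_hello_version(record) <= hi


def build_server_hello(version):
    """Constructed minimal ServerHello record (test input, not a real capture):
    server_version, 32-byte random, empty session id, one cipher suite, null compression."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    # Default: ssl-server-* left at "client", so the client-side range also applies to the server.
    default_cfg = {"ssl-min-version": "tls-1.0", "ssl-max-version": "tls-1.2"}
    # Hardened: legacy clients may still use TLS 1.0, but the back-end is pinned to TLS 1.2.
    hardened_cfg = {**default_cfg, "ssl-server-min-version": "tls-1.2",
                    "ssl-server-max-version": "tls-1.2"}
    for name, cfg in (("default", default_cfg), ("hardened", hardened_cfg)):
        for v in VERSIONS.values():
            verdict = "keep" if accept_server_hello(cfg, build_server_hello(v)) else "terminate"
            print(f"{name:8} server answers {NAMES[v]:8} -> {verdict}")
```

Running the script prints the verdict for each version a server might answer with under the default (inherited) range and under a range that pins the server side to TLS 1.2; the second case is the common deployment where older clients are tolerated on the front end while the FortiGate-to-server hop is held to the strongest version the real servers support.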