Setting the SSL/TLS cipher choices for server and client connections
The ssl-algorithm and ssl-server-algorithm configuration options allow the cipher choice for the FortiGate to server connection to be independent of the cipher choice for the client to FortiGate connection. This applies to server-load-balance virtual IPs running in ssl-mode full, where the FortiGate terminates the client's TLS session and opens a second TLS session to the real server. By default, ssl-server-algorithm is set to client, and the configured ssl-algorithm setting is applied to both the client connection and the server connection.

You can change ssl-server-algorithm to apply different options to the server connection. The ssl-algorithm setting is still applied to the client connection.
The following ssl-server-algorithm options are available:
- high: offer AES or 3DES cipher suites in the ServerHello.
- medium: offer AES, 3DES, or RC4 cipher suites in the ServerHello.
- low: offer AES, 3DES, RC4, or DES cipher suites in the ServerHello.
- custom: specify custom cipher suites using config ssl-server-cipher-suites and offer only those cipher suites in the ServerHello.
- client: offer the cipher suites in the ServerHello that were offered in the ClientHello.
The medium and low options exist only for legacy servers that cannot negotiate anything stronger. RC4 and single DES are broken ciphers, so do not enable these options against servers you control; use high, or custom with an explicit list of AES suites.
Command syntax is:
config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-mode full
        set ssl-algorithm {high | medium | low | custom}
        set ssl-server-algorithm {high | medium | low | custom | client}
    next
end
If you set ssl-server-algorithm to custom, the syntax is:
config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-mode full
        set ssl-server-algorithm custom
        config ssl-server-cipher-suites
            edit 10
                set cipher <cipher-suite>
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
            next
            edit 20
                set cipher <cipher-suite>
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
            next
        end
    next
end
Each entry in ssl-server-cipher-suites is tried in order of its entry number, and the versions setting limits the protocol versions for which that entry is offered. Allowing ssl-3.0 or tls-1.0 on the server side only makes sense for a legacy backend that cannot be upgraded.
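The following script is an added example, not code from this page or from Fortinet. It parses a configuration dump in the config firewall vip block layout shown above (for instance the output of show firewall vip) and reports, for each VIP, the cipher policy that ends up on the client side and on the server side, including the default case where ssl-server-algorithm client makes the server side follow ssl-algorithm. It flags presets that add RC4 or DES, custom entries whose cipher name contains those ciphers, and entries that still allow ssl-3.0 or tls-1.0. The sample configuration, the VIP names and the cipher-suite names are constructed for illustration; the suite names follow the FortiOS TLS-...-WITH-... naming but are assumed values, and the high default assumed for ssl-algorithm is an assumption as well.

```python
"""Audit FortiGate SSL VIPs: which cipher policy applies on the client side and
the server side, and where RC4/DES presets, weak custom suites or old protocol
versions slip in. Added example, not Fortinet code; it parses the `config
firewall vip` block layout shown on this page (single-word values only)."""

# Cipher families each preset offers in the ServerHello, as listed above.
PRESET_CIPHERS = {"high": {"AES", "3DES"}, "medium": {"AES", "3DES", "RC4"},
                  "low": {"AES", "3DES", "RC4", "DES"}}
WEAK_FAMILIES = {"RC4", "DES"}           # only the medium/low presets add these
WEAK_VERSIONS = {"ssl-3.0", "tls-1.0"}   # a hardened backend should refuse these

# Constructed sample config (not from a real device). Cipher-suite names follow
# the FortiOS TLS-...-WITH-... naming and are assumed values: confirm them with
# `set cipher ?` on your firmware. Settings irrelevant to the audit are omitted.
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-default"
        set ssl-mode full
        set ssl-algorithm medium
    next
    edit "web-split"
        set ssl-mode full
        set ssl-algorithm high
        set ssl-server-algorithm custom
        config ssl-server-cipher-suites
            edit 10
                set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                set versions tls-1.2
            next
            edit 20
                set cipher TLS-RSA-WITH-RC4-128-SHA
                set versions ssl-3.0 tls-1.0
            next
        end
    next
    edit "web-hardened"
        set ssl-mode full
        set ssl-algorithm high
        set ssl-server-algorithm custom
        config ssl-server-cipher-suites
            edit 10
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                set versions tls-1.2
        end
    next
end
"""


def parse_vips(config_text):
    """Parse `config firewall vip` entries into dicts keyed by VIP name."""
    vips, vip, suite, in_suites = {}, None, None, False
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config" and args == ["ssl-server-cipher-suites"]:
            in_suites = True
        elif kw == "edit":
            name = " ".join(args).strip('"')
            if in_suites:
                suite = {"id": name, "cipher": "", "versions": []}
            else:   # ssl-server-algorithm defaults to client (per the page);
                    # "high" as the ssl-algorithm default is an assumption here
                vip = {"name": name, "ssl-algorithm": "high",
                       "ssl-server-algorithm": "client", "suites": []}
        elif kw == "set":
            target = suite if suite is not None else vip
            if target is not None:   # `versions` takes a list, the rest one word
                target[args[0]] = args[1:] if args[0] == "versions" else args[1]
        elif kw in ("next", "end"):
            if suite is not None:            # `end` may close the last entry
                vip["suites"].append(suite)
                suite, in_suites = None, kw != "end"
            elif in_suites and kw == "end":
                in_suites = False
            elif vip is not None:
                vips[vip["name"]] = vip
                vip = None
    return vips


def effective_policy(vip):
    """(client_side, server_side) policies; `client` mirrors the client side."""
    client, server = vip["ssl-algorithm"], vip["ssl-server-algorithm"]
    return client, client if server == "client" else server


def audit(vip):
    """Return findings for weak cipher or protocol choices on either side."""
    findings = []
    for side, policy in zip(("client", "server"), effective_policy(vip)):
        weak = PRESET_CIPHERS.get(policy, set()) & WEAK_FAMILIES
        if weak:
            findings.append(f"{side}: preset {policy} offers {'/'.join(sorted(weak))}")
    if effective_policy(vip)[1] == "custom":
        if not vip["suites"]:
            findings.append("server: custom selected but no cipher suites configured")
        for s in vip["suites"]:
            if set(s["cipher"].split("-")) & WEAK_FAMILIES:
                findings.append(f"server: entry {s['id']} uses {s['cipher']}")
            old = set(s["versions"]) & WEAK_VERSIONS
            if old:
                findings.append(f"server: entry {s['id']} allows {'/'.join(sorted(old))}")
    return findings


if __name__ == "__main__":
    for name, vip in parse_vips(SAMPLE_CONFIG).items():
        print(name, "client/server =", effective_policy(vip), audit(vip))
```

Running the script as is reports two findings for web-default (the medium preset, inherited by the server side through the client default, adds RC4 on both connections), two findings for entry 20 of web-split (an RC4 suite that is also allowed on ssl-3.0 and tls-1.0), and nothing for web-hardened. Replace SAMPLE_CONFIG with your own dump to audit a real device; the parser ignores settings it does not know and accepts the page's variant where the last cipher-suite entry is closed by end without a preceding next.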