TLS 1.3 Support
SSL VPN
TLS 1.3 support has been added for SSL VPN. The following steps are required for a client to establish an SSL VPN connection with TLS 1.3 to the FortiGate:
- Configure TLS 1.3 support using the FortiOS CLI.
- Configure the SSL VPN and firewall policy.
- For Linux clients, ensure OpenSSL 1.1.1a is installed.
- Use OpenSSL with the TLS 1.3 option to connect to SSL VPN.
- Ensure that the SSL VPN connection has been established with TLS 1.3.
Note: This feature can only be used with endpoints that have FortiClient 6.2.0 or a later version installed. Earlier FortiClient versions do not support TLS 1.3.
To configure TLS 1.3 support using the FortiOS CLI:
A new command for TLS 1.3 has been added under config vpn ssl setting. By default, TLS 1.3 support is enabled. You can enable TLS 1.3 support using the following FortiOS CLI command:
config vpn ssl setting
set tlsv1-3 enable
end
To configure SSL VPN and the firewall policy:
Configure the SSL VPN settings and firewall policy as required.
To ensure OpenSSL 1.1.1a is installed on the Linux client:
Run the following commands in the terminal on the Linux client:
root@PC1:~/tools# openssl
OpenSSL> version
If OpenSSL 1.1.1a is installed, the system displays a response like the following:
OpenSSL 1.1.1a 20 Nov 2018
To connect to SSL VPN using OpenSSL with TLS 1.3:
On the Linux client, use OpenSSL to connect to FortiGate SSL VPN with TLS 1.3 by running the following command:
# openssl s_client -connect 10.1.100.10:10443 -tls1_3
To ensure that the SSL VPN connection is established with TLS 1.3:
Run the following commands in the FortiOS CLI to ensure that the SSL VPN connection has been established with TLS 1.3:
# diagnose debug application sslvpn -1
# diagnose debug enable
The system should display a response like the following:
[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
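The verification step above relies on reading the "SSL established" lines by eye. The following shell script is an added example (not part of the FortiOS documentation or Fortinet's tooling) that parses constructed sample lines in the same format as the sslvpn debug output, reports any session that was not negotiated with TLS 1.3 and a TLS 1.3 cipher suite, and includes an untested helper that wraps the openssl s_client probe from the connection step. The host:port argument and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example: check FortiOS sslvpn debug output for sessions that did
# not negotiate TLS 1.3. Sample lines below are constructed, not captured.

SAMPLE_LOG='[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[208:root:1e]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[209:root:1f]SSL established: TLSv1.3 TLS_CHACHA20_POLY1305_SHA256'

# Read debug output on stdin; print "<session-id> <version> <cipher>"
# for every "SSL established" line, ignoring everything else.
parse_established() {
    sed -n 's/^\[\([^]]*\)\]SSL established: \([^ ]*\) \([^ ]*\).*/\1 \2 \3/p'
}

# Return 0 if the cipher is one of the TLS 1.3 suites defined in RFC 8446.
is_tls13_cipher() {
    case "$1" in
        TLS_AES_256_GCM_SHA384|TLS_AES_128_GCM_SHA256|TLS_CHACHA20_POLY1305_SHA256)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Read parsed sessions on stdin; print each one that is not TLS 1.3 with a
# TLS 1.3 suite. Returns 0 only when every session passed the check.
report_non_tls13() {
    status=0
    while read -r sid ver cipher; do
        if [ "$ver" != "TLSv1.3" ] || ! is_tls13_cipher "$cipher"; then
            echo "session $sid: $ver $cipher (not TLS 1.3)"
            status=1
        fi
    done
    return $status
}

# Untested helper (assumed host:port argument): probe a live endpoint the
# way the connection step does and show only the negotiated protocol and
# cipher from the s_client session summary.
probe_tls13() {
    openssl s_client -connect "$1" -tls1_3 </dev/null 2>/dev/null \
        | grep -E 'Protocol *:|Cipher *:'
}

# Run the check over the constructed sample; one TLS 1.2 session is flagged.
printf '%s\n' "$SAMPLE_LOG" | parse_established | report_non_tls13 \
    || echo "at least one session did not use TLS 1.3"
```

Feed real output from diagnose debug application sslvpn -1 into parse_established | report_non_tls13 to get the same report for live sessions.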
Deep Inspection (Flow Based)
FortiOS now supports TLS 1.3 for policies that have the following security profiles applied:
- Web Filter profile with flow-based inspection mode enabled
- Deep inspection SSL/SSH Inspection profile
Consider that a policy with the above Web Filter and SSL/SSH Inspection profiles applied is enabled. A client attempts to access a website that supports TLS 1.3. FortiOS sends the traffic to the IPS engine. The IPS engine then decodes TLS 1.3, and the client is able to access the website.
Note: TLS 1.3 support is only available for IPS engine 4.205 and later versions.