TLS 1.3 Support
TLS 1.3 support has been added for SSL VPN. The following steps are required for a client to establish an SSL VPN connection with TLS 1.3 to the FortiGate:
- Configure TLS 1.3 support using the FortiOS CLI.
- Configure the SSL VPN and firewall policy.
- For Linux clients, ensure OpenSSL 1.1.1a or later is installed (TLS 1.3 client support begins with the OpenSSL 1.1.1 series).
- Use OpenSSL with the TLS 1.3 option to connect to SSL VPN.
- Ensure that the SSL VPN connection has been established with TLS 1.3.
This feature can only be used with endpoints that have FortiClient 6.2.0 or a later version installed. Earlier FortiClient versions do not support TLS 1.3.
A new command for TLS 1.3 has been added under config vpn ssl setting. TLS 1.3 support is enabled by default; to set it explicitly, run the following FortiOS CLI commands:
config vpn ssl setting
set tlsv1-3 enable
end
Configure the SSL VPN settings and firewall policy as required.
Run the following command in the terminal on the Linux client to check the installed OpenSSL version:
# openssl version
If OpenSSL 1.1.1a is installed, the system displays a response like the following:
OpenSSL 1.1.1a  20 Nov 2018
On the Linux client, use OpenSSL to connect to the FortiGate SSL VPN with TLS 1.3 by running the following command (10.1.100.10:10443 is the SSL VPN address and port used in this example; the -tls1_3 option restricts the client to TLS 1.3 only, so the handshake fails rather than falling back to an older version if the FortiGate does not offer TLS 1.3):
# openssl s_client -connect 10.1.100.10:10443 -tls1_3
Run the following commands in the FortiOS CLI to ensure that the SSL VPN connection has been established with TLS 1.3:
# diagnose debug application sslvpn -1
# diagnose debug enable
The system should display a response like the following, showing the negotiated protocol version and cipher suite:
[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
Turn debugging off again once the check is complete (diagnose debug disable), since this debug level is verbose.
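The client-side procedure above, from checking the OpenSSL version to confirming the negotiated protocol, as one script. This is an added example and not Fortinet or FortiOS code. The address 10.1.100.10:10443 is taken from the command in the text, the s_client and FortiGate debug samples are constructed from the output shapes shown on this page rather than captured from a device, and the parsing assumes the output format of OpenSSL 1.1.1-style openssl s_client.

```shell
#!/bin/sh
# Added example (not Fortinet/FortiOS code): verify that a FortiGate SSL VPN
# listener negotiates TLS 1.3 from a Linux client using only the OpenSSL CLI.
# FGT_HOST/FGT_PORT default to the address used in the text; override as needed.
FGT_HOST="${FGT_HOST:-10.1.100.10}"
FGT_PORT="${FGT_PORT:-10443}"

# openssl_supports_tls13 VERSION_LINE
#   Returns 0 when the "openssl version" output names OpenSSL 1.1.1 or newer,
#   the first release series with TLS 1.3 support. Only OpenSSL's own numbering
#   is understood; other toolkits (e.g. LibreSSL) are rejected rather than
#   guessed at. Letter or "-fips" suffixes are ignored for the comparison.
openssl_supports_tls13() {
    [ "$(printf '%s\n' "$1" | awk '{print $1}')" = "OpenSSL" ] || return 1
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=$(printf '%s\n' "${rest#*.}" | tr -dc '0-9')
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 1
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# negotiated_tls SCLIENT_OUTPUT
#   Prints "<protocol> <cipher>" from the "New, <proto>, Cipher is <cipher>"
#   line that openssl s_client prints after the handshake. On a failed
#   handshake that line reads "New, (NONE), Cipher is (NONE)", so it cannot
#   claim TLS 1.3 unless a session was actually established.
negotiated_tls() {
    printf '%s\n' "$1" | sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1
}

# is_tls13 SCLIENT_OUTPUT -> returns 0 only if a TLS 1.3 session was established
is_tls13() {
    set -- $(negotiated_tls "$1")
    [ "${1:-}" = "TLSv1.3" ] && [ "${2:-}" != "(NONE)" ]
}

# fortigate_debug_established DEBUG_OUTPUT
#   Parses "diagnose debug application sslvpn -1" output from the FortiGate
#   side and prints "<protocol> <cipher>" from its "SSL established:" line.
#   The pattern is based on the single debug line shown in the text.
fortigate_debug_established() {
    printf '%s\n' "$1" | sed -n 's/^.*SSL established: \([^ ]*\) \([^ ]*\).*$/\1 \2/p' | head -n 1
}

# probe_fortigate: live check against FGT_HOST:FGT_PORT. Forcing -tls1_3 means
# any completed handshake is TLS 1.3; if tlsv1-3 is disabled on the FortiGate
# the connection fails instead of silently falling back to TLS 1.2.
probe_fortigate() {
    if ! openssl_supports_tls13 "$(openssl version 2>/dev/null)"; then
        echo "FAIL: local OpenSSL lacks TLS 1.3 support (need 1.1.1 or newer)" >&2
        return 1
    fi
    out=$(openssl s_client -connect "$FGT_HOST:$FGT_PORT" -tls1_3 </dev/null 2>&1 || true)
    if is_tls13 "$out"; then
        echo "OK: $FGT_HOST:$FGT_PORT negotiated $(negotiated_tls "$out")"
        return 0
    fi
    echo "FAIL: $FGT_HOST:$FGT_PORT did not establish a TLS 1.3 session" >&2
    return 1
}

# Constructed samples, abbreviated to the lines the parsers look at; they are
# not captured from a real FortiGate.
SAMPLE_OK='CONNECTED(00000003)
---
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_FAIL='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
---
New, (NONE), Cipher is (NONE)'
SAMPLE_FGT='[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384'

# Run the live probe only when asked; sourcing the file just defines functions.
if [ "${1:-}" = "--probe" ]; then probe_fortigate; fi
```

Run it as `sh tls13_probe.sh --probe` (the file name is arbitrary). The check reads the "New, ..., Cipher is ..." line rather than the SSL-Session block on purpose: the former reports (NONE) whenever no session was established, so a rejected handshake cannot be mistaken for TLS 1.3. Note that openssl s_client completes the handshake even when certificate verification fails (the constructed sample above shows such a warning), so this script proves only the protocol version; certificate validity has to be checked separately.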
FortiOS now supports TLS 1.3 for policies that have the following security profiles applied:
- Web Filter profile with flow-based inspection mode enabled
- Deep inspection SSL/SSH Inspection profile
When a policy with both of the above profiles is enabled and a client attempts to access a website that supports TLS 1.3, FortiOS sends the traffic to the IPS engine. The IPS engine decodes the TLS 1.3 session, inspection is applied, and the client is able to access the website.
TLS 1.3 inspection requires IPS engine 4.205 or a later version.