Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Supported cipher suites & protocol versions

How secure is an HTTPS connection?

There are physical considerations, such as restricting access to private keys and decrypted traffic. Another part is the encryption. For details, see Offloading vs. inspection.

A secure connection’s protocol version and cipher suite, including encryption bit strength and encryption algorithms, is negotiated between the client and the SSL/TLS terminator during the handshake.

The FortiWeb operation mode determines which device is the SSL terminator. It is either:

  • The FortiWeb (if doing SSL offloading)
  • The web server (if FortiWeb is doing only SSL inspection)

When FortiWeb is the SSL terminator, FortiWeb controls which ciphers are allowed. For details, see SSL offloading cipher suites and protocols (Reverse Proxy and True Transparent Proxy).

When the web server is the terminator, it controls which ciphers are allowed. If it selects a cipher that FortiWeb does not support, FortiWeb cannot perform the SSL inspection task. For details, see SSL inspection cipher suites and protocols (offline and Transparent Inspection).

SSL offloading cipher suites and protocols (Reverse Proxy and True Transparent Proxy)

If you have configured SSL offloading for your FortiWeb operating in Reverse Proxy mode, you can specify which protocols a server policy allows and whether the set of cipher suites it supports is medium-level security, high-level security or a customized set. For details, see Configuring an HTTP server policy.

In True Transparent Proxy mode, you can specify these same advanced SSL settings to configure offloading for a server pool member. For details, see Creating an HTTP server pool.

Selecting the supported cipher suites using the advanced SSL settings

The SSL/TLS encryption level in the advanced SSL settings provides the following options:

High/medium SSL/TLS encryption levels
Cipher TLS 1.3 TLS 1.2 TLS 1.0, 1.1
AES_256_GCM_SHA384 Yes    
CHACHA20_POLY1305_SHA256 Yes    
AES_128_GCM_SHA256 Yes    
ECDHE-RSA-AES256-GCM-SHA384   Yes  
DHE-RSA-AES256-GCM-SHA384   Yes  
ECDHE-RSA-CHACHA20-POLY1305   Yes  
DHE-RSA-CHACHA20-POLY1305   Yes  
DHE-RSA-AES256-CCM8   Yes  
DHE-RSA-AES256-CCM   Yes  
ECDHE-RSA-AES128-GCM-SHA256   Yes  
DHE-RSA-AES128-GCM-SHA256   Yes  
DHE-RSA-AES128-CCM8   Yes  
DHE-RSA-AES128-CCM   Yes  
ECDHE-RSA-AES256-SHA384   Yes  
DHE-RSA-AES256-SHA256   Yes  
ECDHE-RSA-CAMELLIA256-SHA384   Yes  
DHE-RSA-CAMELLIA256-SHA256   Yes  
ECDHE-RSA-AES128-SHA256   Yes  
DHE-RSA-AES128-SHA256   Yes  
ECDHE-RSA-CAMELLIA128-SHA256   Yes  
DHE-RSA-CAMELLIA128-SHA256   Yes  

DHE-RSA-CAMELLIA128-SHA

 

Yes

Yes

ECDHE-RSA-AES256-SHA   Yes Yes
DHE-RSA-AES256-SHA   Yes Yes
DHE-RSA-CAMELLIA256-SHA   Yes Yes
ECDHE-RSA-AES128-SHA   Yes Yes
DHE-RSA-AES128-SHA   Yes Yes
AES256-GCM-SHA384   Yes  
AES256-CCM8   Yes  
AES256-CCM   Yes  
AES128-GCM-SHA256   Yes  
AES128-CCM8   Yes  
AES128-CCM   Yes  
AES256-SHA256   Yes  
CAMELLIA256-SHA256   Yes  

CAMELLIA256-SHA

 

Yes

Yes

CAMELLIA128-SHA

 

Yes

Yes

AES128-SHA256   Yes  
CAMELLIA128-SHA256   Yes  
AES256-SHA   Yes Yes
AES128-SHA   Yes Yes
ECDHE-ECDSA-AES256-GCM-SHA384   Yes  
ECDHE-ECDSA-CHACHA20-POLY1305   Yes  
ECDHE-ECDSA-AES256-CCM8   Yes  
ECDHE-ECDSA-AES256-CCM   Yes  
ECDHE-ECDSA-AES128-GCM-SHA256   Yes  
ECDHE-ECDSA-AES128-CCM8   Yes  
ECDHE-ECDSA-AES128-CCM   Yes  
ECDHE-ECDSA-AES256-SHA384   Yes  
ECDHE-ECDSA-CAMELLIA256-SHA384   Yes  
ECDHE-ECDSA-AES128-SHA256   Yes  
ECDHE-ECDSA-CAMELLIA128-SHA256   Yes  
ECDHE-ECDSA-AES256-SHA   Yes Yes
ECDHE-ECDSA-AES128-SHA   Yes Yes
DHE-DSS-AES256-GCM-SHA384   Yes  
DHE-DSS-AES128-GCM-SHA256   Yes  
DHE-DSS-AES256-SHA256   Yes  
DHE-DSS-CAMELLIA256-SHA256   Yes  
DHE-DSS-AES128-SHA256   Yes  
DHE-DSS-CAMELLIA128-SHA256   Yes  

DHE-DSS-CAMELLIA128-SHA

 

Yes

 

DHE-DSS-AES256-SHA   Yes Yes
DHE-DSS-CAMELLIA256-SHA   Yes Yes
DHE-DSS-AES128-SHA   Yes Yes

ECDHE-ARIA128-GCM-SHA256

 

Yes

 

DHE-RSA-ARIA128-GCM-SHA256

 

Yes

 

DHE-RSA-ARIA256-GCM-SHA384

 

Yes

 

ECDHE-ARIA256-GCM-SHA384

 

Yes

 

ARIA256-GCM-SHA384

 

Yes

 

ARIA128-GCM-SHA256

 

Yes

 

ECDHE-ECDSA-ARIA256-GCM-SHA384

 

Yes

 

ECDHE-ECDSA-ARIA128-GCM-SHA256

 

Yes

 

DHE-DSS-ARIA256-GCM-SHA384

 

Yes

 

DHE-DSS-ARIA128-GCM-SHA256

 

Yes

 

Medium-only SSL/TLS encryption levels
Cipher TLS 1.3 TLS 1.2 TLS 1.0, 1.1
DHE-RSA-SEED-SHA   Yes Yes
DHE-DSS-SEED-SHA   Yes Yes
IDEA-CBC-SHA     Yes
SEED-SHA   Yes Yes
DHE-DSS-SEED-SHA   Yes Yes
IDEA-CBC-SHA   Yes Yes
SEED-SHA   Yes Yes

Generally speaking, for security reasons, SHA-1 is preferable, although you may not be able to use it for client compatibility reasons. Avoid using:

  • Older hash algorithms, such as MD5. To disable MD5, for SSL/TLS encryption level, select High.
  • Encryption bit strengths less than 128
  • Older styles of renegotiation (These are vulnerable to Man-in-the-Middle (MITM) attacks.)
  • Client-initiated renegotiation. Configure Configuring an HTTP server policy.
Customized-only SSL/TLS encryption levels
Cipher TLS 1.3 TLS 1.2 TLS 1.0, 1.1
AES_128_CCM_SHA256 Yes    
AES_128_CCM_8_SHA256 Yes    

ECDHE_RSA_DES_CBC3_SHA

 

Yes

Yes

DES_CBC3_SHA

 

Yes

Yes

SSL inspection cipher suites and protocols (offline and Transparent Inspection)

In Transparent Inspection and Offline Protection modes, if the client and server communicate using a cipher that FortiWeb does not support, FortiWeb cannot perform the SSL inspection task.

If you are not sure which cipher suites your web server supports, you can use a client-side tool to test. For details, see Checking the SSL/TLS handshake & encryption.

Supported ciphers for offline and Transparent Inspection
Cipher TLS 1.2 TLS 1.0, 1.1
AES128-SHA Yes Yes
AES256-SHA Yes Yes
AES128-SHA256 Yes  
AES256-SHA256 Yes  
AES256-GCM-SHA384 Yes  
AES128-GCM-SHA256 Yes  
CAMELLIA256-SHA Yes Yes
SEED-SHA Yes Yes
In offline and Transparent Inspection mode, FortiWeb does not support Ephemeral Diffie-Hellman key exchanges, which may be accepted by clients such as Google Chrome.
See also

Supported cipher suites & protocol versions

How secure is an HTTPS connection?

There are physical considerations, such as restricting access to private keys and decrypted traffic. Another part is the encryption. For details, see Offloading vs. inspection.

A secure connection’s protocol version and cipher suite, including encryption bit strength and encryption algorithms, is negotiated between the client and the SSL/TLS terminator during the handshake.

The FortiWeb operation mode determines which device is the SSL terminator. It is either:

  • The FortiWeb (if doing SSL offloading)
  • The web server (if FortiWeb is doing only SSL inspection)

When FortiWeb is the SSL terminator, FortiWeb controls which ciphers are allowed. For details, see SSL offloading cipher suites and protocols (Reverse Proxy and True Transparent Proxy).

When the web server is the terminator, it controls which ciphers are allowed. If it selects a cipher that FortiWeb does not support, FortiWeb cannot perform the SSL inspection task. For details, see SSL inspection cipher suites and protocols (offline and Transparent Inspection).

SSL offloading cipher suites and protocols (Reverse Proxy and True Transparent Proxy)

If you have configured SSL offloading for your FortiWeb operating in Reverse Proxy mode, you can specify which protocols a server policy allows and whether the set of cipher suites it supports is medium-level security, high-level security or a customized set. For details, see Configuring an HTTP server policy.

In True Transparent Proxy mode, you can specify these same advanced SSL settings to configure offloading for a server pool member. For details, see Creating an HTTP server pool.

Selecting the supported cipher suites using the advanced SSL settings

The SSL/TLS encryption level in the advanced SSL settings provides the following options:

High/medium SSL/TLS encryption levels
Cipher TLS 1.3 TLS 1.2 TLS 1.0, 1.1
AES_256_GCM_SHA384 Yes    
CHACHA20_POLY1305_SHA256 Yes    
AES_128_GCM_SHA256 Yes    
ECDHE-RSA-AES256-GCM-SHA384   Yes  
DHE-RSA-AES256-GCM-SHA384   Yes  
ECDHE-RSA-CHACHA20-POLY1305   Yes  
DHE-RSA-CHACHA20-POLY1305   Yes  
DHE-RSA-AES256-CCM8   Yes  
DHE-RSA-AES256-CCM   Yes  
ECDHE-RSA-AES128-GCM-SHA256   Yes  
DHE-RSA-AES128-GCM-SHA256   Yes  
DHE-RSA-AES128-CCM8   Yes  
DHE-RSA-AES128-CCM   Yes  
ECDHE-RSA-AES256-SHA384   Yes  
DHE-RSA-AES256-SHA256   Yes  
ECDHE-RSA-CAMELLIA256-SHA384   Yes  
DHE-RSA-CAMELLIA256-SHA256   Yes  
ECDHE-RSA-AES128-SHA256   Yes  
DHE-RSA-AES128-SHA256   Yes  
ECDHE-RSA-CAMELLIA128-SHA256   Yes  
DHE-RSA-CAMELLIA128-SHA256   Yes  

DHE-RSA-CAMELLIA128-SHA

 

Yes

Yes

ECDHE-RSA-AES256-SHA   Yes Yes
DHE-RSA-AES256-SHA   Yes Yes
DHE-RSA-CAMELLIA256-SHA   Yes Yes
ECDHE-RSA-AES128-SHA   Yes Yes
DHE-RSA-AES128-SHA   Yes Yes
AES256-GCM-SHA384   Yes  
AES256-CCM8   Yes  
AES256-CCM   Yes  
AES128-GCM-SHA256   Yes  
AES128-CCM8   Yes  
AES128-CCM   Yes  
AES256-SHA256   Yes  
CAMELLIA256-SHA256   Yes  

CAMELLIA256-SHA

 

Yes

Yes

CAMELLIA128-SHA

 

Yes

Yes

AES128-SHA256   Yes  
CAMELLIA128-SHA256   Yes  
AES256-SHA   Yes Yes
AES128-SHA   Yes Yes
ECDHE-ECDSA-AES256-GCM-SHA384   Yes  
ECDHE-ECDSA-CHACHA20-POLY1305   Yes  
ECDHE-ECDSA-AES256-CCM8   Yes  
ECDHE-ECDSA-AES256-CCM   Yes  
ECDHE-ECDSA-AES128-GCM-SHA256   Yes  
ECDHE-ECDSA-AES128-CCM8   Yes  
ECDHE-ECDSA-AES128-CCM   Yes  
ECDHE-ECDSA-AES256-SHA384   Yes  
ECDHE-ECDSA-CAMELLIA256-SHA384   Yes  
ECDHE-ECDSA-AES128-SHA256   Yes  
ECDHE-ECDSA-CAMELLIA128-SHA256   Yes  
ECDHE-ECDSA-AES256-SHA   Yes Yes
ECDHE-ECDSA-AES128-SHA   Yes Yes
DHE-DSS-AES256-GCM-SHA384   Yes  
DHE-DSS-AES128-GCM-SHA256   Yes  
DHE-DSS-AES256-SHA256   Yes  
DHE-DSS-CAMELLIA256-SHA256   Yes  
DHE-DSS-AES128-SHA256   Yes  
DHE-DSS-CAMELLIA128-SHA256   Yes  

DHE-DSS-CAMELLIA128-SHA

 

Yes

 

DHE-DSS-AES256-SHA   Yes Yes
DHE-DSS-CAMELLIA256-SHA   Yes Yes
DHE-DSS-AES128-SHA   Yes Yes

ECDHE-ARIA128-GCM-SHA256

 

Yes

 

DHE-RSA-ARIA128-GCM-SHA256

 

Yes

 

DHE-RSA-ARIA256-GCM-SHA384

 

Yes

 

ECDHE-ARIA256-GCM-SHA384

 

Yes

 

ARIA256-GCM-SHA384

 

Yes

 

ARIA128-GCM-SHA256

 

Yes

 

ECDHE-ECDSA-ARIA256-GCM-SHA384

 

Yes

 

ECDHE-ECDSA-ARIA128-GCM-SHA256

 

Yes

 

DHE-DSS-ARIA256-GCM-SHA384

 

Yes

 

DHE-DSS-ARIA128-GCM-SHA256

 

Yes

 

Medium-only SSL/TLS encryption levels
Cipher TLS 1.3 TLS 1.2 TLS 1.0, 1.1
DHE-RSA-SEED-SHA   Yes Yes
DHE-DSS-SEED-SHA   Yes Yes
IDEA-CBC-SHA     Yes
SEED-SHA   Yes Yes
DHE-DSS-SEED-SHA   Yes Yes
IDEA-CBC-SHA   Yes Yes
SEED-SHA   Yes Yes

Generally speaking, for security reasons, SHA-1 is preferable, although you may not be able to use it for client compatibility reasons. Avoid using:

  • Older hash algorithms, such as MD5. To disable MD5, for SSL/TLS encryption level, select High.
  • Encryption bit strengths less than 128
  • Older styles of renegotiation (These are vulnerable to Man-in-the-Middle (MITM) attacks.)
  • Client-initiated renegotiation. Configure Configuring an HTTP server policy.
Customized-only SSL/TLS encryption levels
Cipher TLS 1.3 TLS 1.2 TLS 1.0, 1.1
AES_128_CCM_SHA256 Yes    
AES_128_CCM_8_SHA256 Yes    

ECDHE_RSA_DES_CBC3_SHA

 

Yes

Yes

DES_CBC3_SHA

 

Yes

Yes

SSL inspection cipher suites and protocols (offline and Transparent Inspection)

In Transparent Inspection and Offline Protection modes, if the client and server communicate using a cipher that FortiWeb does not support, FortiWeb cannot perform the SSL inspection task.

If you are not sure which cipher suites your web server supports, you can use a client-side tool to test. For details, see Checking the SSL/TLS handshake & encryption.

Supported ciphers for offline and Transparent Inspection
Cipher TLS 1.2 TLS 1.0, 1.1
AES128-SHA Yes Yes
AES256-SHA Yes Yes
AES128-SHA256 Yes  
AES256-SHA256 Yes  
AES256-GCM-SHA384 Yes  
AES128-GCM-SHA256 Yes  
CAMELLIA256-SHA Yes Yes
SEED-SHA Yes Yes
In offline and Transparent Inspection mode, FortiWeb does not support Ephemeral Diffie-Hellman key exchanges, which may be accepted by clients such as Google Chrome.
See also