Fortinet Document Library


Administration Guide

FAQ

How do I detect which cipher suite is used for HTTPS connections?

Use sniffing (packet capture) to capture the SSL/TLS traffic and view the “Server Hello” message, which carries the cipher suite the server selected.

For more HTTPS troubleshooting information, see "Supported cipher suites & protocol versions" and "Checking the SSL/TLS handshake & encryption" in the FortiWeb Administration Guide.
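The Server Hello is a fixed-layout handshake message, so the cipher suite can be pulled out of a captured record without a full TLS stack. The following parser is an added example, not part of the FortiWeb documentation: it decodes one TLS record holding a ServerHello (record header, handshake header, version, random, session ID, cipher suite, and the TLS 1.3 supported_versions extension) and reports the negotiated version, the suite name, and whether the suite gives forward secrecy. The sample records are constructed with a small builder; the cipher suite table is a subset of the IANA registry.

```python
import struct

# Subset of IANA TLS cipher suite code points; extend with others you expect to see.
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE, SERVER_HELLO, EXT_SUPPORTED_VERSIONS = 0x16, 0x02, 0x002B


def parse_server_hello(record: bytes) -> dict:
    """Decode one TLS record carrying a ServerHello and return what was negotiated."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a Handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4:
        raise ValueError("record body shorter than declared length")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO:
        raise ValueError("handshake message is not a ServerHello")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        raise ValueError("ServerHello body truncated")

    pos = 0
    server_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                  # legacy_version, then the 32-byte server random
    pos += 1 + hello[pos]          # session_id length byte plus the id itself
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 1                   # cipher suite, then compression method

    # TLS 1.3 keeps legacy_version at 0x0303 and signals the real version in an extension.
    negotiated_version = server_version
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_body_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext_body = hello[pos:pos + ext_body_len]
            pos += ext_body_len
            if ext_type == EXT_SUPPORTED_VERSIONS and len(ext_body) == 2:
                negotiated_version = struct.unpack("!H", ext_body)[0]

    name = CIPHER_SUITES.get(suite, f"unknown (0x{suite:04X})")
    return {
        "version": VERSIONS.get(negotiated_version, f"0x{negotiated_version:04X}"),
        "cipher_suite": name,
        "cipher_suite_id": suite,
        # Ephemeral (EC)DHE suites, and every TLS 1.3 suite, give forward secrecy.
        "forward_secrecy": negotiated_version == 0x0304 or "ECDHE" in name or "_DHE_" in name,
    }


def build_server_hello(version: int, suite: int, session_id: bytes = b"",
                       extensions: bytes = b"") -> bytes:
    """Construct a ServerHello record as a test fixture (the 'random' here is fixed)."""
    hello = (struct.pack("!H", version) + bytes(range(32)) + bytes([len(session_id)])
             + session_id + struct.pack("!H", suite) + b"\x00")
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


# Constructed samples: what a capture of a TLS 1.2, a TLS 1.3 and a legacy ServerHello carries.
SAMPLE_TLS12 = build_server_hello(0x0303, 0xC02F)
SAMPLE_TLS13 = build_server_hello(
    0x0303, 0x1301, session_id=b"\x11" * 32,
    extensions=struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304))
SAMPLE_LEGACY = build_server_hello(0x0301, 0x002F)

if __name__ == "__main__":
    for label, rec in (("TLS 1.2", SAMPLE_TLS12), ("TLS 1.3", SAMPLE_TLS13),
                       ("legacy", SAMPLE_LEGACY)):
        print(label, parse_server_hello(rec))
```

To use it on a real capture, export the bytes of the Server Hello record (from the TCP payload, starting at the 0x16 content-type byte) and pass them to `parse_server_hello`; a TLS 1.3 server advertises 0x0303 in the legacy version field, which is why the parser reads the supported_versions extension before naming the version.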

How can I strengthen my SSL configuration?

The following configuration changes can make SSL more effective in preventing attacks and can improve your website's score for third-party testing tools (for example, the SSL server test provided by Qualys SSL Labs).

Which configuration changes you make depends on your environment. For example, some older clients do not support SHA256.

  • For your website certificate, do the following:

    • If it uses the SHA1 hash function, replace it with one that uses SHA256.

    • Ensure that its key size is 2048-bit.

  • For the server policy (Reverse Proxy mode) or server pool member configuration (True Transparent Proxy mode), specify the following values in the advanced SSL settings:

    • Select Add HSTS Header, and then for Max. Age, enter 15552000.

    • For Supported SSL Protocols, disable SSL 3.0.

    • For SSL/TLS Encryption Level, select High.

    • For Enable Perfect Forward Secrecy, select Yes.

    • Select Disable Client-Initiated SSL Renegotiation.

For details, see "Configuring a server policy" in the FortiWeb Administration Guide.

Use the following CLI command to set the Diffie-Hellman key exchange parameters to 2048 or greater:

config system global
    set dh-params 2048
end

The command is available in FortiWeb 5.3.6 and higher releases. For additional information on using CLI commands, see the FortiWeb CLI Reference:

https://docs.fortinet.com/product/fortiweb/
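The checklist above is easiest to verify from the outside, by comparing what a client actually observes (certificate hash and key size, offered protocols, negotiated suite, DH size, renegotiation, HSTS header) against the recommended values. The audit below is an added example, not FortiWeb code: the two observation dicts are constructed, one for a weak deployment and one that meets every item on the list, and `parse_hsts` handles the cases a bare string comparison misses (absent header, quoted or oddly spaced `max-age`, directive order).

```python
import re

# Thresholds taken from the checklist above.
MIN_HSTS_MAX_AGE = 15552000      # the Max. Age value the FAQ recommends (180 days)
MIN_KEY_BITS = 2048
MIN_DH_BITS = 2048
WEAK_SIGNATURE_HASHES = {"sha1", "md5"}


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value; None if absent or without a valid max-age."""
    if not header_value:
        return None
    max_age, include_subdomains = None, False
    for directive in header_value.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def has_forward_secrecy(cipher_suite):
    """TLS 1.3 suites and (EC)DHE suites use ephemeral key exchange."""
    return (cipher_suite.startswith("TLS_AES") or cipher_suite.startswith("TLS_CHACHA20")
            or "ECDHE" in cipher_suite or "_DHE_" in cipher_suite)


def audit_tls_posture(observed):
    """Return (code, message) findings; an empty list means every checklist item is met."""
    findings = []
    sig_hash = observed.get("cert_signature_hash", "")
    if sig_hash.lower() in WEAK_SIGNATURE_HASHES:
        findings.append(("weak-signature-hash",
                         f"certificate is signed with {sig_hash}; reissue it with SHA256"))
    key_bits = observed.get("cert_key_bits", 0)
    if key_bits < MIN_KEY_BITS:
        findings.append(("small-key", f"certificate key is {key_bits} bits; use {MIN_KEY_BITS}"))
    if "SSL 3.0" in observed.get("protocols", []):
        findings.append(("sslv3-enabled", "SSL 3.0 is offered; disable it under Supported SSL Protocols"))
    if not has_forward_secrecy(observed.get("cipher_suite", "")):
        findings.append(("no-forward-secrecy",
                         "negotiated suite has no ephemeral key exchange; enable Perfect Forward Secrecy"))
    dh_bits = observed.get("dh_bits")
    if dh_bits is not None and dh_bits < MIN_DH_BITS:
        findings.append(("weak-dh", f"DH parameters are {dh_bits} bits; set dh-params to {MIN_DH_BITS} or more"))
    if observed.get("client_renegotiation"):
        findings.append(("client-renegotiation",
                         "client-initiated renegotiation is accepted; select Disable Client-Initiated SSL Renegotiation"))
    hsts = parse_hsts(observed.get("hsts_header"))
    if hsts is None:
        findings.append(("hsts-missing", "no Strict-Transport-Security header; select Add HSTS Header"))
    elif hsts["max_age"] < MIN_HSTS_MAX_AGE:
        findings.append(("hsts-max-age-low",
                         f"HSTS max-age is {hsts['max_age']}; set Max. Age to {MIN_HSTS_MAX_AGE}"))
    return findings


# Constructed observations, as a scanner or a capture would report them.
WEAK_OBSERVATION = {
    "cert_signature_hash": "sha1",
    "cert_key_bits": 1024,
    "protocols": ["SSL 3.0", "TLS 1.0", "TLS 1.2"],
    "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "dh_bits": 1024,
    "client_renegotiation": True,
    "hsts_header": None,
}
HARDENED_OBSERVATION = {
    "cert_signature_hash": "sha256",
    "cert_key_bits": 2048,
    "protocols": ["TLS 1.2", "TLS 1.3"],
    "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "dh_bits": 2048,
    "client_renegotiation": False,
    "hsts_header": "max-age=15552000; includeSubDomains",
}

if __name__ == "__main__":
    for name, obs in (("weak", WEAK_OBSERVATION), ("hardened", HARDENED_OBSERVATION)):
        print(name, audit_tls_posture(obs) or "no findings")
```

The finding codes are stable strings so the audit can feed a ticket or a CI gate; the messages point back at the FortiWeb setting to change. The `dh_bits` check is skipped when the negotiated suite did not use finite-field DH, since there is then no parameter size to measure.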

Why can’t a browser connect securely to my back-end server?

If a browser cannot communicate with a back-end server using SSL or TLS, use the following troubleshooting steps to resolve the problem:

1. Without connecting via FortiWeb, ensure that you can access the server using HTTPS.

2. Ensure that your browser supports HTTP Strict Transport Security (HSTS). For example, the following web page provides compatibility tables for various web browser versions:

http://caniuse.com/stricttransportsecurity

3. Ensure that the FortiWeb response includes the strict transport security header.

To add this header, select Add HSTS Header in the server policy or server pool configuration. For details, see "Configuring a server policy" or "Creating a server pool" in FortiWeb Administration Guide.

4. Use the following to ensure that the server certificate is trusted:

  • If the certificate is signed by an intermediate certificate authority (CA), the intermediate CA is signed by a root CA.

  • The root CA is listed in your browser’s store of trusted certificates.

  • The domain name or IP address is consistent with the certificate subject.

For details, see "Uploading a server certificate" in FortiWeb Administration Guide.
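The three conditions in step 4 can be checked programmatically against the certificate chain a client receives. The code below is an added example, not FortiWeb code: certificates are represented in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns (subject and issuer as tuples of RDNs, `subjectAltName` as `(type, value)` pairs), the root, intermediate and server certificates are constructed, and `diagnose_trust` reports which condition fails, including the wildcard and IP-literal cases of the name check.

```python
import ipaddress

# Constructed chain in the dict layout that ssl.SSLSocket.getpeercert() returns.
ROOT_CA = {
    "subject": ((("commonName", "Example Root CA"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
}
INTERMEDIATE_CA = {
    "subject": ((("commonName", "Example Intermediate CA"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
}
SERVER_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "203.0.113.10")),
}


def _common_name(name):
    """Extract commonName from a getpeercert()-style distinguished name."""
    return {k: v for rdn in name for k, v in rdn}.get("commonName")


def _dns_name_matches(pattern, host):
    """RFC 6125 style: exact match, or a wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must not match the bare domain or more than one label.
    return (len(p_labels) == len(h_labels) and len(h_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def hostname_matches(cert, host):
    """True if host (DNS name or IP literal) is covered by the SAN list,
    or by the CN when the certificate carries no DNS SAN at all."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in sans)
    dns_names = [v for t, v in sans if t == "DNS"]
    if dns_names:
        return any(_dns_name_matches(p, host) for p in dns_names)
    cn = _common_name(cert.get("subject", ()))
    return cn is not None and _dns_name_matches(cn, host)


def chain_links_to_trusted_root(chain, trusted_roots):
    """chain is leaf-first. Every issuer must be the next certificate's subject, and the
    top of the chain must be, or be issued by, a root present in the trust store."""
    if not chain:
        return False
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer_cert["subject"]:
            return False
    root_subjects = {r["subject"] for r in trusted_roots}
    top = chain[-1]
    return top["subject"] in root_subjects or top["issuer"] in root_subjects


def diagnose_trust(chain, trusted_roots, host):
    """Return the step-4 conditions that fail; an empty list means the chain and name check out."""
    problems = []
    if not chain_links_to_trusted_root(chain, trusted_roots):
        problems.append("chain does not link to a root CA in the trust store")
    if not chain or not hostname_matches(chain[0], host):
        problems.append("host name or IP address does not match the certificate subject")
    return problems


if __name__ == "__main__":
    full_chain = [SERVER_CERT, INTERMEDIATE_CA]
    print("full chain, www:", diagnose_trust(full_chain, [ROOT_CA], "www.example.com"))
    print("missing intermediate:", diagnose_trust([SERVER_CERT], [ROOT_CA], "www.example.com"))
    print("wrong name:", diagnose_trust(full_chain, [ROOT_CA], "deep.api.example.com"))
```

Name checking only consults the subject's CN when there is no DNS SAN, which is how current browsers behave; a server that sends only its leaf and relies on the client to already hold the intermediate will fail the chain check here, which is the usual cause of "works in one browser, fails in another".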

How to back up & restore private keys

  • Refer to Admin Guide > How to set up your FortiWeb > Secure connections > How to export/backup certificates & private keys.

  • Local certificates are stored at: /data/etc/cert/local/root

    /data/etc/cert/local/root# ls
    FortiWeb_CA.cer  server_2048.cer  server_4096.cer
    FortiWeb_CA.key  server_2048.key  server_4096.key

Keys are stored encrypted. During the encryption process, each key file is converted into a matrix representation, and matrix transformations and hashing algorithms are applied to protect it.
