Fortinet white logo
Fortinet white logo

FortiOS Release Notes

SSL traffic over TLS 1.0 will not be checked and will be bypassed by default

SSL traffic over TLS 1.0 will not be checked and will be bypassed by default

FortiOS 6.2.6 and 6.4.3 ended support for TLS 1.0 when strong-crypto is enabled under system global. With this change, SSL traffic over TLS 1.0 will not be checked so it will be bypassed by default.

To examine and/or block TLS 1.0 traffic, an administrator can either:

  • Disable strong-crypto under config system global. This applies to FortiOS 6.2.6 and 6.4.3, or later versions.

  • Under config firewall ssl-ssh-profile, set the following to block in the SSL protocol settings:

    • in FortiOS 6.2.6 and later:

      config firewall ssl-ssh-profile
          edit <name>
              config ssl
                  set unsupported-ssl block
              end
          next
      end
    • in FortiOS 6.4.3 and later:

      config firewall ssl-ssh-profile
          edit <name>
              config ssl
                  set unsupported-ssl-negotiation block
              end
          next
      end

SSL traffic over TLS 1.0 will not be checked and will be bypassed by default

SSL traffic over TLS 1.0 will not be checked and will be bypassed by default

FortiOS 6.2.6 and 6.4.3 ended support for TLS 1.0 when strong-crypto is enabled under system global. With this change, SSL traffic over TLS 1.0 will not be checked so it will be bypassed by default.

To examine and/or block TLS 1.0 traffic, an administrator can either:

  • Disable strong-crypto under config system global. This applies to FortiOS 6.2.6 and 6.4.3, or later versions.

  • Under config firewall ssl-ssh-profile, set the following to block in the SSL protocol settings:

    • in FortiOS 6.2.6 and later:

      config firewall ssl-ssh-profile
          edit <name>
              config ssl
                  set unsupported-ssl block
              end
          next
      end
    • in FortiOS 6.4.3 and later:

      config firewall ssl-ssh-profile
          edit <name>
              config ssl
                  set unsupported-ssl-negotiation block
              end
          next
      end