Fortinet black logo

New Features

7.0.0
7.4.0
7.2.0
7.0.0
6.4.0
6.2.0

Disable weak ciphers in the HTTPS protocol 7.0.2

Disable weak ciphers in the HTTPS protocol 7.0.2

Administrators can select what ciphers to use for TLS 1.3 in administrative HTTPS connections, and what ciphers to ban for TLS 1.2 and below.

To select the ciphers to use for TLS 1.3 and ban for TLS 1.2 and lower:
config system global
    set admin-https-ssl-ciphersuites {TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 TLS-AES-128-CCM-SHA256 TLS-AES-128-CCM-8-SHA256}
    set admin-https-ssl-banned-ciphers {RSA DHE ECDHE DSS ECDSA AES AESGCM CAMELLIA 3DES SHA1 SHA256 SHA384 STATIC CHACHA20 ARIA AESCCM}
end

admin-https-ssl-ciphersuites {TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 TLS-AES-128-CCM-SHA256 TLS-AES-128-CCM-8-SHA256}

Select one or more TLS 1.3 cipher suites to enable. Ciphers in TLS 1.2 and below are not affected. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.

TLS-AES-128-CCM-SHA256 and TLS-AES-128-CCM-8-SHA256 are only available when strong-crypto is disabled.

admin-https-ssl-banned-ciphers {RSA DHE ECDHE DSS ECDSA AES AESGCM CAMELLIA 3DES SHA1 SHA256 SHA384 STATIC CHACHA20 ARIA AESCCM}

Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.
To test connecting from a PC using one of the cipher suites:

  1. Disable strong-crypto and select all five cipher suites:

    config system global
    set admin-https-redirect disable
    set admin-https-ssl-ciphersuites TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 TLS-AES-128-CCM-SHA256 TLS-AES-128-CCM-8-SHA256
    set strong-crypto disable
end

  2. Connect from a PC using TLS_AES_128_CCM_SHA256:

    ~$ openssl s_client -connect 172.16.200.101:443 -tls1_3 -ciphersuites TLS_AES_128_CCM_SHA256
CONNECTED(00000005)
Can't use SSL_get_servername
depth=0 O = Fortinet Ltd., CN = FortiGate
...
---
New, TLSv1.3, Cipher is TLS_AES_128_CCM_SHA256
Server public key is 2048 bit
....

  3. Enable strong-crypto:

    config system global
    set strong-crypto enable
end
TLS cipher suite 'TLS-AES-128-CCM-SHA256' can not be supported so removed.
TLS cipher suite 'TLS-AES-128-CCM-8-SHA256' can not be supported so removed.

  4. Try to connect from the PC again using TLS_AES_128_CCM_SHA256:

    ~$ openssl s_client -connect 172.16.200.101:443 -tls1_3 -ciphersuites TLS_AES_128_CCM_SHA256
CONNECTED(00000005)
139694547268800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
---
no peer certificate available
 ---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 211 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
....

    The connection fails because TLS_AES_128_CCM_SHA256 is not supported when strong-ctrypo is enabled.

Previous
Next

Disable weak ciphers in the HTTPS protocol 7.0.2

Administrators can select what ciphers to use for TLS 1.3 in administrative HTTPS connections, and what ciphers to ban for TLS 1.2 and below.

To select the ciphers to use for TLS 1.3 and ban for TLS 1.2 and lower:
config system global
    set admin-https-ssl-ciphersuites {TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 TLS-AES-128-CCM-SHA256 TLS-AES-128-CCM-8-SHA256}
    set admin-https-ssl-banned-ciphers {RSA DHE ECDHE DSS ECDSA AES AESGCM CAMELLIA 3DES SHA1 SHA256 SHA384 STATIC CHACHA20 ARIA AESCCM}
end

admin-https-ssl-ciphersuites {TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 TLS-AES-128-CCM-SHA256 TLS-AES-128-CCM-8-SHA256}

Select one or more TLS 1.3 cipher suites to enable. Ciphers in TLS 1.2 and below are not affected. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions.

TLS-AES-128-CCM-SHA256 and TLS-AES-128-CCM-8-SHA256 are only available when strong-crypto is disabled.

admin-https-ssl-banned-ciphers {RSA DHE ECDHE DSS ECDSA AES AESGCM CAMELLIA 3DES SHA1 SHA256 SHA384 STATIC CHACHA20 ARIA AESCCM}

Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.
To test connecting from a PC using one of the cipher suites:

  1. Disable strong-crypto and select all five cipher suites:

    config system global
    set admin-https-redirect disable
    set admin-https-ssl-ciphersuites TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 TLS-AES-128-CCM-SHA256 TLS-AES-128-CCM-8-SHA256
    set strong-crypto disable
end

  2. Connect from a PC using TLS_AES_128_CCM_SHA256:

    ~$ openssl s_client -connect 172.16.200.101:443 -tls1_3 -ciphersuites TLS_AES_128_CCM_SHA256
CONNECTED(00000005)
Can't use SSL_get_servername
depth=0 O = Fortinet Ltd., CN = FortiGate
...
---
New, TLSv1.3, Cipher is TLS_AES_128_CCM_SHA256
Server public key is 2048 bit
....

  3. Enable strong-crypto:

    config system global
    set strong-crypto enable
end
TLS cipher suite 'TLS-AES-128-CCM-SHA256' can not be supported so removed.
TLS cipher suite 'TLS-AES-128-CCM-8-SHA256' can not be supported so removed.

  4. Try to connect from the PC again using TLS_AES_128_CCM_SHA256:

    ~$ openssl s_client -connect 172.16.200.101:443 -tls1_3 -ciphersuites TLS_AES_128_CCM_SHA256
CONNECTED(00000005)
139694547268800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
---
no peer certificate available
 ---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 211 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
....

    The connection fails because TLS_AES_128_CCM_SHA256 is not supported when strong-ctrypo is enabled.

Previous
Next