Fortinet black logo

User Guide

Home FortiWeb Cloud User Guide

Supported cipher suites & protocol versions

Copy Link
Copy Doc ID a9687b55-f2f2-11ee-8c42-fa163e15d75b:742465
Download PDF

Supported cipher suites & protocol versions

A secure connection’s protocol version and cipher suite, including encryption bit strength and encryption algorithms, is negotiated between the client and the SSL/TLS terminator during the handshake.

The SSL/TLS Encryption Level controls how many ciphers are supported and the settings provides the following options:

  • Mozilla-Modern: For services with clients that support TLS 1.3 and don't need backward compatibility, Mozilla-Modern is the recommended configuration as it provides an extremely high level of security.

  • Mozilla-Intermediate: For services that don't need compatibility with legacy clients such as Windows XP or old versions of OpenSSL, Mozilla-Intermediate is the recommended configuration as it is highly secure and in the meanwhile compatible with nearly every client released in the last five (or more) years.

  • Mozilla-Old: For services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8. Mozilla-old is the recommended configuration as it is compatible with most of the clients.

  • Customized – Supports a customizable list of all ciphers.

Ciphers supported by Mozilla-Modern/Intermediate/Old levels
Cipher

Mozilla

Modern

 Mozilla Intermediate

Mozilla

Old
TLS_AES_256_GCM_SHA384 Yes Yes Yes
TLS_CHACHA20_POLY1305_SHA256 Yes Yes Yes
TLS_AES_128_GCM_SHA256 Yes Yes Yes

ECDHE-ECDSA-AES128-GCM-SHA256

 Yes Yes

ECDHE-RSA-AES128-GCM-SHA256

 Yes Yes

ECDHE-ECDSA-AES256-GCM-SHA384

 Yes Yes

ECDHE-RSA-AES256-GCM-SHA384

 Yes Yes

ECDHE-ECDSA-CHACHA20-POLY1305

 Yes Yes

ECDHE-RSA-CHACHA20-POLY1305

 Yes Yes

DHE-RSA-AES128-GCM-SHA256

 Yes Yes

DHE-RSA-AES256-GCM-SHA384

 Yes Yes
DHE-RSA-CHACHA20-POLY1305 Yes
ECDHE-ECDSA-AES128-SHA256 Yes
ECDHE-RSA-AES128-SHA256 Yes
ECDHE-ECDSA-AES128-SHA Yes
ECDHE-RSA-AES128-SHA Yes
ECDHE-ECDSA-AES256-SHA384 Yes
ECDHE-RSA-AES256-SHA384 Yes
ECDHE-ECDSA-AES256-SHA Yes
ECDHE-RSA-AES256-SHA Yes
DHE-RSA-AES128-SHA256 Yes
DHE-RSA-AES256-SHA256 Yes
AES128-GCM-SHA256 Yes
AES256-GCM-SHA384 Yes
AES128-SHA256 Yes
AES256-SHA256 Yes
AES128-SHA Yes
AES256-SHA Yes
DES-CBC3-SHA Yes
Previous
Next

Supported cipher suites & protocol versions

A secure connection’s protocol version and cipher suite, including encryption bit strength and encryption algorithms, is negotiated between the client and the SSL/TLS terminator during the handshake.

The SSL/TLS Encryption Level controls how many ciphers are supported and the settings provides the following options:

  • Mozilla-Modern: For services with clients that support TLS 1.3 and don't need backward compatibility, Mozilla-Modern is the recommended configuration as it provides an extremely high level of security.

  • Mozilla-Intermediate: For services that don't need compatibility with legacy clients such as Windows XP or old versions of OpenSSL, Mozilla-Intermediate is the recommended configuration as it is highly secure and in the meanwhile compatible with nearly every client released in the last five (or more) years.

  • Mozilla-Old: For services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8. Mozilla-old is the recommended configuration as it is compatible with most of the clients.

  • Customized – Supports a customizable list of all ciphers.

Ciphers supported by Mozilla-Modern/Intermediate/Old levels
Cipher

Mozilla

Modern

 Mozilla Intermediate

Mozilla

Old
TLS_AES_256_GCM_SHA384 Yes Yes Yes
TLS_CHACHA20_POLY1305_SHA256 Yes Yes Yes
TLS_AES_128_GCM_SHA256 Yes Yes Yes

ECDHE-ECDSA-AES128-GCM-SHA256

 Yes Yes

ECDHE-RSA-AES128-GCM-SHA256

 Yes Yes

ECDHE-ECDSA-AES256-GCM-SHA384

 Yes Yes

ECDHE-RSA-AES256-GCM-SHA384

 Yes Yes

ECDHE-ECDSA-CHACHA20-POLY1305

 Yes Yes

ECDHE-RSA-CHACHA20-POLY1305

 Yes Yes

DHE-RSA-AES128-GCM-SHA256

 Yes Yes

DHE-RSA-AES256-GCM-SHA384

 Yes Yes
DHE-RSA-CHACHA20-POLY1305 Yes
ECDHE-ECDSA-AES128-SHA256 Yes
ECDHE-RSA-AES128-SHA256 Yes
ECDHE-ECDSA-AES128-SHA Yes
ECDHE-RSA-AES128-SHA Yes
ECDHE-ECDSA-AES256-SHA384 Yes
ECDHE-RSA-AES256-SHA384 Yes
ECDHE-ECDSA-AES256-SHA Yes
ECDHE-RSA-AES256-SHA Yes
DHE-RSA-AES128-SHA256 Yes
DHE-RSA-AES256-SHA256 Yes
AES128-GCM-SHA256 Yes
AES256-GCM-SHA384 Yes
AES128-SHA256 Yes
AES256-SHA256 Yes
AES128-SHA Yes
AES256-SHA Yes
DES-CBC3-SHA Yes
Previous
Next