New features in FortiOS 5.2.8
TLS 1.2 support for SSL offloading (241817)
You can use the following command to configure SSL offloading to support TLS 1.2:
config firewall vip
    edit <name>
        set type server-load-balance
        set server-type https
        set ssl-min-version tls-1.2
        set ssl-max-version tls-1.2
        ...
The default ssl-min-version is still ssl-3.0 and the default ssl-max-version is still tls-1.0, so you have to specifically set at least ssl-max-version to tls-1.2 to enable TLS 1.2 support.
The following AES-GCM TLS 1.2-only cipher suites have also been added. These cipher suites are not supported by the CPx or NPx processors, so if you select one of them, all processing is done without hardware acceleration.
TLS 1.2 support does not require setting ssl-algorithm to custom and configuring a custom cipher suite.
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-256-GCM-SHA384
You can use the following command to select one of these cipher suites:
config firewall vip
    edit <name>
        set type server-load-balance
        set server-type https
        set ssl-max-version tls-1.2
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 100
                set cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
                ...
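A practical way to confirm that a VIP really negotiates TLS 1.2 and one of the intended suites is to connect with openssl s_client from a client and compare the reported protocol and cipher with the VIP's ssl-min-version, ssl-max-version and ssl-cipher-suites settings. The script below is an added example, not part of the release note or of FortiOS; it covers both the version-range setting and the custom cipher-suite setting described above. The VIP is represented as a plain dict whose keys mirror the CLI keywords (a hypothetical shape chosen for the example), the s_client session block is a constructed sample, and the FortiOS-to-OpenSSL cipher-name conversion follows OpenSSL's naming (the WITH- token is dropped, AES-128 becomes AES128, and plain RSA suites lose their key-exchange prefix).

```python
import re

# FortiOS ssl-min-version / ssl-max-version keywords, oldest first
VERSION_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2"]
# FortiOS 5.2.8 defaults quoted by the release note
DEFAULT_MIN, DEFAULT_MAX = "ssl-3.0", "tls-1.0"
# Protocol names as printed in openssl s_client's "SSL-Session:" block
OPENSSL_PROTO = {"SSLv3": "ssl-3.0", "TLSv1": "tls-1.0",
                 "TLSv1.1": "tls-1.1", "TLSv1.2": "tls-1.2"}


def forti_to_openssl(name):
    """Convert a FortiOS cipher-suite name such as
    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 to the name OpenSSL prints for the
    same suite (ECDHE-RSA-AES128-GCM-SHA256), so handshake output can be
    compared with the VIP's ssl-cipher-suites list."""
    if name.startswith("TLS-"):
        name = name[4:]
    kx, _, rest = name.partition("-WITH-")
    rest = re.sub(r"AES-(\d+)-", r"AES\1-", rest)   # AES-128-GCM -> AES128-GCM
    return rest if kx == "RSA" else f"{kx}-{rest}"  # OpenSSL omits the plain-RSA prefix


def parse_s_client(output):
    """Pull protocol and cipher out of an openssl s_client session summary."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M).group(1)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M).group(1)
    return OPENSSL_PROTO.get(proto, proto), cipher


def check_offload(vip, s_client_output):
    """Compare a VIP's TLS settings (dict of CLI keys, hypothetical shape)
    with a handshake observed from a client; return a list of findings."""
    lo = vip.get("ssl-min-version", DEFAULT_MIN)
    hi = vip.get("ssl-max-version", DEFAULT_MAX)
    proto, cipher = parse_s_client(s_client_output)
    findings = []
    if proto not in VERSION_ORDER:
        findings.append(f"unrecognized protocol {proto}")
    elif not (VERSION_ORDER.index(lo) <= VERSION_ORDER.index(proto)
              <= VERSION_ORDER.index(hi)):
        findings.append(f"negotiated {proto} outside configured range {lo}..{hi}")
    if hi != "tls-1.2":
        findings.append(f"ssl-max-version is {hi}: TLS 1.2 is not enabled on this VIP")
    if vip.get("ssl-algorithm") == "custom":
        allowed = {forti_to_openssl(c) for c in vip.get("ssl-cipher-suites", [])}
        if cipher not in allowed:
            findings.append(f"cipher {cipher} is not in the VIP's custom suite list")
    if "GCM" in cipher:
        # The release note states the AES-GCM suites bypass CPx/NPx acceleration
        findings.append(f"{cipher} is an AES-GCM suite: handled without CPx/NPx acceleration")
    return findings


# Constructed sample: the VIP from the release note, as key/value pairs
TLS12_VIP = {
    "type": "server-load-balance", "server-type": "https",
    "ssl-min-version": "tls-1.2", "ssl-max-version": "tls-1.2",
    "ssl-algorithm": "custom",
    "ssl-cipher-suites": ["TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
                          "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"],
}
# Constructed sample: a VIP left at the 5.2.8 defaults (ssl-3.0 .. tls-1.0)
DEFAULT_VIP = {"type": "server-load-balance", "server-type": "https"}

# Constructed sample of the session block printed by
#   openssl s_client -connect <vip-address>:443 -tls1_2
SAMPLE_S_CLIENT = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 1A2B
"""

if __name__ == "__main__":
    for label, vip in (("tls12", TLS12_VIP), ("default", DEFAULT_VIP)):
        print(label, check_offload(vip, SAMPLE_S_CLIENT))
```

Run against the TLS 1.2 VIP the only finding is the hardware-acceleration note; run against a VIP still at the defaults it reports that the observed TLS 1.2 handshake is outside the configured ssl-3.0..tls-1.0 range and that ssl-max-version has not been raised, which is the symptom to look for when a VIP does not behave as the configuration suggests.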