Supported cipher suites & protocol versions
How secure is an HTTPS connection?
A secure connection’s protocol version and cipher suite, including encryption bit strength and encryption algorithms, is negotiated between the client and the SSL terminator during the handshake. (When you connect to the web UI via HTTPS, your FortiRecorder appliance is the SSL terminator.) Because security settings must agree, the result depends both on the appliance and your web browser.
FortiRecorder supports:
• SSL 2.0
• RC4-MD5 — 40-bit & 128-bit
• SSL 3.0
• AES-SHA — 256-bit & 128-bit
• CAMELLIA-SHA — 128-bit & 256-bit
• DES-CBC3-SHA — 168-bit
• DES-CBC-SHA — 40-bit & 56-bit
• DHE-RSA-AES-SHA — 256-bit & 128-bit
• DHE-RSA-CAMELLIA-SHA — 256-bit & 128-bit
• DHE-RSA-SEED-SHA — 128-bit
• EDH-RSA-DES-CBC3-SHA — 168-bit
• EDH-RSA-DES-CBC-SHA — 40-bit & 56-bit
• RC4-SHA — 128-bit
• RC4-MD5 — 40-bit & 128-bit
• SEED-SHA — 128-bit
• TLS 1.0
• AES-SHA — 256-bit & 128-bit
• CAMELLIA-SHA — 128-bit & 256-bit
• DES-CBC3-SHA — 168-bit
• DES-CBC-SHA — 40-bit & 56-bit
• DHE-RSA-AES-SHA — 256-bit & 128-bit
• DHE-RSA-CAMELLIA-SHA — 256-bit & 128-bit
• DHE-RSA-SEED-SHA — 128-bit
• EDH-RSA-DES-CBC3-SHA — 168-bit
• EDH-RSA-DES-CBC-SHA — 40-bit & 56-bit
• RC4-SHA — 128-bit
• RC4-MD5 — 40-bit & 128-bit
• SEED-SHA — 128-bit
AES-256 and SHA-1 are preferable. Generally speaking, for security reasons, avoid using:
• SSL 2.0
• TLS 1.0
• Older hash algorithms, such as MD5. (On modern computers, these can be cracked quickly.)
• Ciphers with known vulnerabilities, such as some implementations of RC4, AES and DES (e.g. To protect clients with incorrect CBC implementations for AES and DES, prioritize RC4.)
• Encryption bit strengths less than 128
• Older styles of re-negotiation (These are vulnerable to man-in-the-middle (MITM) attacks.)