Supported cipher suites & protocol versions

How secure is an HTTPS connection?

This is partially physical considerations such as restricting access to private keys and decrypted traffic (see Offloading vs. inspection). Another part is the encryption.

A secure connection’s protocol version and cipher suite, including encryption bit strength and encryption algorithms, is negotiated between the client and the SSL/TLS terminator during the handshake.

The FortiWeb operation mode determines which device is the SSL terminator. It is either:

the FortiWeb (if doing SSL offloading)
the web server (if FortiWeb is doing only SSL inspection)

When FortiWeb is the SSL terminator, FortiWeb controls which ciphers are allowed (see SSL offloading cipher suites and protocols (reverse proxy and true transparent proxy)).

When the web server is the terminator, it controls which ciphers are allowed (see SSL inspection cipher suites and protocols (offline and transparent inspection)). If it selects a cipher that FortiWeb does not support, FortiWeb cannot perform the SSL inspection task.

SSL offloading cipher suites and protocols (reverse proxy and true transparent proxy)

If you have configured SSL offloading for your FortiWeb operating in reverse proxy mode, you can specify which protocols a server policy allows and whether the set of cipher suites it supports is medium-level security, high-level security or a customized set. (See Configuring a server policy.) In addition, you can enable the ChaCha-Poly1305 cipher suite support for a server policy using a CLI command.

In true transparent proxy mode, you can specify these same advanced SSL settings to configure offloading for a server pool member. (See and Creating a server pool.)

Selecting the supported cipher suites using the advanced SSL settings

The SSL/TLS encryption level in the advanced SSL settings provides the following options:

High — Supports the ciphers listed in High/medium SSL/TLS encryption levels
Medium — Supports all ciphers supported by the high encryption level, plus the additional ciphers listed in the table Medium-only SSL/TLS encryption levels
Customized — Allows you to select the ciphers that the policy supports.

High/medium SSL/TLS encryption levels

Cipher	TLS 1.2	TLS 1.0, 1.1	SSL 3.0
ECDHE-RSA-AES256-GCM-SHA384	Yes
ECDHE-RSA-AES256-SHA384	Yes
ECDHE-RSA-AES256-SHA	Yes	Yes
DHE-RSA-AES256-GCM-SHA384	Yes
DHE-RSA-AES256-SHA256	Yes
DHE-RSA-AES256—SHA	Yes	Yes	Yes
DHE-RSA-CAMELLIA256-SHA	Yes	Yes	Yes
AES256-GCM-SHA384	Yes
AES256-SHA256	Yes
AES256-SHA	Yes	Yes	Yes
CAMELLIA256-SHA	Yes	Yes	Yes
ECDHE-RSA-AES128-GCM-SHA256	Yes
ECDHE-RSA-AES128-SHA256	Yes
ECDHE-RSA-AES128-SHA	Yes	Yes
DHE-RSA-AES128-GCM-SHA256	Yes
DHE-RSA-AES128-SHA256	Yes
DHE-RSA-AES128-SHA	Yes	Yes	Yes
DHE-RSA-CAMELLIA128-SHA	Yes	Yes	Yes
AES128-GCM-SHA256	Yes
AES128-SHA256	Yes
AES128-SHA	Yes	Yes	Yes
CAMELLIA128-SHA	Yes	Yes	Yes
ECDHE-ECDSA-AES256-GCM-SHA384	Yes
ECDHE-ECDSA-AES256-SHA384	Yes
ECDHE-ECDSA-AES256-SHA	Yes	Yes
ECDH-ECDSA-AES256-GCM-SHA384	Yes
ECDH-ECDSA-AES256-SHA384	Yes
ECDH-ECDSA-AES256-SHA	Yes	Yes
ECDHE-ECDSA-AES128-GCM-SHA256	Yes
ECDHE-ECDSA-AES128-SHA256	Yes
ECDHE-ECDSA-AES128-SHA	Yes	Yes
ECDH-ECDSA-AES128-GCM-SHA256	Yes
ECDH-ECDSA-AES128-SHA256	Yes
ECDH-ECDSA-AES128-SHA	Yes	Yes

Medium-only SSL/TLS encryption levels

Cipher	TLS 1.2	TLS 1.0, 1.1	SSL 3.0
DHE-RSA-SEED-SHA	Yes	Yes	Yes
SEED-SHA	Yes	Yes	Yes
IDEA-CBC-SHA	Yes	Yes	Yes
ECDHE-RSA-RC4-SHA	Yes	Yes
RC4-SHA	Yes	Yes	Yes
RC4-MD5	Yes	Yes	Yes
ECDHE-ECDSA-RC4-SHA	Yes	Yes
ECDH-ECDSA-RC4-SHA	Yes	Yes

Generally speaking, for security reasons, SHA-1 is preferable, although you may not be able to use it for client compatibility reasons. Avoid using:

SSL 3.0 or TLS 1.0 (both enabled by default)
Older hash algorithms, such as MD5. To disable MD5, for SSL/TLS encryption level, select High.
Ciphers with known vulnerabilities, such as some implementations of RC4, AES and DES (for example, to protect clients with incorrect CBC implementations for AES and DES, configure Prioritize RC4 Cipher Suite.)
Encryption bit strengths less than 128
Older styles of renegotiation (These are vulnerable to man-in-the-middle (MITM) attacks.)
Client-initiated renegotiation (Configure Disable Client-Initiated SSL Renegotiation.)

Enabling ChaCha-Poly1305 cipher suite support

You can use a CLI command to enable ChaCha-Poly1305 cipher suite support for a server policy. You cannot enable this feature using the web UI.

Support for ChaCha-Poly1305 requires the following configuration:

Enable the high-compatibility-mode setting for the config system global command.

The command uses the following format:

config server-policy policy

edit <policy-name>

set https-service <service-name>

set tls-v12 enable

set ssl-chacha-cipher enable

Enable the TLS1.2 protocol in the server policy.

For more information, see the FortiWeb CLI Reference.

SSL inspection cipher suites and protocols (offline and transparent inspection)

In transparent inspection and offline protection modes, if the client and server communicate using a cipher that FortiWeb does not support, FortiWeb cannot perform the SSL inspection task.

If you are not sure which cipher suites your web server supports, you can use a client-side tool to test. See Checking the SSL/TLS handshake & encryption.

Supported ciphers for offline and transparent inspection

Cipher suite	Cipher	TLS 1.2	TLS 1.0, 1.1	SSL 3.0
TLS_RSA_WITH_RC4_128_MD5	RC4-MD5	Yes	Yes	Yes
TLS_RSA_WITH_RC4_128_SHA	RC4-SHA	Yes	Yes	Yes
TLS_RSA_WITH_DES_CBC_SHA	DES-CBC-SHA	Yes	Yes	Yes
TLS_RSA_WITH_3DES_EDE_CBC_SHA	DES-CBC3-SHA	Yes	Yes	Yes
TLS_RSA_WITH_AES_128_CBC_SHA	AES128-SHA	Yes	Yes	Yes
TLS_RSA_WITH_AES_256_CBC_SHA	AES256-SHA	Yes	Yes	Yes
TLS_RSA_WITH_AES_128_CBC_SHA256	AES128-SHA256	Yes	No	No
TLS_RSA_WITH_AES_256_CBC_SHA256	AES256-SHA256	Yes	No	No
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA	CAMELLIA128-SHA	Yes	Yes	Yes
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA	CAMELLIA256-SHA	Yes	Yes	Yes
TLS_RSA_WITH_SEED_CBC_SHA	SEED-SHA	Yes	Yes	Yes
TLS_RSA_WITH_AES_128_GCM_SHA256	AES128-GCM-SHA256	Yes	No	No
TLS_RSA_WITH_AES_256_GCM_SHA384	AES256-GCM-SHA384	Yes	No	No

In offline and transparent inspection mode, FortiWeb does not support Ephemeral Diffie-Hellman key exchanges, which may be accepted by clients such as Google Chrome.