Supported cipher suites & protocol versions
How secure is an HTTPS connection?
This is partially physical considerations such as restricting access to private keys and decrypted traffic (see
“Offloading vs. inspection”). Another part is the encryption.
A secure connection’s protocol version and cipher suite, including encryption bit strength and encryption algorithms, is negotiated between the client and the SSL/TLS terminator during the handshake.
The FortiWeb operation mode determines which device is the SSL terminator. It is either:
• the FortiWeb (if doing SSL offloading)
• the web server (if FortiWeb is doing only SSL inspection)
When FortiWeb is the SSL terminator, FortiWeb controls which ciphers are allowed (see
“SSL offloading cipher suites and protocols (reverse proxy and true transparent proxy)”).
When the web server is the terminator, it controls which ciphers are allowed (see
“SSL inspection cipher suites and protocols (offline and transparent inspection)”). If it selects a cipher that FortiWeb does not support, FortiWeb cannot perform the SSL inspection task.
SSL offloading cipher suites and protocols (reverse proxy and true transparent proxy)
If you have configured SSL offloading for your FortiWeb operating in reverse proxy mode, you can specify both which protocols it allows and whether the supported set of cipher suites create a medium-level or high-level security environment. In true transparent proxy mode, you can specify these same advanced SSL settings to configure offloading for a server pool member. For information on accessing these settings, see
“Configuring a server policy” and
“Creating a server pool”.
The SSL/TLS encryption level in the advanced SLL settings provides the following two options:
• High — Supports the ciphers listed in
Table 35 • Medium — Supports all ciphers supported by the high encryption level, plus the additional ciphers listed
in
see
Table 36 Table 35: High/medium SSL/TLS encryption levels
Cipher | TLS 1.2 | TLS 1.0, 1.1 | SSL 3.0 |
ECDHE-RSA-AES256-GCM-SHA384 | Yes | | |
ECDHE-RSA-AES256-SHA384 | Yes | | |
ECDHE-RSA-AES256-SHA | Yes | Yes | |
DHE-RSA-AES256-GCM-SHA384 | Yes | | |
DHE-RSA-AES256-SHA256 | Yes | | |
DHE-RSA-AES256—SHA | Yes | Yes | Yes |
DHE-RSA-CAMELLIA256-SHA | Yes | Yes | Yes |
AES256-GCM-SHA384 | Yes | | |
AES256-SHA256 | Yes | | |
AES256-SHA | Yes | Yes | Yes |
CAMELLIA256-SHA | Yes | Yes | Yes |
ECDHE-RSA-AES128-GCM-SHA256 | Yes | | |
ECDHE-RSA-AES128-SHA256 | Yes | | |
ECDHE-RSA-AES128-SHA | Yes | Yes | |
DHE-RSA-AES128-GCM-SHA256 | Yes | | |
DHE-RSA-AES128-SHA256 | Yes | | |
DHE-RSA-AES128-SHA | Yes | Yes | Yes |
DHE-RSA-CAMELLIA128-SHA | Yes | Yes | Yes |
AES128-GCM-SHA256 | Yes | | |
AES128-SHA256 | Yes | | |
AES128-SHA | Yes | Yes | Yes |
CAMELLIA128-SHA | Yes | Yes | Yes |
ECDHE-RSA-DES-CBC3-SHA | Yes | Yes | |
EDH-RSA-DES-CBC3-SHA | Yes | Yes | Yes |
DES-CBC3-SHA | Yes | Yes | Yes |
Table 36: Medium-only SSL/TLS encryption levels
Cipher | TLS 1.2 | TLS 1.0, 1.1 | SSL 3.0 |
DHE-RSA-SEED-SHA | Yes | Yes | Yes |
SEED-SHA | Yes | Yes | Yes |
IDEA-CBC-SHA | Yes | Yes | Yes |
ECDHE-RSA-RC4-SHA | Yes | Yes | |
RC4-SHA | Yes | Yes | Yes |
RC4-MD5 | Yes | Yes | Yes |
Generally speaking, for security reasons, SHA-1 is preferable, although you may not be able to use it for client compatibility reasons. Avoid using:
• SSL 3.0 or TLS 1.0 (both enabled by default)
• Older hash algorithms, such as MD5. To disable MD5, for SSL/TLS encryption level, select High.
• Ciphers with known vulnerabilities, such as some implementations of RC4, AES and DES (for example, to protect clients with incorrect CBC implementations for AES and DES, configure
Prioritize RC4 Cipher Suite.)
• Encryption bit strengths less than 128
• Older styles of renegotiation (These are vulnerable to man-in-the-middle (MITM) attacks.)
SSL inspection cipher suites and protocols (offline and transparent inspection)
In transparent inspection and offline protection modes, if the client and server communicate using a cipher that FortiWeb does not support, FortiWeb cannot perform the SSL inspection task.
If you are not sure which cipher suites your web server supports, you can use a client-side tool to test. See
“Checking the SSL/TLS handshake & encryption”.
Table 37: Supported ciphers for TLS 1.0 and SSL 3.0
TLS_RSA_WITH_NULL_MD5 |
TLS_RSA_WITH_NULL_SHA |
TLS_RSA_WITH_RC4_128_MD5 |
TLS_RSA_WITH_RC4_128_SHA |
TLS_RSA_WITH_DES_CBC_SHA |
TLS_RSA_WITH_3DES_EDE_CBC_SHA |
TLS_RSA_WITH_AES_128_CBC_SHA |
TLS_RSA_WITH_AES_256_CBC_SHA |
Table 38: Supported ciphers for SSL 2.0
SSL2_DES_192_EDE3_CBC_WITH_MD5 |
SSL2_RC2_CBC_128_CBC_WITH_MD5 |
SSL2_RC4_128_WITH_MD5 |
SSL2_DES_64_CBC_WITH_MD5 |
SSL2_RC2_CBC_128_CBC_WITH_MD5 |
SSL2_RC4_128_EXPORT40_WITH_MD5 |
See also