By default, the settings of a FortiGate virtual server are not rated as secure by these test sites: https://internet.nl/site/ or https://www.ssllabs.com/ssltest/analyze.html
The current FortiOS version is 6.4.4, so custom ciphers should not be used, as traffic is no longer processed once they are set (bug?).
The list of findings:
TLS 1.1: phased out
Ciphers phased out (the protocol version reported for each is in brackets):
- ECDHE-ECDSA-DES-CBC3-SHA [1.0]
- ECDHE-RSA-DES-CBC3-SHA [1.0]
- DHE-RSA-DES-CBC3-SHA [1.0]
- AES256-GCM-SHA384 [1.2]
- AES128-GCM-SHA256 [1.2]
- AES256-SHA256 [1.2]
- AES256-SHA [1.0]
- AES128-SHA256 [1.2]
- AES128-SHA [1.0]
- DES-CBC3-SHA [1.0]
DH-2048 key exchange: phased out
Client-initiated renegotiation: allowed
Here are the settings that fix these findings (the two `set` commands that were run together on one line are split, and the entry is closed with `next` before the final `end`):
config firewall vip
    edit <vip_name>
        set ssl-dh-bits 3072
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-AES-256-GCM-SHA384
                set versions tls-1.2 tls-1.3
            next
            edit 2
                set cipher TLS-CHACHA20-POLY1305-SHA256
                set versions tls-1.2 tls-1.3
            next
            edit 3
                set cipher TLS-AES-128-GCM-SHA256
                set versions tls-1.2 tls-1.3
            next
            edit 4
                set cipher TLS-AES-256-GCM-SHA384
                set versions tls-1.2 tls-1.3
            next
            edit 5
                set cipher TLS-CHACHA20-POLY1305-SHA256
                set versions tls-1.2 tls-1.3
            next
            edit 6
                set cipher TLS-AES-128-GCM-SHA256
                set versions tls-1.2 tls-1.3
            next
        end
        set ssl-min-version tls-1.2
        set ssl-client-renegotiation deny
    next
end
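To confirm the VIP behaves as the settings above intend before re-running the scanners, here is a small post-change check. It is an added example, not Fortinet's code or part of the original post: it assumes the FortiOS suite names negotiate as the OpenSSL names Python's `ssl` module reports, and its TLS 1.2 rule generalises the phased-out list (3DES, CBC, and non-forward-secret RSA/DH key exchange fail; ECDHE AEAD suites pass).

```python
import socket
import ssl

# TLS 1.3 suites from the VIP configuration, in the spelling Python's ssl module reports
# (assumption: FortiOS's TLS-AES-256-GCM-SHA384 etc. negotiate as these OpenSSL names).
ALLOWED_TLS13 = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                 "TLS_AES_128_GCM_SHA256"}

def cipher_verdict(version, name):
    """Judge a negotiated (protocol version, OpenSSL cipher name); returns (ok, reason).
    TLS 1.2 rules generalise the phased-out list: 3DES/RC4, CBC (non-AEAD) suites and
    key exchange without forward secrecy (plain RSA, finite-field DHE) all fail."""
    if version not in ("TLSv1.2", "TLSv1.3"):
        return False, f"{version} negotiated but is phased out"
    if version == "TLSv1.3":
        return name in ALLOWED_TLS13, f"TLS 1.3 suite {name}"
    if "DES" in name or "RC4" in name:
        return False, f"{name}: legacy cipher"
    if not name.startswith("ECDHE-"):
        return False, f"{name}: no forward secrecy (RSA or DH key exchange)"
    if "GCM" not in name and "CHACHA20" not in name:
        return False, f"{name}: CBC suite, not AEAD"
    return True, f"{name} acceptable"

def probe(host, port, version, legacy=False):
    """Handshake with exactly one protocol version; None means the server refused it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # testing the policy, not the cert
    ctx.minimum_version = ctx.maximum_version = version
    if legacy:  # modern OpenSSL refuses TLS 1.1 client-side unless its security level is lowered
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    try:
        with socket.create_connection((host, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None

def audit(host, port=443):
    """Return [(check, passed)] for what the VIP settings are meant to enforce."""
    results = [("TLS 1.1 refused", probe(host, port, ssl.TLSVersion.TLSv1_1, legacy=True) is None)]
    for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        hs = probe(host, port, v)
        if hs is None:
            results.append((f"{v.name} handshake (policy allows it)", False))
        else:
            ok, why = cipher_verdict(*hs)
            results.append((why, ok))
    return results
```

Run `audit("<vip_address>")` against the VIP; a refused TLS 1.1 handshake can also be a client-side limitation of the local OpenSSL build, so confirm with `openssl s_client -tls1_1` if that line fails unexpectedly.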