SSL offloading support for Internet Explorer 6
In some cases the Internet Explorer 6 web browser may not be able to access real servers. To resolve this issue, disable the ssl-send-empty-frags option:
config firewall vip
  edit vip_name
    set ssl-send-empty-frags disable
end
You can disable this option if SSL acceleration will be used with an old or buggy SSL implementation that cannot properly handle empty fragments.
Selecting the cipher suites available for SSL load balancing
You can use the following command to view the complete list of cipher suites available for SSL offloading:
config firewall vip
  edit <vip-name>
    set type server-load-balance
    set server-type https
    set ssl-algorithm custom
    config ssl-cipher-suites
      edit 0
        set cipher ?
In most configurations the matching cipher suite is selected automatically, but you can limit the set of cipher suites that are available for a given SSL offloading configuration. For example, use the following command to limit an SSL load balancing configuration to the three cipher suites that support ChaCha20 and Poly1305:
config firewall vip
  edit <vip-name>
    set type server-load-balance
    set server-type https
    set ssl-algorithm custom
    config ssl-cipher-suites
      edit 1
        set cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
      next
      edit 2
        set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
      next
      edit 3
        set cipher TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
    end
end
Disabling SSL/TLS re-negotiation
The vulnerability CVE-2009-3555 affects all SSL/TLS servers that support re-negotiation. FortiOS, when configured for SSL/TLS offloading, operates as an SSL/TLS server. The IETF is working on a TLS protocol change that will fix the problem identified by CVE-2009-3555 while still supporting re-negotiation. Until that protocol change is available, you can use the ssl-client-renegotiation option to disable support for SSL/TLS re-negotiation. The default value of this option is allow, which allows an SSL client to renegotiate. You can change the setting to deny to abort any attempts by an SSL client to renegotiate. If you select deny, FortiOS terminates the TCP connection as soon as it receives a ClientHello message indicating a re-negotiation from the client.
Since SSL offloading does not support requesting client certificates, the only circumstance in which a re-negotiation is required is when more than 2^32 bytes of data are exchanged over a single handshake. If you are sure that this volume of traffic will not occur, you can disable re-negotiation and avoid any possibility of the attack described in CVE-2009-3555.
The re-negotiation behavior can be tested using OpenSSL. The OpenSSL s_client application lets the user request a renegotiation by typing “R”. For example, the following shows a successful re-negotiation against a FortiGate unit configured with a VIP for 192.168.2.100:443:
$ openssl s_client -connect 192.168.2.100:443
CONNECTED(00000003)
depth=1 /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Fortigate/CN=FW80CM3909604325/emailAddress=support@fortinet.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
 1 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
---
Server certificate
-----BEGIN CERTIFICATE-----
---certificate not shown---
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Fortigate/CN=FW80CM3909604325/emailAddress=support@fortinet.com
issuer=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
---
No client certificate CA names sent
---
SSL handshake has read 2370 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 02781E1E368DCCE97A95396FAA82E8F740F5BBA96CF022F6FEC3597B0CC88095
    Session-ID-ctx:
    Master-Key: A6BBBD8477A2422D56E57C1792A4EA9C86F37D731E67D0A66E5CDB2B5C76650780C0E7F01CFF851EC4466186F4C48397
    Key-Arg : None
    Start Time: 1264453027
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
GET /main.c HTTP/1.0
R
RENEGOTIATING
depth=1 /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
HTTP/1.0 200 ok
Content-type: text/plain
/*
 * Copyright (C) 2004-2007 Fortinet
 */
#include <stdio.h>
#include "vsd_ui.h"
int main(int argc, char **argv)
{
return vsd_ui_main(argc, argv);
}
closed
$
The following is the same test, but this time with the VIP configuration changed to ssl-client-renegotiation deny:
$ openssl s_client -connect 192.168.2.100:443
CONNECTED(00000003)
depth=1 /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Fortigate/CN=FW80CM3909604325/emailAddress=support@fortinet.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
 1 s:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
   i:/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
---
Server certificate
-----BEGIN CERTIFICATE-----
---certificate not shown---
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Fortigate/CN=FW80CM3909604325/emailAddress=support@fortinet.com
issuer=/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com
---
No client certificate CA names sent
---
SSL handshake has read 2370 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 8253331D266DDE38E4D8A04AFCA9CBDED5B1134932CE1718EED6469C1FBC7474
    Session-ID-ctx:
    Master-Key: ED05A3EF168AF2D06A486362FE91F1D6CAA55CEFC38A3C36FB8BD74236BF2657D4701B6C1456CEB5BB5EFAA7619EF12D
    Key-Arg : None
    Start Time: 1264452957
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
GET /main.c HTTP/1.0
R
RENEGOTIATING
19916:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
Use the following command to check the SSL stats to see that the renegotiations blocked counter is now 1:
diagnose firewall vip virtual-server stats ssl
ssl
  client
    connections total 0 active 0 max 0
    handshakes total 4 active 0 max 0 completed 4 abbreviated 0
    session states total 4 active 4 max 4
    cipher-suite failures 0
    embryonics total 0 active 0 max 0 terminated 0
    renegotiations blocked 1
  server
    connections total 0 active 0 max 0
    handshakes total 3 active 0 max 0 completed 2 abbreviated 1
    session states total 1 active 1 max 1
    cipher-suite failures 0
    internal error 0
    bad handshake length 0
    bad change cipher spec length 0
    pubkey too big 0
  persistence
    find 0 found 0 clash 0 addr 0 error 0
If you examine the virtual server debug log (diagnose debug appl vs -1), a log entry appears at the point where the re-negotiation is blocked:
vs ssl 12 handshake recv ClientHello
vs ssl 12 handshake recv 1
(0100005403014b5e056c7f573a563bebe0258c3254bbaff7046a461164f34f94f4f3d019c418000026
00390038003500160013000a00330032002f00050004001500120009001400110008000600030201000
00400230000)
vs ssl 12 client renegotiation attempted rejected, abort
vs ssl 12 closing 0 up
vs src 12 close 0 in
vs src 12 error closing
vs dst 14 error closing
vs dst 14 closed
vs ssl 14 close
vs sock 14 free
vs src 12 closed
vs ssl 12 close
vs sock 12 free
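The hex dump logged with the rejected ClientHello in the debug log above can be decoded to see exactly what the renegotiating client offered. The following Python is an added example, not Fortinet code: the hex string is copied from that log entry, and the two constants are the renegotiation signals defined by RFC 5746, which this page does not mention.

```python
# Added example: decode the ClientHello hex dump from the debug log above.
CLIENT_HELLO_HEX = (  # copied verbatim from the "handshake recv 1" log entry
    "0100005403014b5e056c7f573a563bebe0258c3254bbaff7046a461164f34f94f4f3d019c418000026"
    "00390038003500160013000a00330032002f00050004001500120009001400110008000600030201000"
    "00400230000"
)
SCSV = 0x00FF        # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746, not from this page)
RENEG_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746, not from this page)


def _u(data, pos, size):
    """Read a big-endian unsigned integer, failing loudly on truncation."""
    if pos + size > len(data):
        raise ValueError("truncated ClientHello")
    return int.from_bytes(data[pos:pos + size], "big")


def parse_client_hello(hex_blob):
    """Decode a handshake-layer ClientHello (no TLS record header)."""
    data = bytes.fromhex(hex_blob)
    if _u(data, 0, 1) != 1 or _u(data, 1, 3) != len(data) - 4:
        raise ValueError("not a complete ClientHello message")
    hello = {"version": (_u(data, 4, 1), _u(data, 5, 1)),
             "gmt_unix_time": _u(data, 6, 4)}
    pos = 6 + 32                                  # skip the 32-byte random
    sid_len = _u(data, pos, 1)
    hello["session_id"] = data[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    cs_len = _u(data, pos, 2)
    hello["cipher_suites"] = [_u(data, i, 2)
                              for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    comp_len = _u(data, pos, 1)
    hello["compression"] = [_u(data, i, 1)
                            for i in range(pos + 1, pos + 1 + comp_len)]
    pos += 1 + comp_len
    hello["extensions"] = {}
    if pos < len(data):                           # extensions are optional
        end = pos + 2 + _u(data, pos, 2)
        pos += 2
        while pos < end:
            ext_type, ext_len = _u(data, pos, 2), _u(data, pos + 2, 2)
            hello["extensions"][ext_type] = data[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
    if pos != len(data):
        raise ValueError("length fields do not match message size")
    return hello


def signals_secure_renegotiation(hello):
    """True if the client offers either RFC 5746 signal."""
    return SCSV in hello["cipher_suites"] or RENEG_INFO in hello["extensions"]
```

For the logged message the check returns False: the client offered TLS 1.0 with 19 cipher suites and a single empty extension (type 0x0023, session ticket), and neither RFC 5746 signal.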