FortiWeb
opetr_FTNT
Staff
Article Id 197795

Description

This article describes how to strengthen SSL security of a Virtual Server.

Client == (Virtual Server)FortiWeb == Server


Scope

FortiWeb 5.3.3 and higher.


Solution

Configuration in the GUI:

Configure the Server Policy that uses the Virtual Server whose SSL security you want to strengthen.

The same can be done through the CLI:

config server-policy policy
  edit <policy name>
    set hsts-header enable
    set hsts-max-age 15552000
    set ssl-v3 disable
    set ssl-cipher high
    set ssl-pfs enable
    set ssl-noreg enable
end


After the changes have been made, the security of the Virtual Server can be tested, for example at https://www.ssllabs.com/ssltest/. If everything is configured correctly, the rating received should be A-.
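To check the same settings across every policy in a configuration backup, the following Python script (an added example, not Fortinet code) parses the `config server-policy policy` section and lists each policy whose values differ from the CLI block above. It assumes the backup uses the same `edit`/`set`/`end` syntax shown in this article; the sample configuration and its policy names are constructed.

```python
import shlex

# Hardened values copied from the article's CLI block.
HARDENED = {"hsts-header": "enable", "hsts-max-age": "15552000",
            "ssl-v3": "disable", "ssl-cipher": "high",
            "ssl-pfs": "enable", "ssl-noreg": "enable"}

def parse_policies(config_text):
    """Return {policy: {setting: value}} from 'config server-policy policy'."""
    policies, current, in_section, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        tokens = shlex.split(raw) or [""]
        if not in_section:
            in_section, current = tokens[:3] == ["config", "server-policy", "policy"], None
        elif tokens[0] == "config":
            depth += 1  # nested sub-table inside a policy; its settings are skipped
        elif tokens[0] == "end":
            in_section, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and tokens[0] == "edit" and len(tokens) > 1:
            current = policies.setdefault(tokens[1], {})
        elif depth == 0 and tokens[0] == "set" and len(tokens) > 2 and current is not None:
            current[tokens[1]] = " ".join(tokens[2:])
    return policies

def audit(config_text, expected=HARDENED):
    """Return {policy: [(setting, found, wanted)]}; found is None when not set."""
    report = {name: [(k, got.get(k), v) for k, v in expected.items() if got.get(k) != v]
              for name, got in parse_policies(config_text).items()}
    return {name: bad for name, bad in report.items() if bad}

# Constructed sample in the CLI syntax shown above; policy names are made up.
SAMPLE = """config server-policy policy
  edit "web-hardened"
    set hsts-header enable
    set hsts-max-age 15552000
    set ssl-v3 disable
    set ssl-cipher high
    set ssl-pfs enable
    set ssl-noreg enable
  next
  edit "web-legacy"
    set ssl-v3 enable
    set ssl-pfs disable
  next
end
"""

if __name__ == "__main__":
    for policy, issues in audit(SAMPLE).items():
        print(policy, issues)
```

A setting reported as `None` is absent from the backup, so its effective value should be confirmed on the device. On versions where the PFS workaround described in the note below is applied, pass `expected={**HARDENED, "ssl-pfs": "disable"}` so the workaround is not flagged.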


Note: Versions prior to 5.3.5 have a memory leak in 'proxyd' caused by the Perfect Forward Secrecy feature (#0268053). The workaround on those versions is to disable the feature:

config server-policy policy
  edit <policy name>
    set ssl-pfs disable
end


Then restart 'proxyd':

diag sys kill 9 <PID of proxyd>

 
