FortiGate
afornaris
Staff
Article Id 196762
Description
FortiOS versions prior to 5.4 did not allow an administrator to disable specific ciphers such as 3DES.
3DES has been found to be vulnerable to birthday attacks (CVE-2016-2183).
This KB article provides the CLI configuration to disable 3DES for SSL-VPN.
Scope
The ability to disable specific ciphers for SSL-VPN was added in FortiOS 5.4.
Solution
The following CLI commands disable 3DES for SSL-VPN:

config vpn ssl settings 
   set banned-cipher 3DES 
end 
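To confirm from the outside that the ban is actually in effect, here is an added check (example code, not Fortinet's) that opens a TLS 1.2 handshake to the SSL-VPN listener offering only 3DES suites, and, as a generalization, only SHA1-MAC suites for the SHA1 keyword; the target host/port and the keyword-to-OpenSSL cipher-string mapping are this example's own assumptions.

```python
"""Check that a FortiGate SSL-VPN listener rejects a banned cipher class.

The client offers ONLY suites of the banned class in its ClientHello: a completed
handshake means the ban is not effective, a TLS failure means it is.
Added example, not Fortinet code; host/port are whatever you point it at.
"""
import socket
import ssl

# Assumed OpenSSL cipher-list strings for the FortiOS banned-cipher keywords probed.
# "@SECLEVEL=0" lets OpenSSL >= 1.1 offer these legacy suites at all.
PROBES = {
    "3DES": "3DES:@SECLEVEL=0",
    "SHA1": "SHA1:!aNULL:@SECLEVEL=0",
}


def cipher_in_banned_class(cipher_name: str, keyword: str) -> bool:
    """True if an OpenSSL cipher-suite name falls into the given FortiOS ban class."""
    name = cipher_name.upper()
    if keyword == "3DES":
        return "DES-CBC3" in name or "3DES" in name
    if keyword == "SHA1":
        return name.endswith("-SHA")  # OpenSSL spells an HMAC-SHA1 suite with a bare "-SHA" suffix
    raise ValueError(f"no rule for keyword {keyword!r}")


def probe(host: str, port: int, keyword: str, timeout: float = 5.0) -> dict:
    """Attempt one TLS 1.2 handshake offering only the banned class; return a verdict."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE               # cipher policy is under test, not the cert
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites ignore set_ciphers()
    try:
        ctx.set_ciphers(PROBES[keyword])
    except ssl.SSLError:
        return {"keyword": keyword, "verdict": "untestable", "detail": "local OpenSSL lacks these suites"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name = tls.cipher()[0]
                verdict = "ACCEPTED (ban not effective)" if cipher_in_banned_class(name, keyword) else "unexpected"
                return {"keyword": keyword, "verdict": verdict, "detail": name}
    except ssl.SSLError as exc:   # handshake refused: the ban holds
        return {"keyword": keyword, "verdict": "rejected (ban effective)", "detail": str(exc)}
    except OSError as exc:        # connection-level failure, not a TLS verdict
        return {"keyword": keyword, "verdict": "error", "detail": str(exc)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1]  # e.g. vpn.example.com (placeholder)
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for kw in PROBES:
        print(probe(target, target_port, kw))
```

Run it against the SSL-VPN listener before and after applying the configuration; the 3DES line should move from "ACCEPTED" to "rejected".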
The cryptographic primitives (cipher, hash, key exchange, signature) that can be banned, as listed by the CLI help:


config vpn ssl settings
set banned-cipher ?

RSA         Ban the use of cipher suites using RSA key.
DH          Ban the use of cipher suites using DH.
DHE         Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDH        Ban the use of cipher suites using ECDH key exchange.
ECDHE       Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS         Ban the use of cipher suites using DSS authentication.
ECDSA       Ban the use of cipher suites using ECDSA authentication.
AES         Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM      Ban the use of cipher suites AES in Galois Counter Mode (GCM).
CAMELLIA    Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES        Ban the use of cipher suites using triple DES
SHA1        Ban the use of cipher suites using SHA1.
SHA256      Ban the use of cipher suites using SHA256.
SHA384      Ban the use of cipher suites using SHA384.