FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Article Id 197091

Description
Some vulnerability scanners label servers that support TLS 1.0 as insecure.
Attacks against TLS 1.0 require a client that still negotiates it, which in practice means old web browsers.

Those old browsers will no longer be able to reach the Admin UI if TLS 1.0 is disabled.
For that reason, TLS 1.0 and TLS 1.1 are enabled by default for compatibility.

This article describes how to verify which protocol versions the Admin UI offers on port 8443, and how to disable TLS 1.0 and TLS 1.1.


Run the following openssl commands from the CLI of the Control Server (or of the combined Control and Application Server, or the Control Manager) to verify whether each protocol is still offered. Each command forces a single protocol version; if the server returns a certificate, that version is enabled.

TLS 1.0:

openssl s_client -connect <fully qualified domain name of server>:8443 -tls1

TLS 1.1:

openssl s_client -connect <fully qualified domain name of server>:8443 -tls1_1

Example where TLS 1.0 is already DISABLED: the server rejects the forced TLS 1.0 handshake with a protocol version alert and no certificate is returned.

> openssl s_client -connect nac1.forti.lab:8443 -tls1 | more
140519370442640:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert n
140519370442640:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None

---

Example where TLS 1.1 is ENABLED.
If a certificate is returned, the protocol is enabled (this particular certificate has two further problems: it is self-signed and it has expired).

> openssl s_client -connect nac1.forti.lab:8443 -tls1_1 | more
depth=0 CN = portal
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = portal
verify error:num=10:certificate has expired
notAfter=Mar  3 18:17:35 2018 GMT
verify return:1
depth=0 CN = portal
notAfter=Mar  3 18:17:35 2018 GMT
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=portal
   i:/CN=portal
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICnjCCAYYCCQCoQtIdrBTXHDANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDDAZw
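The following script is an added example, not code from the original article or from FortiNAC. It repeats the openssl s_client checks above for TLS 1.0, 1.1 and 1.2 in one pass and applies the same rule the article uses: a server certificate in the output means the version is enabled, no certificate means the server refused it. The host nac1.forti.lab and port 8443 are placeholders, and the two embedded samples are constructed from abridged copies of the outputs shown above so the classifier can be exercised without a live server. One caveat the article does not mention: OpenSSL 3.x refuses to offer TLS 1.0 and 1.1 at its default security level, so on a modern workstation a plain `-tls1` probe reports "no protocols available" whatever the server does; the script passes `-cipher DEFAULT:@SECLEVEL=0` in that case and treats the client-side refusal as "unknown" rather than "disabled".

```shell
#!/bin/sh
# Added example (not part of the original article or of FortiNAC): probe a
# TLS server for TLS 1.0/1.1/1.2 with openssl s_client and report, per
# version, enabled / disabled / unknown. Host and port are placeholders.

# classify_sclient_output reads openssl s_client output on stdin and prints
# exactly one word: enabled, disabled or unknown.
classify_sclient_output() {
    out=$(cat)
    case "$out" in
        # OpenSSL 3.x at its default security level will not *offer* TLS 1.0
        # or 1.1 at all. That says nothing about the server, so: unknown.
        # This pattern must come first: such output also contains the
        # "no peer certificate available" line matched below.
        *"no protocols available"*) echo unknown ;;
        # A PEM certificate block is only printed after a completed handshake.
        *"-----BEGIN CERTIFICATE-----"*) echo enabled ;;
        # Wording differs between OpenSSL versions; each of these means the
        # handshake for the forced version ended without a certificate.
        *"no peer certificate available"*|*"alert protocol version"*|*"handshake failure"*|*"unsupported protocol"*|*"wrong version number"*) echo disabled ;;
        # Connection refused, DNS failure, timeout: nothing was negotiated.
        *) echo unknown ;;
    esac
}

# seclevel_opts prints the extra s_client option needed on OpenSSL 3.x so the
# client will actually offer TLS 1.0/1.1. Older builds (such as OpenSSL 1.0.2
# on a CentOS 7 control server) do not understand @SECLEVEL and get nothing.
seclevel_opts() {
    case "$(openssl version 2>/dev/null || true)" in
        "OpenSSL 3."*) echo "-cipher DEFAULT:@SECLEVEL=0" ;;
        *) echo "" ;;
    esac
}

# probe_version HOST PORT FLAG: force one protocol version (-tls1, -tls1_1 or
# -tls1_2). stdin is closed so s_client exits right after the handshake.
probe_version() {
    host="$1"; port="$2"; flag="$3"
    # word splitting of $(seclevel_opts) is intended: it is zero or two words
    openssl s_client -connect "$host:$port" "$flag" $(seclevel_opts) \
        </dev/null 2>&1 | classify_sclient_output
}

# Constructed samples, abridged from the two outputs shown in the article.
SAMPLE_DISABLED='140519370442640:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

SAMPLE_ENABLED='depth=0 CN = portal
verify error:num=18:self signed certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=portal
   i:/CN=portal
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICnjCCAYYCCQCoQtIdrBTXHDANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDDAZw
-----END CERTIFICATE-----'

# Usage: sh check_tls.sh <host> [port]   (port defaults to 8443, the Admin UI)
# Example: sh check_tls.sh nac1.forti.lab 8443
if [ $# -gt 0 ]; then
    HOST="$1"; PORT="${2:-8443}"
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$HOST" "$PORT" "$flag")"
    done
fi
```

Run it from the Control Server itself, as the article suggests, or from any host that can reach port 8443. A result of "unknown" for every version usually means the client could not connect at all; "unknown" for TLS 1.0 and 1.1 only, on a modern OpenSSL, means the client refused to offer them and the SECLEVEL option did not take effect.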

To list every cipher suite the server offers, and if the use of nmap is permitted in your environment, the following can also be used:

nmap --script ssl-enum-ciphers -p 8443 nac1.forti.lab


Example where only TLS 1.2 is enabled and TLS 1.0 and TLS 1.1 are not offered. Note that this sample output was captured against port 443; for the Admin UI, scan port 8443 as in the command above. The letter grade is nmap's rating of cipher strength only: the TLS_RSA_* suites in this list provide no forward secrecy, which some vulnerability scanners flag separately.

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:  
|   TLSv1.2:  
|     ciphers:  
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:  
|       NULL
|     cipher preference: server
|_  least strength: A


Scope
Version: 8.x on CentOS 7 platforms

TLS 1.0 (and TLS 1.1) cannot be disabled on CentOS 5 platforms: the OpenSSL build shipped with CentOS 5, compiled in 2013, did not enable the flags that make TLS 1.1 and TLS 1.2 available, so TLS 1.0 is the only TLS version those systems can negotiate.

For:

- FortiNAC Control and Application Server (CA).
- FortiNAC Control Server.
- FortiNAC Control Manager.

Solution
Workaround.
The change must be made via the Control Server CLI. Contact Support for assistance.

Note.
This change must be repeated after every upgrade.


Solution.
TLS 1.0 and TLS 1.1 are disabled by default in versions 8.8.6, 9.1.0 and above.


To re-enable them, contact Support for assistance.

Note.
That change must also be repeated after every upgrade.
