FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Hawada1
Staff
Article Id 190116

Description


Some vulnerability scanners flag servers that still accept TLS 1.0 or TLS 1.1 as insecure; both protocol versions are deprecated (RFC 8996).
In practice, the only clients that still need them are old web browsers that cannot negotiate TLS 1.2, and leaving them enabled lets any client that falls back to those versions use their weaker handshake.

Those old browsers cannot reach the captive portal once TLS 1.0 and 1.1 are disabled, which is why both are enabled by default for compatibility.

This article describes how to verify, and then disable, TLS 1.0 and TLS 1.1 for the captive portal on port 443.


From the Application Server CLI (or any host with openssl installed), force each protocol version in turn with openssl s_client to verify whether the portal still accepts it. s_client waits on standard input after the handshake; append </dev/null (or pipe to more as in the examples) so the command returns.

TLS 1.0:

openssl s_client -connect <fully qualified domain name of server>:443 -tls1

TLS 1.1:

openssl s_client -connect <fully qualified domain name of server>:443 -tls1_1

Example with TLS 1.0 already DISABLED: the server answers the forced TLS 1.0 handshake with a protocol_version alert and returns no certificate.

> openssl s_client -connect portal.forti.lab:443 -tls1 | more
140519370442640:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert n
140519370442640:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None

---

Example with TLS 1.1 ENABLED: the server completes the handshake and returns its certificate, which confirms the protocol is accepted. (This particular certificate has two further problems unrelated to the protocol version: it is self-signed and it has expired.)

> openssl s_client -connect portal.forti.lab:443 -tls1_1 | more
depth=0 CN = portal
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = portal
verify error:num=10:certificate has expired
notAfter=Mar  3 18:17:35 2018 GMT
verify return:1
depth=0 CN = portal
notAfter=Mar  3 18:17:35 2018 GMT
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=portal
   i:/CN=portal
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICnjCCAYYCCQCoQtIdrBTXHDANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDDAZw

If the use of nmap is permitted in the environment, the ssl-enum-ciphers script lists every protocol version the server accepts together with the cipher suites offered for each:

nmap --script ssl-enum-ciphers -p 443 portal.forti.lab

Example with only TLS 1.2 enabled: there are no TLSv1.0 or TLSv1.1 sections because the server rejected both. Note that the TLS_RSA_WITH_* suites listed below use static RSA key exchange and provide no forward secrecy even though the script grades them A; the protocol versions are what this check is about.

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:  
|   TLSv1.2:  
|     ciphers:  
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:  
|       NULL
|     cipher preference: server
|_  least strength: A
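The following shell script is an added example and not part of the original article; it automates the openssl s_client check above by forcing TLS 1.0, 1.1 and 1.2 against the portal and classifying each transcript the way the article reads it by hand (certificate returned means enabled, protocol_version alert and no certificate means disabled). It assumes openssl is on the PATH; portal.forti.lab is the article's example FQDN, and the embedded transcripts are constructed abbreviations of the article's two runs plus two failure modes so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original article): automate the openssl
# s_client check by forcing each TLS version against the captive portal and
# classifying the transcript the way the article reads it by hand.
# portal.forti.lab is the article's example FQDN; everything else here is an
# illustrative assumption.

# Substring test: does $1 contain $2?
has() { case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# Classify one combined stdout+stderr transcript of openssl s_client.
# Prints one of: enabled, disabled, local-unsupported, unreachable, unknown.
classify_s_client_output() {
    out="$1"
    if has "$out" "no protocols available"; then
        # The local openssl refused to offer the version (OpenSSL 3.x drops
        # TLS 1.0/1.1 at its default security level). Rerun with
        # -cipher 'DEFAULT:@SECLEVEL=0' instead of reporting the server hardened.
        echo local-unsupported
    elif ! has "$out" "CONNECTED("; then
        # No TCP session at all: refused, filtered or wrong name.
        echo unreachable
    elif has "$out" "BEGIN CERTIFICATE"; then
        # Handshake completed at the forced version and the chain came back.
        echo enabled
    elif has "$out" "alert protocol version" || has "$out" "no peer certificate available"; then
        # Server rejected the forced version with a TLS alert and sent no certificate.
        echo disabled
    else
        echo unknown
    fi
}

# Live probe of one version. </dev/null closes s_client's stdin so it returns
# after the handshake instead of waiting for input; 2>&1 keeps the alert text.
probe_tls_version() {
    host="$1"; port="$2"; flag="$3"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>&1) || true
    classify_s_client_output "$out"
}

# Probe TLS 1.0, 1.1 and 1.2 and print one verdict per line. The hardened
# captive portal should report: tls1 disabled, tls1_1 disabled, tls1_2 enabled.
audit_portal() {
    host="$1"; port="${2:-443}"
    for flag in -tls1 -tls1_1 -tls1_2; do
        printf '%-7s %s\n' "${flag#-}" "$(probe_tls_version "$host" "$port" "$flag")"
    done
}

# Constructed transcripts, abbreviated from the article's two openssl runs plus
# two failure modes, so the classifier can be exercised without a network.
SAMPLE_DISABLED='140519370442640:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

SAMPLE_ENABLED='depth=0 CN = portal
verify error:num=18:self signed certificate
CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICnjCCAYYCCQCoQtIdrBTXHDANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDDAZw
-----END CERTIFICATE-----'

SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'

SAMPLE_SECLEVEL='CONNECTED(00000003)
error:SSL routines::no protocols available
---
no peer certificate available'

# Offline self-check; succeeds only if every sample gets the expected verdict.
self_check() {
    [ "$(classify_s_client_output "$SAMPLE_DISABLED")" = disabled ] &&
    [ "$(classify_s_client_output "$SAMPLE_ENABLED")" = enabled ] &&
    [ "$(classify_s_client_output "$SAMPLE_REFUSED")" = unreachable ] &&
    [ "$(classify_s_client_output "$SAMPLE_SECLEVEL")" = local-unsupported ]
}

# Usage: self_check && audit_portal portal.forti.lab 443
```

The local-unsupported verdict is the caveat that matters most on a modern workstation: an OpenSSL 3.x client will not even offer TLS 1.0 or 1.1 at its default security level, and the resulting "no peer certificate available" line looks exactly like a hardened server unless the transcript is checked for "no protocols available" first.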


Scope


- FortiNAC Control and Application Server (CA).
- FortiNAC Application Server.

Version: 8.x on CentOS 7 platforms.


TLS 1.0 cannot be disabled on CentOS 5 appliances: the OpenSSL build shipped with CentOS 5 (compiled in 2013) was built without support for TLS 1.1 and 1.2, so TLS 1.0 is the only protocol version those appliances can negotiate.

Solution

Disable TLSv1 and TLSv1.1 for the captive portal. The required changes cannot be made through the UI; contact Support for assistance.

 

Note:  TLS 1.3 cannot be enabled in the portal on CentOS 7 appliances.

Related Articles

Technical Tip: Disable TLS 1 and TLS 1.1 for the Admin UI on port 8443

Technical Note: Disable TLS 1 and TLS 1.1 for the Persistent Agent
