Created on 10-09-2018 08:32 AM Edited on 04-12-2022 02:31 PM By Anonymous
Description
Some vulnerability scanners label servers supporting TLS 1.0 as insecure.
TLS 1.0 can only be exploited through the use of old web browsers.
These old browsers will not work with the captive portal if TLS 1.0 is disabled.
Therefore, TLS 1.0 and 1.1 are enabled by default for greater compatibility.
This article describes how to disable TLS 1.0 and TLS 1.1 when accessing the captive portal over port 443.
Execute the following openssl commands from the CLI on the Application Server to verify whether these protocols are enabled:
TLS 1.0.
openssl s_client -connect <fully qualified domain name of server>:443 -tls1
TLS 1.1.
openssl s_client -connect <fully qualified domain name of server>:443 -tls1_1
Example where TLS 1.0 is already DISABLED: no certificate is returned when TLS 1.0 negotiation is forced.
> openssl s_client -connect portal.forti.lab:443 -tls1 | more
140519370442640:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1493:SSL alert n
140519370442640:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
---
Example where TLS 1.1 is ENABLED: a certificate is returned, so the protocol is enabled (this particular certificate additionally has two more problems: it is expired and self-signed).
> openssl s_client -connect portal.forti.lab:443 -tls1_1 | more
depth=0 CN = portal
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = portal
verify error:num=10:certificate has expired
notAfter=Mar 3 18:17:35 2018 GMT
verify return:1
depth=0 CN = portal
notAfter=Mar 3 18:17:35 2018 GMT
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=portal
i:/CN=portal
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICnjCCAYYCCQCoQtIdrBTXHDANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDDAZw
…
To see all offered ciphers, and if the use of nmap is allowed, the following can also be used:
nmap --script ssl-enum-ciphers -p 443 portal.forti.lab
Example where only TLS 1.2 is enabled, while TLS 1.0 and TLS 1.1 are not offered:
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
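As an added example (not part of the original article), a small Python wrapper that runs the same forced-version openssl s_client probes for TLS 1.0, 1.1 and 1.2 against a host and classifies each response the way the article reads the output above. The default host name is a placeholder, the sample outputs are constructed from the article's transcripts, and the "no protocols available" message used to spot a client that refuses to offer an old version itself is an assumption about the local openssl build.

```python
"""Probe a captive portal for TLS 1.0/1.1 with forced-version openssl s_client runs."""
import subprocess
from typing import Dict

# One s_client flag per protocol, matching the commands used in the article.
VERSION_FLAGS = {"TLS 1.0": "-tls1", "TLS 1.1": "-tls1_1", "TLS 1.2": "-tls1_2"}

# Constructed samples, trimmed from the article's two transcripts.
SAMPLE_DISABLED = """CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""
SAMPLE_ENABLED = """CONNECTED(00000003)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICnjCCAYYCCQCoQtIdrBTXHDANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDDAZw
"""


def classify_s_client_output(output: str) -> str:
    """Classify stdout+stderr of one forced-version s_client run.

    'enabled'      -> server negotiated that version and sent a certificate
    'disabled'     -> handshake refused (protocol version alert, no certificate)
    'inconclusive' -> nothing was tested; assumed marker for a local client that
                      will not offer the old version at all (security level)
    """
    if "no protocols available" in output:
        return "inconclusive"
    if "-----BEGIN CERTIFICATE-----" in output or "Server certificate" in output:
        return "enabled"
    if ("Cipher is (NONE)" in output or "no peer certificate available" in output
            or "alert protocol version" in output):
        return "disabled"
    return "inconclusive"


def probe_versions(host: str, port: int = 443, timeout: int = 10) -> Dict[str, str]:
    """Run one s_client handshake per entry in VERSION_FLAGS and classify each."""
    results = {}
    for name, flag in VERSION_FLAGS.items():
        proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", flag],
                              input=b"", capture_output=True, timeout=timeout)
        combined = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
        results[name] = classify_s_client_output(combined)
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "portal.example.invalid"  # placeholder host
    for version, state in probe_versions(target).items():
        print(f"{version}: {state}")
```

After the change described under Solution, a hardened portal should report "disabled" for TLS 1.0 and TLS 1.1 and "enabled" for TLS 1.2.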
Scope
- FortiNAC Control and Application Server (CA).
- FortiNAC Application Server.
Version: 8.x on CentOS 7 platforms.
TLS 1.0 and TLS 1.1 cannot be disabled on CentOS 5, because when CentOS 5 was compiled in 2013, the build flags indicating that TLS 1.1 and 1.2 even exist were not enabled.
Solution
Disable TLSv1 and TLSv1.1 for the captive portal. Contact Support for assistance; the required changes cannot be made via the UI.
Note: TLS 1.3 cannot be enabled in the portal on CentOS 7 appliances.
Related Articles
Technical Tip: Disable TLS 1 and TLS 1.1 for the Admin UI on port 8443
Technical Note: Disable TLS 1 and TLS 1.1 for the Persistent Agent
Copyright 2024 Fortinet, Inc. All Rights Reserved.