Description
This article shows how to use the open source program cURL to test connectivity to (or through) a FortiGate using various cipher suites. This is useful when performing vulnerability assessments, and it can confirm whether the FortiGate accepts connections made with a specific version of the SSL/TLS protocol and a chosen cipher suite.
Scope
FortiGate HTTPS Management IP Address
FortiGate SSL VPN Portal IP Address
HTTPS Website Protected by FortiGate/FortiWeb
Solution
1) Download and install a pre-compiled version of cURL for your operating system. A popular version for Windows is called “cURL for Windows”. Alternatively, you can compile cURL yourself.
2) Determine the IP address and port number to which a connection is to be made. This can be the IP and port number of the FortiGate management address, SSL VPN, or a server behind the FortiGate.
3) Determine the version of TLS/SSL to be tested, as well as what ciphers.
4) Test with cURL using the parameters determined above.
Example 1: Testing the FortiGate SSL VPN interface for SSLv3 (any cipher suite)
curl https://10.0.0.5:10443 -k -v --location-trusted --sslv3
…
[output removed]
…
alert handshake failure (connection is NOT accepted)
Example 2: Testing the FortiGate management interface for TLSv1.2 using the 3DES bulk cipher/encryption algorithm
curl https://10.0.0.1:443 -k -v --location-trusted --tlsv1.2 --ciphers 3DES
…
[output removed]
…
* Connection #0 to host 10.0.0.1 left intact (connection is accepted)
Example 3: Testing the FortiGate SSL VPN interface for TLSv1.2 using the cipher suite AECDH-AES128-SHA
curl https://10.0.0.5:10443 -k -v --location-trusted --tlsv1.2 --ciphers AECDH-AES128-SHA
…
[output removed]
…
* Connection #0 to host 10.0.0.1 left intact (connection is accepted)
Note that cURL uses OpenSSL, so it expects OpenSSL's terminology when selecting cipher suites for testing. AECDH-AES128-SHA is the OpenSSL name for the cipher suite whose RFC name is TLS_ECDH_anon_WITH_AES_128_CBC_SHA.
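The four steps above can be scripted so that one cURL run per protocol version and cipher suite produces a short accepted/refused table for a listener. The script below is an added example and is not part of the Fortinet article; the default version list, the suite list and the example host and port in it are assumptions. It reflects two points about current cURL builds that the single commands above do not show: `--tlsv1.2` and its siblings set a minimum version, so `--tls-max` is used to pin each probe to exactly one version, and `--ciphers` takes the names of the TLS library cURL was built against (OpenSSL names, as in the examples above; a build on Schannel or GnuTLS needs that library's names). A build without SSLv3 support reports exit code 4 rather than a handshake failure, and an unrecognised cipher name reports exit code 59, so both are reported separately from a genuine refusal.

```shell
#!/bin/sh
# tls_probe.sh: enumerate which SSL/TLS versions and cipher suites a listener
# accepts, using nothing but cURL. Added example, not from the Fortinet article;
# the default host/port/suite list is an assumption for illustration.

# Build the cURL arguments for one probe (pure; prints them, performs no I/O).
#   $1 host, $2 port, $3 version option(s), $4 OpenSSL cipher name or ""
build_probe_args() {
  host=$1; port=$2; tlsopt=$3; cipher=$4
  # -k: the probe tests the handshake, not certificate trust
  # -s -o /dev/null: discard the page; --max-time: do not hang on a filtered port
  args="-k -s -o /dev/null --max-time 10 $tlsopt"
  if [ -n "$cipher" ]; then
    args="$args --ciphers $cipher"
  fi
  printf '%s https://%s:%s\n' "$args" "$host" "$port"
}

# Map cURL's exit status to a result word (pure).
classify_exit() {
  case $1 in
    0)  echo "accepted" ;;
    35) echo "refused (TLS handshake failed)" ;;
    4)  echo "unsupported by this cURL build" ;;
    59) echo "cipher name unknown to this cURL build" ;;
    7)  echo "no TCP connection" ;;
    28) echo "timeout" ;;
    *)  echo "other (curl exit $1)" ;;
  esac
}

# Run one probe against the network and print a one-line result.
probe() {
  # $(...) is intentionally unquoted: the argument string must be word-split
  curl $(build_probe_args "$1" "$2" "$3" "$4") >/dev/null 2>&1
  rc=$?
  printf '%-28s %-36s %s\n' "$3" "${4:-(any cipher)}" "$(classify_exit "$rc")"
}

# Usage: sh tls_probe.sh <host> <port>   e.g. sh tls_probe.sh 10.0.0.5 10443
# Only runs when a target is given, so sourcing the file for testing is safe.
if [ "$#" -ge 2 ]; then
  # Step 3 of the article: which versions to test. --tlsvX.Y alone means
  # "X.Y or newer" on current cURL, so --tls-max pins each probe to one version.
  for tlsopt in "--sslv3" "--tlsv1.0 --tls-max 1.0" "--tlsv1.1 --tls-max 1.1" \
                "--tlsv1.2 --tls-max 1.2" "--tlsv1.3"; do
    probe "$1" "$2" "$tlsopt" ""
  done
  # Suites to check on TLS 1.2 (OpenSSL names; constructed list, edit as needed)
  for suite in DES-CBC3-SHA AECDH-AES128-SHA ECDHE-RSA-AES128-GCM-SHA256; do
    probe "$1" "$2" "--tlsv1.2 --tls-max 1.2" "$suite"
  done
fi
```

Each line of output names the version option, the suite (or "(any cipher)") and the classified result, which is the same information the `-v` output of the examples above carries in its "alert handshake failure" and "left intact" lines. Because the page body is discarded, the script is equally usable against a management port, an SSL VPN portal, or a site published through a FortiGate or FortiWeb.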
Related Articles
Technical Note: How to verify if a web page is cache-able using cURL