Monday 1 December 2014

How-to: Disable SSLv3 on Fortinet devices

With the release of the POODLE vulnerability, Fortinet have released a great article on how to disable SSLv3 on all the Fortinet devices that are affected.

The affected devices include:

  • FortiGate
  • FortiMail
  • FortiAnalyzer
  • FortiManager
  • FortiAuthenticator
  • FortiCache
  • FortiWeb
  • FortiDDOS
  • FortiADC-D
  • FortiClient
  • FortiVoice-Enterprise
  • FortiRecorder
  • FortiDB
  • FortiSwitchOS
  • FortiSwitch ATCA

Fortunately, disabling SSLv3 is very simple on all devices, with some just requiring an upgrade.

I won't go into detail on how to disable SSLv3 on every box as it's covered in the article linked above. I just want to go through how you can test that SSLv3 has actually been disabled once you've made the configuration change.

For this test I'll be disabling SSLv3 on my FortiWeb.

First, let's see what ciphers the FortiWeb is presenting before I make any changes. For this I use the following nmap command, where hostname is the address of the device under test: nmap --script ssl-enum-ciphers -p 443 hostname

root@kali:~# nmap --script ssl-enum-ciphers -p 443 www.wglab.com.au

Starting Nmap 6.46 ( http://nmap.org ) at 2014-12-01 10:50 EST
Nmap scan report for www.wglab.com.au (203.219.221.181)
Host is up (0.026s latency).
rDNS record for 203.219.221.181: 203-219-221-181.static.tpgi.com.au
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

As per the output above, we can see that SSLv3 is enabled with 10 ciphers configured.

Now let's disable SSLv3 on the FortiWeb using the commands found in the link above.

web $ config system advanced
web (advanced) $ set no-sslv3 enable
web (advanced) $ end
web $ config system global
web (global) $ set no-sslv3 enable
web (global) $ end

Once this is complete, I run the same nmap command again to confirm the change has taken effect.

root@kali:~# nmap --script ssl-enum-ciphers -p 443 www.wglab.com.au

Starting Nmap 6.46 ( http://nmap.org ) at 2014-12-01 10:54 EST
Nmap scan report for www.wglab.com.au (203.219.221.181)
Host is up (0.037s latency).
rDNS record for 203.219.221.181: 203-219-221-181.static.tpgi.com.au
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

As per the output above, nmap now reports no supported SSLv3 ciphers on the FortiWeb, while TLSv1.0 is still offered.
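Reading the nmap output by eye is fine for one box, but if you have a fleet of Fortinet devices to verify after the change it's worth scripting the check. The script below is an added example of mine, not code from the original post or from Fortinet. It parses ssl-enum-ciphers output, counts the ciphers under each protocol heading, gives a pass/fail verdict on SSLv3, and also flags RC4 and 3DES suites, which nmap 6.46 still rated "strong" at the time but which are deprecated today (RC4 is prohibited by RFC 7465, 3DES has a 64-bit block). The two embedded scan reports are constructed to mirror the before and after runs above, with the TLSv1.0 cipher list shortened; the hostname and port in the usage note are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): turn nmap ssl-enum-ciphers output
# into a scriptable SSLv3 check. The two reports below are constructed samples
# mirroring the post's before/after scans, so this runs with no network access.

# Constructed sample: report from before SSLv3 was disabled (TLSv1.0 list shortened).
BEFORE_SCAN=$(cat <<'EOF'
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
EOF
)

# Constructed sample: report from after "set no-sslv3 enable" was applied.
AFTER_SCAN=$(cat <<'EOF'
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
EOF
)

# Count the cipher lines nmap lists under one protocol heading ("SSLv3", "TLSv1.0", ...).
# A heading followed by "No supported ciphers found" has no cipher lines, so it counts 0.
count_ciphers() {
    # $1: scan text   $2: protocol label
    printf '%s\n' "$1" | awk -v proto="$2" '
        $0 ~ ("^[|]   " proto ":")       { in_section = 1; next }   # wanted heading
        /^[|]   [A-Za-z]/                { in_section = 0 }         # any other heading
        in_section && /^[|]       TLS_/  { n++ }                    # cipher line
        END { print n + 0 }
    '
}

# Exit 0 when the report offers no SSLv3 ciphers, 1 when it still does.
sslv3_disabled() {
    [ "$(count_ciphers "$1" SSLv3)" -eq 0 ]
}

# List RC4 and 3DES suites still offered, regardless of the strength nmap assigned.
legacy_ciphers() {
    printf '%s\n' "$1" | grep -oE 'TLS_[A-Z0-9_]*(RC4|3DES)[A-Z0-9_]*' | sort -u
}

# Human-readable verdict for one report.
report() {
    # $1: label   $2: scan text
    if sslv3_disabled "$2"; then
        printf '%s: PASS - SSLv3 not offered\n' "$1"
    else
        printf '%s: FAIL - SSLv3 still offers %s cipher(s)\n' "$1" "$(count_ciphers "$2" SSLv3)"
    fi
    legacy_ciphers "$2" | sed "s/^/$1: legacy cipher still offered: /"
}

report before "$BEFORE_SCAN"
report after  "$AFTER_SCAN"
```

Against a live device, feed the real scan into the same function, for example `report fortiweb "$(nmap --script ssl-enum-ciphers -p 443 hostname)"` with hostname and port replaced by your own; a non-zero exit from sslv3_disabled is what you would key a monitoring check on.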
