A cipher suite is a collection of encryption and authentication algorithms that two participants in secure communication can select from to negotiate a secure transaction.
FortiOS uses cipher suites to select encryption and authentication algorithms to use for SSL VPN, IPsec VPN, SSL inspection, SSL offloading, administrator authentication, user authentication, secure communication with FortiGuard, and so on. Each of these secure transactions selects the encryption and authentication algorithms to use for the transaction from the cipher suites supported for that transaction.
The cipher suites available for each transaction vary depending on the software settings and on the FortiGate hardware platform.
Here is the list of cipher suites available on most FortiGate hardware platforms for FortiOS 5.6.3:
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-DSS-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
TLS-ECDHE-RSA-WITH-RC4-128-SHA
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-RSA-WITH-RC4-128-SHA
TLS-DHE-RSA-WITH-DES-CBC-SHA
TLS-DHE-DSS-WITH-DES-CBC-SHA
TLS-RSA-WITH-DES-CBC-SHA
Viewing the cipher suites supported by your FortiGate
You can use the following command to view the cipher suites that are available on your FortiGate. This command is used to select the cipher suites to apply to SSL offloading. Other features that require cipher suites may support a subset of this list.
config firewall vip
    edit <vip-name>
        set type server-load-balance
        set server-type https
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher ?
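The suite names listed above follow the pattern TLS-<key exchange>[-<authentication>]-WITH-<cipher>-<hash>, so the list the CLI prints can be triaged before choosing a custom set. The following is an added example, not Fortinet code: the function names and the remove/review/keep tiers are assumptions of this example, and the sample input is a handful of names taken from the list above.

```python
import re

# Naming pattern of the suites listed above:
#   TLS-<key exchange>[-<authentication>]-WITH-<cipher>-<hash>
NAME_RE = re.compile(
    r"^TLS-(?P<kx>ECDHE|DHE|RSA)(?:-(?P<auth>RSA|ECDSA|DSS))?-WITH-(?P<body>.+)$")
HASHES = {"SHA", "SHA256", "SHA384", "MD5"}


def parse_suite(name):
    """Split a suite name into key exchange, authentication, cipher and hash."""
    m = NAME_RE.match(name.strip())
    cipher, _, digest = m.group("body").rpartition("-") if m else ("", "", "")
    if not cipher or digest not in HASHES:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    kx = m.group("kx")
    # In TLS-RSA-WITH-* the server's RSA key does key exchange and authentication.
    return {"kx": kx, "auth": m.group("auth") or kx, "cipher": cipher, "hash": digest}


def classify(name):
    """Return (tier, reasons); tier is 'remove', 'review' or 'keep' (assumed tiers)."""
    s = parse_suite(name)
    remove, review = [], []
    if s["cipher"].startswith("RC4"):
        remove.append("RC4 (prohibited in TLS by RFC 7465)")
    elif s["cipher"].startswith("DES"):
        remove.append("single DES, 56-bit key")
    elif s["cipher"].startswith("3DES"):
        remove.append("3DES, 64-bit block cipher")
    elif s["cipher"].endswith("CBC"):
        review.append("CBC mode (not AEAD)")
    if s["hash"] == "MD5":
        remove.append("MD5-based MAC")
    if s["kx"] == "RSA":
        review.append("static RSA key exchange, no forward secrecy")
    tier = "remove" if remove else "review" if review else "keep"
    return tier, remove + review


# Sample input: a few names taken from the list above.
SAMPLE = """TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-RC4-128-MD5
TLS-DHE-DSS-WITH-DES-CBC-SHA"""

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        tier, reasons = classify(line)
        print(f"{tier:6}  {line}  {'; '.join(reasons)}")
```

The suite name does not show the Diffie-Hellman parameter size used by DHE suites, so that has to be checked separately.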
The post FortiOS 5.6.3 Supported Cipher Suites appeared first on Fortinet Cookbook.