11.3 SSL Acceleration Configuration
11.3.1 Configuration Guidelines
Before we get started, let’s explain the terminologies used extensively throughout this chapter.
Virtual Host: An SSL host associated with an SLB virtual. An SSL virtual host acts as an SSL server and is used to communicate by using SSL between browser and FortiBalancer appliance.
Real Host: An SSL host associated with an SLB real. An SSL real host acts as an SSL client and is used to communicate by using SSL between FortiBalancer appliance and backend origin server.
Origin Server: A backend server that will accept clear-text or encrypted requests.
Clear-text: Any traffic that is not encrypted.
Virtual Host Port: The port that SSL virtual host will listen on. Typically port 443 is used.
Key (private): A private key that is stored on the FortiBalancer appliance for PKI (Public Key
Infrastructure) authentication purposes. FortiBalancer appliance supports keys up-to 2048 bits in size.
Certificate: This is used for authentication purpose and to help set up secure communications between the appliance and the browser.
Certificate Authority (CA): A certificate authority is an entity that will create a certificate from a CSR (Certificate Signing Request).
Trusted Certificate Authority: Current Web Browsers have a list of known CA’s public keys that are used to verify certificates authenticity. If the browser cannot identify the CA it will inform the user as such. In a similar manner the FortiBalancer appliance also maintains a list of Trusted Certificate Authorities to verify certificates.
For our example environment, we have a domain name of “www.example.com”. For our SSL purposes we will be using “www.example.com” as our SSL virtual host. This SSL virtual host is associated with an SLB virtual host using IP 10.10.0.10 and port 443.
SSL virtual Host: www.example.com
SLB virtual Host IP: 10.10.0.10
SLB virtual Host Port: 443
There are two methods for setting up SSL acceleration. The first method applies if you have never set up SSL, and you will need to walk through the whole process of setting up the SSL virtual host and generation of a CSR to send to the CA of your choice. The CA will send you a signed certificate that you will then import. The second method applies if you already have a key and certificate, and you can skip the CSR step and import your key and certificate. Let’s go ahead and setup SSL as though we have never set it up.
Table 11-2 General Settings of SSL
Operation | Command |
Create an SSL virtual host | slb virtual https <virtual_name> <vip> [vport] [arp|noarp] [max_conn] ssl host {real|virtual} <host_name> <slb_service> |
Import certificate and key for SSL virtual host | ssl csr <virtual_host_name> [key_length]
ssl import certificate <host_name> [cert_index] [tftp_ip] [file_name] ssl import key <host_name> [cert_index] [tftp_ip] [file_name] ssl activate certificate <host_name> [cert_index] |
Create an SSL real host | slb real https <real_name> <ip> [port] [max_conn]
[https|tcp|tcps|icmp|script-tcp|script-udp|script-tcps|sip-tcp|sip-udp|dns] [hc_up] [hc_down] slb real tcps <real_name> <ip> <port> [max_conn] [tcp|tcps|icmp|script-tcp|script-udp|script-tcps|sip-tcp|sip-udp|dns] [hc_up] [hc_down] ssl host {real|virtual} <host_name> <slb_service> |
Advanced
configuration for an SSL virtual host |
ssl stop <host_name>
ssl settings ciphersuite <host_name> <cipher_string> ssl settings protocol <host_name> <version> ssl settings reuse < host_name> ssl settings clientauth <host_name> ssl settings certfilter <vhost_name> <filter1> [filter2] ssl import rootca [virtual_host_name] [tftp_ip] [filename] ssl settings crl offline <virtual_host_name > <crldp_name> <crldistribution_point> [time_interval] [delay_time] ssl settings crl online <virtual_host_name> ssl settings ocsp <virtual_host_name> <ocsp server> ssl settings minimum <virtual_host_name> <key_size> <url> ssl start <host_name> ssl import error <error_code> <url> [virtual_host_name] ssl load error <error_code> [virtual_host_name] |
Advanced
configuration for an SSL real host |
ssl settings ciphersuite <host_name> <cipher_string> ssl settings protocol <host_name> <version> ssl settings reuse <host_name> ssl settings clientauth <host_name>
ssl import rootca [virtual_host_name] [tftp_ip] [filename] ssl settings servername <real_host_name> <ssl_server_common_name> |
11.3.2 Configuration Example via CLI
11.3.2.1 Creating an SSL Virtual Host
To do this, first we will employ an SLB related command. This command will create the SLB virtual service. The second step is to use the “ssl host virtual <host_name> <slb_service>” command to define our SSL virtual host.
FortiBalancer(config)#slb virtual https virtual1https 10.10.0.10 443
FortiBalancer(config)#ssl host virtual www.example.com virtual1https
In the above example, please note that “virtual1https” is our newly created SLB virtual service.
Now you may move on to importing your certificate.
11.3.2.2 Importing Certificate and Key for the Newly Created SSL
Virtual Host
If you do not have a certificate and key pair, FortiBalancer appliance provides with you the facility to create a key pair and CSR for your newly configured SSL virtual host. The FortiBalancer appliance also creates a test certificate that can be used for either testing or evaluation purposes.
Ø Step 1 Use FortiBalancer appliance to create a CSR for the newly created SSL virtual host
The first step is to use the “ssl csr <virtual_host_name> [key_length]” command to generate a CSR to send to your CA. After this command is employed, the appliance will prompt you for additional information. (The information in bold typeface represents answer examples.)
FortiBalancer(config)#ssl csr www.example.com
We will now gather some required information about your ssl virtual host, This information is encoded into your certificate Two character country code for your organization (e.g. US): US State or province []: CA Location or local city []: San Jose Organization Name: Example.com Organizational Unit: Example.com Organizational Unit []: Organizational Unit []: Do you want to use the virtual host name “www.example.com” as the Common Name (recommended)?(Y/N): Y Email address of administrator []: admin@example.com Do you want the private key to be exportable [Yes/(No)]: Enter passphrase for the private key: Confirm passphrase for the private key:
—–BEGIN CERTIFICATE REQUEST—– MIIB5TCANU4ANQAwgaQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTERMA8GA1 UEBxMIU2FuIEpvc2UxFDASBgNVBAoTC0V4YW1wbGUuY29tMRQwEgYDVQQLEwtFeG FtcGxlLmNvbTEnMCUGA1UEAxMec3NsLXRlc3QucHBiLmFycmF5bmV0d29ya3MubmV0M SAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTCBnzANBgkqhkiG9w0BAQEFAA OBjQAwgYkCgYEApk18ozLXGEpJS69BvtfNLcBEjoO82+QWRtH4CtIVJYCEOIAlQXQPWs NNN2A74AOW2wkm3f7leSEf2fPI/U6ScHYm8dz2OT523XdDZ/yqmQNwRwTz3NC0sNtXKR g9WD9fPMgr6grdBCEH2eVcRdDK8EIXIFrlhXmz+UTxA9y92gMANwEAAaAAMA0GCSqG SIb3DQEBBAUAA4GBAJCZiGnJ3AHcpuapkjbr31Qr9+1eHl/V6TOesQS/gOlxbOug00T7HndIo 32dZ9vnyGZqNd4CVg9rfFfQWuk09XfDSXdvEFU9ZzedNEr1d5ujbQv8pCsrNIlkHDPDF4Hs2r e1ZJeSDpnEEj1EFAFaEyW452C8v4uGjCe2nrgrksgN —–END CERTIFICATE REQUEST—– |
This command creates a CSR for the SSL virtual, which will be sent to a CA for signing. This CSR uses the public key from the public-private key pair of the SSL virtual host, which was generated at the time of creating this SSL virtual host.
Note: This command also creates a test certificate for the SSL virtual host. The test certificate generated by the “ssl csr” command should not be used for production systems, rather only for testing purposes. The OS will check the certificate chain for the SSL virtual host when starting the virtual host. A warning message, stating that the certificate chain is incomplete, will be printed on console for the test certificate.
If you would like to use the test certificate for testing/demonstration purposes, this is the point where you may start the SSL subsystem:
FortiBalancer(config)#ssl start www.example.com
The FortiBalancer appliance is configured to take full advantage of the SSL functionality within the OS. Administrators should be able to connect securely to the site by using a Web browser.
Ø Step 2 Forward CSR to a CA
To perform this task, simple cut from “—–BEGIN CERTIFICATE REQUEST—-” line down to the “—-END CERTIFICATE REQUEST—–”. Your CA needs these lines in order to expedite your request for a certificate. This process can take up to two days depending on verification. You will typically get an email back that looks like:
—–BEGIN CERTIFICATE—–
MIICnjCANgcANgEUMA0GCSqGSIb3DQEBBAUAMIG5MQswCQYDVQQGEwJVUzETMB EGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxHDAaBgNVBAoTE0
NsaWNrQXJyYXkgTmV0d29ya3MxFDASBgNVBAsTC0RldmVsb3BtZW50MSMwIQYDVQ
QDExpkZXZlbG9wbWVudC5jbGlja2FycmF5LmNvbTEpMCcGCSqGSIb3DQEJARYaZGV2Z
WxvcG1lbnRAY2xpY2thcnJheS5jb20wHhcNMDIwMjEzMTgwMTI5WhcNMDMwMjA4MTgw
MTI5WjB0MQswCQYDVQQGEwJVUzEMMAoGA1UECBMDRE9EMQwwCgYDVQQHEw
NET08xCzAJBgNVBAoTAkRPMQswCQYDVQQLEwJETzETMBEGA1UEAxMKMTAuMTIu MC4xNDEaMBgGCSqGSIb3DQEJARYLbWhAZGtkay5jb20wgZ8wDQYJKoZIhvcNAQEBBQ ADgY0AMIGJAoGBAMx4r+ae4kTZggtyU047OsKUyqCt+V1MHgTPTpVxdtxYhSTSOZwYIX gRqBEdJvs2/ua1XZRzLOCTa58VI/8I3derAPqz79WpBRsxD25rCT1rzmalfkTea3V8jHJYP6Yin DTWKFKztxeUclkzukzPUZO6M0fI5ToXNuLEe+IwvOkfAgMBAAEwDQYJKoZIhvcNAQEEB QADgYEAodV5O0LKUr/O0BbxOnwmyP/DkLj4bpe9XxQO6B4psDey/+xBHs6tgGKuy8spbcJ4 pQc+5KLydK1ZYcTkbxJq41K4RHM11OClXVjm3xRhqKQnjzNboExIvkZsKIBbfLkBrM1eBnE aiYWXmsYGfxPkwdhKlQCLQgN+G3IKu2cRQLU=
—–END CERTIFICATE—–
Warning: It is imperative that you do not delete the SSL virtual host before you import the certificate you received from your CA. If you clear your SSL information you will have to send another CSR to your CA to get another certificate. Fortunately most CAs give you a 30day trial period to get another certificate if something goes wrong. If it is past the 30day mark you might have to pay for another certificate. Be very careful when manipulating any SSL configurations on the FortiBalancer appliance.
Once you have received the certificate you can import it into the SSL subsystem. To perform this task, simple cut from “—–BEGIN CERTIFICATE —-” line down to the “—-END CERTIFICATE—–”. It is important to follow the instructions as supplied by the appliance to terminate the import.
FortiBalancer(config)#ssl import certificate www.example.com 1
You may overwrite an existing certificate file, type “YES” without quotes to continue: YES Enter the certificate file in PEM format, use “…” on a single line, without quotes to terminate import
—–BEGIN CERTIFICATE—–
MIICnjCANgcANgEUMA0GCSqGSIb3DQEBBAUAMIG5MQswCQYDVQQGEwJVUzETMB EGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxHDAaBgNVBAoTE0
NsaWNrQXJyYXkgTmV0d29ya3MxFDASBgNVBAsTC0RldmVsb3BtZW50MSMwIQYDVQ
QDExpkZXZlbG9wbWVudC5jbGlja2FycmF5LmNvbTEpMCcGCSqGSIb3DQEJARYaZGV2Z
WxvcG1lbnRAY2xpY2thcnJheS5jb20wHhcNMDIwMjEzMTgwMTI5WhcNMDMwMjA4MTgw
MTI5WjB0MQswCQYDVQQGEwJVUzEMMAoGA1UECBMDRE9EMQwwCgYDVQQHEw
NET08xCzAJBgNVBAoTAkRPMQswCQYDVQQLEwJETzETMBEGA1UEAxMKMTAuMTIu MC4xNDEaMBgGCSqGSIb3DQEJARYLbWhAZGtkay5jb20wgZ8wDQYJKoZIhvcNAQEBBQ ADgY0AMIGJAoGBAMx4r+ae4kTZggtyU047OsKUyqCt+V1MHgTPTpVxdtxYhSTSOZwYIX gRqBEdJvs2/ua1XZRzLOCTa58VI/8I3derAPqz79WpBRsxD25rCT1rzmalfkTea3V8jHJYP6Yin DTWKFKztxeUclkzukzPUZO6M0fI5ToXNuLEe+IwvOkfAgMBAAEwDQYJKoZIhvcNAQEEB QADgYEAodV5O0LKUr/O0BbxOnwmyP/DkLj4bpe9XxQO6B4psDey/+xBHs6tgGKuy8spbcJ4 pQc+5KLydK1ZYcTkbxJq41K4RHM11OClXVjm3xRhqKQnjzNboExIvkZsKIBbfLkBrM1eBnE aiYWXmsYGfxPkwdhKlQCLQgN+G3IKu2cRQLU=
—–END CERTIFICATE—–
Also you can import a certificate file from a remote machine running the TFTP service. The file name defaults to <Host name>.crt. In our case, the file name is “www.example.com.crt”.
FortiBalancer(config)#ssl import certificate www.example.com 1 10.10.13.82 www.example.com.crt
You may overwrite an existing certificate file, type “YES” without quotes to continue: YES
After importing the certificate successfully, you will get a response from the CLI prompt. Then you can activate the certificate via the following command “ssl activate certificate <host_name> [cert_index]”. For example:
SJ-Box1(config)#ssl activate certificate www.example.com 1
And then you can start up the SSL:
FortiBalancer(config)#ssl start www.example.com
Now we have a functioning SSL accelerated site. If this example is a real site configuration, you will be able to connect securely to the site by using your Web browser.
Note: The OS will check the certificate chain for the SSL virtual host when enabling the virtual host. A warning message, stating that the certificate chain is incomplete, will be printed on console for the certificate if any of the certificates for its root CA and intermediate CAs cannot be found in the host’s intermediate CA file or the global trusted CA file. These certificates can be imported by using the “ssl import rootca” and “ssl import interca <vhostname>” commands.
If you already have a key and certificate pair from a trusted certificate authority, you can easily import them into the FortiBalancer appliance. This can be done by using the “ssl import key” and “ssl import certificate” commands.
Ø Step 1 Use existing certificate and key for newly created SSL virtual host
FortiBalancer(config)#ssl import key www.example.com 1
You may overwrite an existing key file. This may require you to purchase a new certificate type “YES” without quotes to continue: YES
After you execute this command the appliance will ask you to cut and paste your existing key directly into the CLI. Make absolutely certain to follow the instructions as put forth by the appliance.
Also you can import a key file from a remote machine running the TFTP service. The file name defaults to <Host name>.key. In our case, the file name is “www.example.com.key”.
FortiBalancer(config)#ssl import key www.example.com 1 10.10.13.82 www.example.com.key You may overwrite an existing key file. This may require you to purchase a new certificate type “YES” without quotes to continue: YES
Then we will proceed with importing the certificate:
FortiBalancer(config)#ssl import certificate www.example.com 1 www.example.com.crt
You may overwrite an existing certificate file, type “YES” without quotes to continue: YES Enter the certificate file in PEM format, use “…” on a single line, without quotes to terminate import.
—–BEGIN CERTIFICATE—–
MIICnjCANgcANgEUMA0GCSqGSIb3DQEBBAUAMIG5MQswCQYDVQQGEwJVUzETMB EGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxHDAaBgNVBAoTE0
NsaWNrQXJyYXkgTmV0d29ya3MxFDASBgNVBAsTC0RldmVsb3BtZW50MSMwIQYDVQ
QDExpkZXZlbG9wbWVudC5jbGlja2FycmF5LmNvbTEpMCcGCSqGSIb3DQEJARYaZGV2Z
WxvcG1lbnRAY2xpY2thcnJheS5jb20wHhcNMDIwMjEzMTgwMTI5WhcNMDMwMjA4MTgw MTI5WjB0MQswCQYDVQQGEwJVUzEMMAoGA1UECBMDRE9EMQwwCgYDVQQHEw
NET08xCzAJBgNVBAoTAkRPMQswCQYDVQQLEwJETzETMBEGA1UEAxMKMTAuMTIu MC4xNDEaMBgGCSqGSIb3DQEJARYLbWhAZGtkay5jb20wgZ8wDQYJKoZIhvcNAQEBBQ ADgY0AMIGJAoGBAMx4r+ae4kTZggtyU047OsKUyqCt+V1MHgTPTpVxdtxYhSTSOZwYIX gRqBEdJvs2/ua1XZRzLOCTa58VI/8I3derAPqz79WpBRsxD25rCT1rzmalfkTea3V8jHJYP6Yin DTWKFKztxeUclkzukzPUZO6M0fI5ToXNuLEe+IwvOkfAgMBAAEwDQYJKoZIhvcNAQEEB QADgYEAodV5O0LKUr/O0BbxOnwmyP/DkLj4bpe9XxQO6B4psDey/+xBHs6tgGKuy8spbcJ4 pQc+5KLydK1ZYcTkbxJq41K4RHM11OClXVjm3xRhqKQnjzNboExIvkZsKIBbfLkBrM1eBnE aiYWXmsYGfxPkwdhKlQCLQgN+G3IKu2cRQLU=
—–END CERTIFICATE—–
Note: You must import the key and then import the certificate. The FortiBalancer appliance supposes that the key is imported first.
After importing the certificate successfully, you will get a response from the CLI prompt. Then you can activate the certificate via the command “ssl activate certificate <host_name> [cert_index]”. For example:
SJ-Box1(config)#ssl activate certificate www.example.com 1
Then we can start the SSL subsystem:
FortiBalancer(config)#ssl start www.example.com
Now the FortiBalancer appliance is configured to take full advantage of the SSL functionality within the OS. At this point, administrators should be able to connect securely to the site by using a Web browser.
The FortiBalancer appliance allows you to import PEM (Privacy Enhanced Mail) formatted certificate and key through a cut and paste method via the CLI or web UI. If you have a “Non-PEM” formatted certificate and key pair, you will need to import the certificate and key via TFTP. This is explained in the following section.
Import Certificate and Key from IIS and NS iPlanet Web Servers
IIS
If you are using the Microsoft IIS server, the FortiBalancer appliance will allow you to import the certificate from IIS versions 4 and 5 through TFTP mechanism. IIS stores the SSL key and certificate in the same file. This file is in .PFX format. You need to put this file onto a TFTP server in its TFTP root directory and rename it as <host_name>.crt. This file then can be imported into FortiBalancer appliance through the “ssl import certificate” command. This command takes TFTP server IP as an extra argument.
FortiBalancer(config)#ssl import certificate www.example.com 1 10.10.0.3
This command will download a file that is named <host_name>.crt. In our case it is “www.example.com.crt” from the TFTP server (10.10.0.3).
After importing the certificate successfully, you will get a response from the CLI prompt. Then you can activate the certificate via the command “ssl activate certificate <host_name> [cert_index]”. For example:
SJ-Box1(config)#ssl activate certificate www.example.com 1
Once the certificate and key import is successful through TFTP server, you need to start the SSL service with the “ssl start” command.
FortiBalancer(config)#ssl start www.example.com
Netscape/iPlanet
If you are using the Netscape or iPlanet servers, the FortiBalancer appliance will also allow you to import the certificate and key. The iPlanet server stores the key/cert pair in the directory /<serverroot>/alias/ where <serverroot> is the directory where the server is installed. In that directory there will be two files of the form <serverid-hostname>-key3.db and
<serverid-hostname>-cert7.db. You will need to copy the first file to your TFTP server’s root directory and name it the same as your virtual host with a .key extension. The cert will be the same, but with a .crt extension. These have to be exact, or the SSL subsystem will not load them correctly.
Now we can import the certificate and key.
FortiBalancer(config)#ssl import key www.example.com 1 10.10.0.3 www.example.com.key
This command imports the key from 10.10.0.3 with the file name “www.example.com.key”.
Note: You must first import the certificate and then import the key when importing an SSL cert/key pair from iPlanet.
FortiBalancer(config)#ssl import certificate www.example.com 1 10.10.0.3 www.example.com.crt
This command imports the certificate from 10.10.0.3 with the filename “www.example.com.crt”.
Once the key is imported, theOS will ask you for a password. This password is the one you use for the database password on the iPlanet server.
After importing the certificate successfully, you will get a response from the CLI prompt. Then you can activate the specific certificate via the command “ssl activate certificate <host_name> [cert_index]”. For example:
SJ-Box1(config)#ssl activate certificate www.example.com 1
Then we can start the SSL subsystem:
FortiBalancer(config)#ssl start www.example.com
Now the FortiBalancer appliance is configured to take full advantage of the SSL functionality within the OS.
IMPORTANT: In this section we have created an SLB virtual service and configured SSL for it. This SLB virtual service is now ready to be used, and need to be linked with one or more SLB real services so that the SLB module can complete the SSL requests coming to this SLB virtual. To get information on “How to associate an SLB virtual with an SLB real”, please refer to the SLB configuration section.
11.3.2.3 Creating an SSL Real Host
The FortiBalancer appliance allows you to use the SSL subsystem to talk to SSL enabled real servers. This allows an encrypted transaction between the OS and the backend servers.
Configuration of SSL real host is very simple and can be explained as follows:
The first step in this procedure is to define the SLB real service. To do this first we will employ an SLB related command. This command will create the SLB real service. The second step is to use the “ssl host” command to define the SSL real host.
For the definition and meaning of each parameter supplied in this command, please refer to the SLB CLI section of CLI Reference.
FortiBalancer(config)#slb real https real1https 192.168.1.20 443 tcps
FortiBalancer(config)#ssl host real www.myreal.com real1https
In the above example, please note that “real1https” is our newly created SLB real service, which represents a backend server running on IP 192.168.1.20 and port 443 and is capable of handling SSL requests. As a final step, we can start the SSL subsystem:
FortiBalancer(config)#ssl start www.myreal.com
Now the FortiBalancer appliance is configured to take full advantage of the SSL functionality while communicating with the backend server.
IMPORTANT: In this section we have created an SLB real service and configured SSL for it. This SLB real service is now ready to be used, and need to be linked with an SLB virtual service so that the SLB module can direct the traffic to this SSL enabled SLB real service. To get information on “How to associate an SLB real with an SLB virtual” please refer to the SLB configuration section.
11.3.2.4 Advanced SSL Configuration for SSL Virtual Host
You can configure different SSL settings for your SSL virtual host.
- Step 1 Stop SSL virtual host
FortiBalancer(config)#ssl stop www.example.com
This will stop SSL virtual host and will allow you to change SSL settings for this virtual host.
- Step 2 Configure ciphersuites for the SSL virtual host
FortiBalancer(config)#ssl settings ciphersuite “www.example.com” “DES-CBC3-SHA”
The cipher suite settings allow you to define ciphers for this SSL virtual host. The following lists the cipher suites allowed for an SSL virtual host:
Cipher Suites | Bits | Protocols – Virtual Hosts | ||
SSLv3.0 | TLSv1.0 | TLSv1.2 | ||
RC4-MD5 | 128 | √ | √ | √ |
RC4-SHA | 128 | √ | √ | √ |
DES-CBC-SHA | 64 | √ | √ | x |
DES-CBC3-SHA | 192 | √ | √ | √ |
AES128-SHA | 128 | √ | √ | √ |
AES256-SHA | 256 | √ | √ | √ |
AES128-SHA256 | 128 | x | x | √ |
AES256-SHA256 | 256 | x | x | √ |
EXP-RC4-MD5 | 40 | √ | x | x |
EXP-DES-CBC-SHA | 40 | √ | x | x |
Note: In the preceding table, “√” indicates that the cipher suite is supported; “x” indicates that the cipher suite is not supported.
To enable multiple ciphers for a single SSL virtual host, you will need to specify the ciphers in the form of a colon (:) separated list. The following command enables all the ciphers for an SSL virtual host:
FortiBalancer(config)#ssl settings ciphersuite “www.example.com”
“RC4-MD5:RC4-SHA:DES-CBC3-SHA:DES-CBC-SHA:AES128-SHA:AES256-SHA:AES1
28-SHA256:AES256-SHA256:EXP-RC4-MD5:EXP-DES-CBC-SHA”
- Step 3 Configure protocol version for SSL virtual host
FortiBalancer(config)#ssl settings protocol “www.example.com” “SSLv3:TLSv1:TLSv12” The FortiBalancer appliance supports the protocols Secure Sockets Layer version 3 (SSLv3), Transport Layer Security Protocol version 1.0 (TLSv1), and Transport Layer Security Protocol version 1.2 (TLSv1.2). You can use one, two or all of these protocols for the SSL virtual host settings.
Note: Parameter value “TLSv12” stands for the TLSv1.2 protocol.
- Step 4 Configure session reuse for SSL virtual host
FortiBalancer(config)#ssl settings reuse “www.example.com”
This allows you to enable SSL session reuse for an SSL virtual host. This feature is enabled by default.
- Step 5 Configure client authentication for SSL virtual host
The FortiBalancer appliance supports the SSL based client authentication. You can enable client authentication for an SSL virtual host. If enabled, the FortiBalancer appliance will require each client to present an SSL certificate for authorization, before the client can access the SSL virtual host.
FortiBalancer(config)#ssl settings clientauth “www.example.com”
IMPORTANT: If you enable SSL client authentication for an SSL virtual host, you must provide a trusted CA certificate. This will be used by the FortiBalancer appliance to verify client certificates.
FortiBalancer(config)#ssl import rootca “www.example.com”
This command will prompt you to cut and paste the trusted authority certificate in PEM format. You may configure multiple trusted authorities for one SSL virtual host.
Furthermore, the SSL virtual host will check the client certificate based on the configured certificate filters (by using the command “ssl settings certfilter”). If the client certificate fails the certificate verification, the SSL host will reject the client’s access. At most three pieces of “certfilter” configuration (by using the “ssl settings certfilter” command) can be configured for an
SSL virtual host. The logical relationship among the three pieces of “certfilter” configuration is “OR”. If the client certificate does not match any piece of “certfilter” configuration, the SSL virtual host will reject the client’s access.
The filters can be configured with any of the supported RDNs on the FortiBalancer appliances.
Table 11-3 Supported RDN on FortiBalancer
RDN | Standard Name |
C | Country Name |
ST | State or Province Name |
L | Locality Name |
O | Organization Name |
OU | Organizational Unit Name |
CN | Common Name |
SN | Serial Number |
dnQualifier | DN Qualifier |
Pseudonym | Pseudonym |
Title | Title |
GQ | Generation Qualifier |
Initials | Initials |
RDN | Standard Name |
Name | Name |
givenName | Given Name |
Surname | Surname |
DC | Domain Component |
emailAddress | Email Address |
{OID expression} | OID information, for example: 1.2.3.4 |
For example:
FortiBalancer(config)#ssl settings certfilter vhost
“subject:/C=US/O=Fortinet/OU=QA/emailAddress=support@fortinet.com”
“issuer:/C=US/”
In this example, client certificates can pass the certificate verification only when the following conditions are both met:
- In the “subject” field, “C” is “US”, “O” is “Fortinet”, “OU” is “QA” and “emailAddress” is “support@fortinet.com”.
- In the “issuer” field, “C” is “US”.
Otherwise, the client will fail the authentication.
Two kinds of client authentication modes are supported: mandatory and non-mandatory. Client authentication mode defaults to mandatory. In non-mandatory client authentication mode, when the server sends a certificate request to the client, if the client has no matched certificate or cancels the authentication by clicking the Cancel button, the server will permit the client to access limited network resources instead of dropping the SSL connection. However, all the networks resources which can be published to non-authenticated clients need to be defined by using the “http acl url” command.
- Step 6 Configure client certificate parsing for SSL virtual host
You also can define the certificate parse method for the SSL virtual host.
FortiBalancer(config)#ssl settings cerparse www.example.com
FortiBalancer(config)#ssl settings verifymethod www.example.com fast
- Step 7 Configure CRL for SSL virtual host
FortiBalancer supports the CRL (Certificate Revocation List) functionality. You can configure the FortiBalancer appliance to fetch the CRL file periodically from a CRL Distribution Point (CDP) by using HTTP or FTP.
For our example, let’s consider a case when you have put your CRL file (Fortinet.crl) on an HTTP Web server (www.crldp.com) and you want to fetch it every one minute.
You can configure the FortiBalancer appliance as follows:
FortiBalancer(config)#ssl settings crl offline www.example.com
“http://www.crldp.com/Fortinet.crl” 1
This will cause the FortiBalancer appliance to fetch the CRL file at the regular interval of one minute from the “www.crldp.com” site by utilizing HTTP. You can also specify an FTP URL to download the CRL file.
FortiBalancer(config)#ssl settings crl offline www.example.com “ftp://ftp.crldp.com/Fortinet.crl” 1
You may also specify an LDAP URL to download the CRL file.
FortiBalancer(config)#ssl settings crl offline www.example.com
“ldap://ldap.crldp.com/cn=fortibalancer,dc=fortinet,dc=com” 1
- Step 8 Configure OCSP for SSL virtual host to check the certificate validation online The FortiBalancer appliance supports the OCSP (Online Certificate Status Protocol) protocol. You may configure the FortiBalancer appliance to validate the certificate on an OCSP server online.
For our example, configure an OCSP server (ocsp.crldp.com:8888) and to validate the certificate online, you may configure the FortiBalancer appliance as follows:
FortiBalancer(config)#ssl settings ocsp www.example.com “http:// ocsp.crldp.com:8888“
Note: The OCSP has top priority. When configured, the OCSP will validate the certification by only checking the OCSP server.
- Step 9 Configure redirect for clients without strong encryption support
The FortiBalancer appliance provides you with a facility to redirect the weak clients (clients who are not using strong ciphers) to another URL. You can specify the minimum strength of the cipher as acceptance criteria. Any client that uses a cipher weaker than this will be redirected to the configured URL.
For example, consider a scenario where you want to redirect all clients that does not support cipher suites with at least 168 bits key length to a different site “www.example2.com”.
This can be configured by using the following command:
FortiBalancer(config)#ssl settings minimum www.example.com 168
“http://www.example2.com”
- Step 10 Apply modified SSL settings
You will need to activate the SSL virtual host to take advantage of all the configuration steps taken to this point.
FortiBalancer(config)#ssl start www.example.com
11.3.2.5 Advanced SSL Configuration for SSL Real Host
You can configure different SSL settings for your SSL real host.
- Step 1 Stop SSL real host
FortiBalancer(config)#ssl stop www.myreal.com
This will stop SSL real host and will allow you to change SSL settings for this host.
- Step 2 Configure ciphersuites for the SSL real host
FortiBalancer(config)#ssl settings ciphersuite “www.myreal.com” “DES-CBC3-SHA”
The cipher suite settings allow you to define ciphers for this SSL real host. Only a limited set of ciphers are allowed for real hosts.
- DES-CBC3-SHA
- RC4-SHA
- RC4-MD5
- AES128-SHA
- AES256-SHA
- Step 3 Configure protocol version for SSL real host
FortiBalancer(config)#ssl settings protocol “www.myreal.com” “SSLv3:TLSv1“
The FortiBalancer appliance supports the protocols SSLv3 and TLSv1. You may use one or both of the two protocols.
- Step 4 Configure session reuse for SSL real host
This allows you to enable SSL session reuses between the FortiBalancer appliance and backend servers. This feature is enabled by default.
FortiBalancer(config)#ssl settings reuse www.myreal.com
- Step 5 Configure client authentication for SSL real host
The FortiBalancer appliance can use SSL client authentication while communicating with the backend server. If this setting is enabled, the FortiBalancer appliance will submit the client certificate to the backend sever for authentication during SSL handshake.
FortiBalancer(config)#ssl settings clientauth www.myreal.com
IMPORTANT: If you want to enable client authentication for an SSL real host, you will need to import a certificate and key pair for the SSL real host. The SSL real host will present this certificate to the backend server for authentication. This may be accomplished by using the “ssl import certificate” and “ssl import key” commands for an SSL real host. These two commands work exactly the same for an SSL virtual host and an SSL real host. For detailed instruction on using these commands, please refer to the SSL virtual host configuration described earlier.
- Step 6 Configure checking common name of real server certificate
If you want to verify the certificate of the real backend server, you will need to turn on global settings for verifying the server certificate. In addition, make certain the common name of the server certificate matches a specific name by running the command “ssl settings servername”.
For example, if the certificate common name of the real server associated with the real host “www.myreal.com” is “Myreal Inc.”, you can use the following command:
FortiBalancer(config)#ssl settings servername www.myreal.com “Myreal Inc.”
- Step 7 Import trusted CA certificate for SSL real host
Since the SSL subsystem acts like a client to the real server, it has several root CA certificates just like a common Web browser. If you are using a self-signed certificate, or a certificate issued by your own local CA on your origin servers, then you need to use the “ssl import rootca” command to import the self-signed certificate that is on the real server or the local CA certificate.
The certificate must be in PEM format and is imported the same way you import a PEM certificate. The FortiBalancer appliance will prompt you to cut and paste the text to the terminal and enter “…” to accept the certificate.
FortiBalancer(config)#ssl import rootca
- Step 8 Apply modified SSL settings
You will need to activate the SSL real host to take advantage of all the configuration steps taken to this point.
FortiBalancer(config)#ssl start www.myreal.com