bw447
New Contributor

Encryption Using an Obsolete Cipher Suite, After CA cert and strong-crypto enable

I have DPI set up and running on one Policy on our cluster (2 3700D v5.2.4,build688).  The rule is only for my laptop.  After following the Cookbook steps on importing the Fortigate CA onto my laptop everything appears to be working very well. Safe search is working and I haven't run into any other major problems except Skype on 365, but I believe it might be tied into the current situation I'm trying to solve.  On Chrome (again everything works well) I click on the SSL link in the URL and it shows me that Chrome verified the FortiGate CA.....  Then it says:

"Your connection to www.netflix.com is encrypted using an obsolete cipher suite.  The connection is encrypted using AES_128_CBC, with HMAC-SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism."

If I look up the same thing on my desktop (which doesn't hit a Policy that uses DPI) I don't get the obsolete cipher error.  I did connect to the CLI and ran "set strong-crypto enable", but I still get the error.  Do I need to configure the Fortigate more?

Any help would be appreciated!

Thanks in advance!

B

4 REPLIES
kallbrandt
Contributor II

Chrome is very rigid when it comes to certificates, and that is actually a good thing.

The solution is to not use the built-in certificates. They use old "easier" ciphers, for compliance reasons (I guess), and are there for test reasons only (imo). Since the Fortigate does a man-in-the-middle (that is: terminates the session from your laptop and opens a new one to the webserver, bakes a new certificate for the site you are visiting and signs it with the Fortigate CA cert), you will not get a better cipher in the certificate than the Fortigate root one, no matter what settings you use. Hence the warning in Chrome.

If you have a PKI infrastructure running, use that. Import the CA certificate, and issue and import a sub-CA certificate to the Fortigate (NOT a plain SSL certificate!). Or create your own CA and make sure all clients trust it. Either way works. The important part to remember is that the certificate used for SSL termination in the Fortigate needs to have issuer rights (it needs to have the right to issue new certificates), which makes the Fortigate a sub-CA/Issuer in the PKI infrastructure.

Richie NSE7
emnoc
Esteemed Contributor III

If you dump your SSL hellos you will see that the negotiated cipher between you and the fortigate was AES_128_CBC with HMAC-SHA1; chrome is just being ....."Chrome".

I bet you if you use a different browser or set Chrome to not negotiate that cipher then you would be okay. I'm also betting in your FortiOS the FortiGate cert is a sha1 cert. I believe the certificate pubkeysize was changed to 2048 bits in 5.2.6 IIRC (someone correct me, I'm too lazy to find the release notes ;)

So if you craft a 2k-bit CSR, have it signed by an external CA or an internal CA and import that into the fortigate, then you would be golden and reduce the obsolete ciphers from the client, including any RC4 ciphers (sha or md5).

I would start by looking at your client browser

https://www.ssllabs.com/ssltest/viewMyClient.html

And by running testssl against the netflix site to learn more

https://testssl.sh/

PCNSE NSE StrongSwan
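The "dump your SSL hellos" check emnoc describes, written out as an added example that is not part of the original thread: it parses the cipher suite out of a TLS ServerHello record and flags the same properties Chrome's "obsolete cipher suite" notice reacts to (protocol below TLS 1.2, key exchange without forward secrecy, non-AEAD cipher). The ServerHello bytes are constructed here rather than captured, and the cipher-suite table covers only a handful of IANA values.

```python
import struct

# Small IANA cipher-suite table (RFC 5246 / RFC 4492 / RFC 5289 values).
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",   # the suite in the Chrome notice
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def parse_server_hello(record: bytes):
    """Return (protocol_version, cipher_suite_id) from one TLS ServerHello record."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 2:
        raise ValueError("not a ServerHello")
    body = hs[4:]                       # skip handshake type + 3-byte length
    version = struct.unpack("!H", body[:2])[0]
    sid_len = body[34]                  # 2 bytes version + 32 bytes random
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return version, suite

def classify(version: int, suite: int):
    """Name the suite and list why a browser would call the negotiation obsolete."""
    name = CIPHER_SUITES.get(suite, f"unknown_{suite:04x}")
    reasons = []
    if version < 0x0303:
        reasons.append("protocol older than TLS 1.2")
    if "DHE" not in name:               # matches ECDHE and DHE key exchange
        reasons.append("key exchange without forward secrecy")
    if "GCM" not in name and "CHACHA20" not in name:
        reasons.append("non-AEAD cipher (CBC/RC4 with HMAC)")
    return name, reasons

def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample ServerHello: fixed random, empty session id, no extensions."""
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", suite) + b"\x00")
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs

if __name__ == "__main__":
    for v, s in [(0x0303, 0xC013), (0x0303, 0xC02F), (0x0301, 0x0005)]:
        ver, suite = parse_server_hello(build_server_hello(v, s))
        print(hex(ver), *classify(ver, suite))
```

On a real capture, feed the raw bytes of the ServerHello record sent by the inspecting device instead of the constructed one; an empty reasons list is what a modern negotiation looks like.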
pcraponi

Like emnoc said, try upgrading to 5.2.8. Versions after 5.2.5 have new ciphers.

regards,

Paulo R.
bw447
New Contributor

Thanks for the info!

I'll probably go the route of upgrading and see if that fixes it.  @emnoc, you are correct, when I tried other browsers they didn't complain.