SSL Labs and Fortigate: Grade capped at B


This is annoying, but I found the correct settings, so you can use SSL Labs and actually get a score that isn't capped at B because of the AES 128 CBC ciphers!

It is very simple:

config system global
    # Minimum protocol version for SSL/TLS connections the FortiGate terminates
    set ssl-min-proto-version TLSv1-2
    # Protocol versions offered by the admin GUI (HTTPS)
    set admin-https-ssl-versions tlsv1-1 tlsv1-2
    # This is the specific setting that disables the bad ciphers: the static-key
    # suites (RSA key exchange, e.g. AES128-SHA) that have no forward secrecy
    set ssl-static-key-ciphers disable
end

This turns off the ciphers that use a static RSA key instead of (ephemeral) DH key exchange, which is what lets the SSL Labs Forward Secrecy test pass.

As soon as I did this and re-ran the scan, my firewalls returned an A+ for their overall rating.
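If you want to confirm the change from the command line instead of waiting on SSL Labs, here is an added check (my example, not from the FortiGate documentation) that asks the admin HTTPS port for each static-RSA cipher the local OpenSSL knows and reports which ones the firewall still accepts. The host name is an assumption; it assumes a local `openssl` binary.

```shell
#!/bin/sh
# Added example: verify that "set ssl-static-key-ciphers disable" took effect.
# After the change every static-RSA (kRSA) probe below should print "rejected".

# Returns 0 when an OpenSSL cipher name uses ephemeral key exchange (forward
# secrecy): ECDHE/DHE suites and the TLS 1.3 suites. Static RSA suites such as
# AES128-SHA or AES256-SHA256 carry no such prefix and return 1.
has_forward_secrecy() {
  case "$1" in
    ECDHE-*|DHE-*|TLS_AES_*|TLS_CHACHA20_*) return 0 ;;
    *) return 1 ;;
  esac
}

# One TLS 1.2 handshake offering a single cipher; prints accepted/rejected.
# The session block of s_client output contains "Cipher    : <name>" only
# when the server actually negotiated that cipher.
probe_cipher() {
  host=$1; port=$2; cipher=$3
  if printf '' | openssl s_client -connect "$host:$port" -tls1_2 -cipher "$cipher" \
      2>/dev/null | grep -q '^ *Cipher *: *'"$cipher"'$'; then
    echo accepted
  else
    echo rejected
  fi
}

# Probe every static-RSA suite in the local OpenSSL build ("kRSA" group).
# Exit status is the number of suites still accepted, so 0 means clean.
check_static_rsa() {
  host=$1; port=${2:-443}
  bad=0
  for c in $(openssl ciphers 'kRSA:!aNULL' | tr ':' ' '); do
    r=$(probe_cipher "$host" "$port" "$c")
    echo "$c $r"
    [ "$r" = accepted ] && bad=$((bad + 1))
  done
  echo "static-RSA ciphers accepted: $bad"
  return $bad
}

# Usage against an assumed host name:
#   check_static_rsa firewall.example.com 443
```

Any "accepted" line means the setting did not apply (or a different VDOM/interface is answering), and SSL Labs will still cap the grade at B.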