Which SSL/TLS settings, Algorithms and Methods to use

Recommended Server Encryption Methods

  • Hash-Algorithms: SHA3, SHA2-512, SHA2-384, SHA2-256, Poly1305
  • Symmetric Encryption Algorithms: AES-GCM-256, AES-GCM-128, ChaCha20
  • Key-Exchange-Methods: ECDHE, DHE-4096Bit, Diffie-Hellman group 24 (Modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup), 521 bit elliptic curve (DH-Group 21), 384 bit elliptic curve (DH-Group 19), 256 bit elliptic curve (DH-Group 19), DHE-2048Bit (DH-Group 14)
  • Certificate-Keys: EC 256Bit, RSA-4096Bit, RSA-2048Bit,
  • Certificate Signing: ECDSA, RSA
  • Encryption-Protocols: TLS 1.3, TLS 1.2
  • Webserver Downgrade attack prevention: TLS_FALLBACK_SCSV, Strict Transport Security (HSTS)
  • Password Hashing Algorithms: Argon2, scrypt, bcrypt, PBKDF2
  •     Source: F5

List of Recommended TLS-Ciphers:

Very secure:

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

Secure:

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)

High Compatibility but still secure:

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)

FortiConverter 5.5 Python - Installation issue "Internet Explorer" Default Browser

Fortinets configuration migration tool FortiConverter (documentation) has been rewritten using python and has been launched in the past few months. In some special circumstances the installation could show the following error: "FortiConverter can not support Internet Explorer, please use Chrome or Firefox and set them as default browser.":
 

Problem:

You've changed the default browser of your Windows operating system to Chrome or Firefox - but the error still occurs during the installation.

Cause:

Your current Windows user is using Chrome or Firefox as default browser, but the administrator user, which is used to install FortiConverter, has still set Internet Explorer as default Browser.

Solution: 

Login to Windows with your administrator user, change the Windows Default Browser to Firefox or Chrome. Login again with your normal user, install FortiConverter without any issue.
 

Azure Managed Identities (technical service accounts)

Explaination Azure Managed Identities = technical service accounts Password is automatically managed, as it was the case in managed service ...