SSL/TLS Full Inspection - OCSP checking

Author
netwrkr
2015/08/11 11:39:15 (permalink)

I've tried to deal with tech support a few times but.....we don't seem to be on the same page.
 
Setup:
 
Fortiguard performing full SSL/TLS inspection of web traffic.
 
Does any sort of OCSP checking happen?  If not, how come? 
 
Thanks.
Tom
#1


    emnoc
    Re: SSL/TLS Full Inspection - OCSP checking 2015/08/11 17:53:11 (permalink)
    What exactly is your setup & reasoning for this question?
     
    Would that not be a requirement of the browser to initiate the cert validation or revocation method? I mean a browser could perform this via OCSP or CRL, but not both at the same time (generally speaking), but that would all pertain if the server has an embedded OCSP response in the certificate to begin with (can't conduct an OCSP validation if none exists).
     
    In fact all modern browsers execute some means of OCSP validation, but not all CAs respond to OCSP (e.g. your in-house CA chain might never use OCSP for these domain certs).
     
    So to answer your question, I believe a FortiGate does NOT change the cert validation method presented by the client during SSL inspection but mainly passes any certificate revocation means that's present from the browser. You can inspect the site certificate by exporting it from the web browser's lock and details certificate fields and validate if an OCSP is listed and the CRL distribution points.
     
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #2
    netwrkr
    Re: SSL/TLS Full Inspection - OCSP checking 2015/08/12 07:27:28 (permalink)
    Hi -
     
    Thanks for the response. Your understanding of how OCSP works is correct - in a non-FULL SSL/TLS inspection mode, in that the web browser is responsible for the OCSP query. In the case of full SSL/TLS inspection (i.e. man in the middle) the Fortigate is actually the client responsible for doing all the security checks that are normally performed by the web browser, e.g.:
     
    Is the presented server certificate valid and trusted?
     - issued by a trusted CA;
     - has the certificate been revoked? CRL / OCSP checking
     
    Does the web server use sufficient cipher/encryption strength?
     - this is something the FG does not currently check, nor allow configuration of minimum values
     
    Tom
    #3
    emnoc
    Re: SSL/TLS Full Inspection - OCSP checking 2015/08/12 09:17:29 (permalink)
    How are you determining that?
     
    I would be surprised if the fortigate is not conducting CRL or OCSP checks (but then again, I've been surprised by FTNT lately ; ) )
     
    I'm just curious, if the client that originates the SSL session disables the OCSP query, will the fortigate act on its behalf and query regardless? (see screenshot of a firefox browser adv settings)
     
    I think maybe some type of diag debug app (what, I don't know... maybe someone will chime in) could shed light at the end of the tunnel. Or a packet capture from the fortigate and running it through wireshark/tshark, maybe, for responses.
     
    e.g.
    tshark -r 443.pcap -n -2 -R '(ocsp)' -T fields -e ocsp
    tshark -i en5 -n -f 'port 443' -T fields -e ocsp
     
    (just guessing here)
     
    Let us know how far you go with this and what you find.
     
    Ken
     
     
    post edited by emnoc - 2015/08/12 09:19:16

    Attached Image(s)


    #4
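    The capture filter Ken suggests only shows whether an OCSP request appears on the wire; to confirm what the inspecting device actually asked about, the request itself has to be decoded. Added example (not from this thread or from Fortinet): a stdlib-only Python encoder and decoder for the RFC 6960 OCSPRequest structure, applied to the GET URL form of the request; the responder URL, issuer hashes and serial number are constructed placeholders.

```python
import base64, hashlib, urllib.parse

def der(tag, body):
    """DER TLV with short-form length (enough for an unextended request)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def build_ocsp_request(issuer_name_hash, issuer_key_hash, serial):
    """OCSPRequest > tbsRequest > requestList > Request > CertID, SHA-1 CertID."""
    sha1_alg = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b""))
    serial_der = serial.to_bytes(serial.bit_length() // 8 + 1, "big")  # keeps sign bit clear
    cert_id = der(0x30, sha1_alg + der(0x04, issuer_name_hash)
                  + der(0x04, issuer_key_hash) + der(0x02, serial_der))
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))

def tlv(buf, pos=0):
    """Read one DER element (short or long form length); return (tag, value, next pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(value):
    """Split a constructed DER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def parse_ocsp_request(raw):
    """One dict per CertID in the request; signature and extensions are ignored."""
    _, tbs, _ = tlv(tlv(raw)[1])  # OCSPRequest -> tbsRequest
    req_list = next(v for t, v in children(tbs) if t == 0x30)  # past [0] version / [1] name
    found = []
    for _, req in children(req_list):
        _, name_hash, key_hash, serial = children(children(req)[0][1])  # CertID members
        found.append({"issuer_name_hash": name_hash[1], "issuer_key_hash": key_hash[1],
                      "serial": int.from_bytes(serial[1], "big", signed=True)})
    return found

def ocsp_request_from_get_url(url, responder_base):
    """Decode the GET form {responder}/{url-encoded base64 DER} (RFC 6960 A.1)."""
    b64 = urllib.parse.unquote(url[len(responder_base):].lstrip("/"))
    return parse_ocsp_request(base64.b64decode(b64))

# Constructed sample: placeholder responder, hashes of made-up issuer data, serial with top bit set.
RESPONDER, SERIAL = "http://ocsp.example.test", 0xDEADBEEFCAFE
NAME_HASH, KEY_HASH = (hashlib.sha1(s).digest() for s in (b"made-up issuer name", b"made-up issuer key"))
SAMPLE_GET = RESPONDER + "/" + urllib.parse.quote(base64.b64encode(
    build_ocsp_request(NAME_HASH, KEY_HASH, SERIAL)).decode(), safe="")
```

    Feed a URL taken from a proxy or capture log into ocsp_request_from_get_url with the responder base from the certificate's AIA extension; the POST form carries the same DER in the request body and goes straight to parse_ocsp_request.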
    netwrkr
    Re: SSL/TLS Full Inspection - OCSP checking 2015/08/12 13:41:42 (permalink)
    Hello:
     
    I ran tcpdump on the Internet-facing interface of the switch - it sees all inbound and outbound Internet traffic. No OCSP requests whatsoever.
     
    Fortinet ticket number:  1481242
     
    My SE says "This appears to be a bug.  But they are still researching the issue."
    Tom
     
    #5
    netwrkr
    Re: SSL/TLS Full Inspection - OCSP checking 2015/08/13 06:52:28 (permalink)
    From Fortinet support:
     
    "Currently, FGT does not support this feature. There is no option to check certificate validity against an OCSP server when using DPI(deep packet inspection)."
     
     
    I've asked for this to be a feature request.
     
    Tom
    #6
    emnoc
    Re: SSL/TLS Full Inspection - OCSP checking 2015/08/13 07:52:05 (permalink)
    So this brings me back to the web browser support (OCSP/CRL) and cert validation: does the fortigate pass this request through transparently? (my experience == different browsers support certificate checks to various degrees, IE vs Firefox vs Chrome vs Safari, etc.). So I guess the answer is No based on what support said.
     
    I find it strange and a big disappointment to see that even with SSL certificate inspection (not full) the fortigate doesn't really validate the certificate revocation lookup. It would be nice to at least try a query and have an option to allow or not-allow if the query does complete.
     
    So any revoked cert could be passed off and an unaware browser establishes an SSL/TLS connection to the site. Or am I missing something?
     
    This is like having a strong door lock and everybody has a copy of the key ;)
     
     
    Ken
     

    #7
    netwrkr
    Re: SSL/TLS Full Inspection - OCSP checking 2015/08/13 07:59:48 (permalink)
    emnoc -
     
    I agree. I have multiple issues with the way the FG presents these options. For example (and this is directly from support):
     
    1) If the "ssl-ca-list" option is not enabled in the SSL Inspection profile, only the certificate expiration date is checked.
     
    - so, by default, any certificate - privately issued or CA issued, with a valid expiration date, will be blindly accepted. - So, what exactly is this check doing to improve security????
     
    I hate to say it, but the Palo Alto kicks butt in this area. Granted it's ridiculously expensive as compared to the FG but.....I think the FG presents a false sense of security.
     
    #8
    emnoc
    Re: SSL/TLS Full Inspection - OCSP checking 2015/08/13 08:19:34 (permalink)
    Quoting netwrkr:
    "- so, by default, any certificate - privately issued or CA issued, with a valid expiration date, will be blindly accepted. - So, what exactly is this check doing to improve security????"
     
    and this:
     
    "I hate to say it, but the Palo Alto kicks butt in this area. Granted it's ridiculously expensive as compared to the FG but.....I think the FG presents a false sense of security."
     
    All browsers check the cert expiration date AFAIK ;) So the added security (FTNT FGT) is questionable??????????
     
    This reminds me of my parents going out to buy a 120 USD door lock but placing the key under the flower planter outside the door.
     
     
     

    #9
    netwrkr
    Re: SSL/TLS Full Inspection - OCSP checking 2015/08/13 08:31:42 (permalink)
    emnoc - totally agree. Would you please open up a support ticket / feature request or contact your local SE? I would like to have everyone pushing to add these features as soon as possible.
     
    Thanks.
    #10
    netwrkr
    Re: SSL/TLS Full Inspection - OCSP checking 2015/08/13 10:23:17 (permalink)
    From Fortinet support:
     
    "Hello Tom,
     
    I am not aware of any project that is handling OCSP implementation (with DPI) in a future release.
     
    Please contact your SE for a New Feature Request.
     
    Thanks and Regards,
     
    Fortinet TAC Engineer, Americas"


    #11
    emnoc
    Re: SSL/TLS Full Inspection - OCSP checking 2015/08/13 11:09:08 (permalink)
    This is no surprise, check https://www.grc.com/revocation/implementations.htm and the Convergence extension, YMMV. But this problem is seen across the board and in numerous OSes/devices where CRL revocation is not checked.
     
    Ken
     
     

    #12
    Prab
    Re: SSL/TLS Full Inspection - OCSP checking 2018/09/11 04:34:46 (permalink)
    Just for reference, in version 5.6.4 the following checks are performed:
     

    Attached Image(s)

    #13
    emnoc
    Re: SSL/TLS Full Inspection - OCSP checking 2018/09/11 15:00:05 (permalink)
    Revocation lists are unreliable imho and most are using OCSP or providing the details in the certificate for the CRL.
     
    Also keep in mind most CA revocation lists could be 8-24 hours stale and not updated. I would not trust CRL; OCSP is better in the long run.
     
    YMMV
     
    http://socpuppet.blogspot.com/2017/06/ocsp-tool-to-check-certficates.html
     
     

    #14
    Prab
    Re: SSL/TLS Full Inspection - OCSP checking 2018/09/12 00:09:41 (permalink)
    Quoting emnoc:
    "Revocation lists are unreliable imho and most are using OCSP or providing the details in the certificate for the CRL.
     
    Also keep in mind most CA revocation lists could be 8-24 hours stale and not updated. I would not trust CRL; OCSP is better in the long run.
     
    YMMV
     
    http://socpuppet.blogspot.com/2017/06/ocsp-tool-to-check-certficates.html"
     
    Yes, OCSP is indeed a better choice as it is scalable.
    However the reliability could still be tricky, if the OCSP server is using a plain-text protocol and the client could not validate the OCSP server's identity!
    Also, in the case of OCSP the client will establish an extra network connection (3-way TCP handshake etc.) outbound; this also could be an issue if there is network congestion or if the OCSP server is offline etc.
     
    FGT can be configured to use OCSP instead of CRL.
     
    The CRL update interval could be configured or changed in the CLI:
    # config vpn certificate crl
     
    Thanks & regards,
    Prab
     
     
     
    #15
    darwin_FTNT
    Re: SSL/TLS Full Inspection - OCSP checking 2018/09/12 15:25:30 (permalink)
    Just saw that the OCSP support commit has been merged after IPS engine 3.0535. It should be available in v3.0536 (not created yet).
    #16