Support Forum
AlexFeren
New Contributor III

Show Original Server Certificate from SSL server when SSL Inspection is enabled

Verifying the server certificate with SSL Inspection's "diagnose debug application fnbamd -1" does not show the certificate on my 5.2.6.

Additionally, Fortinet has wisely decided to remove "diagnose debug application ssl" and "diagnose test application sslworker" - it's no longer available in 5.2.6. "More is less".

So, how can I determine the original server certificate offered by the origin server?

3 REPLIES
hop_FTNT
Staff

Certificate information from "diagnose debug application fnbamd -1" can be seen only the first time the website is visited.


Due to a code improvement, sslworker has been removed, and so has its debug command. Some of its debug functions are merged into "dia test application proxyworker".


500D_UP (global) # dia test application proxyworker
Proxy Worker 0 - worker:
pw 0:s Proxy Worker Test Usage
pw 0:s
pw 0:s    1: Dump Memory Usage
pw 0:s    2: Dump vdom list
pw 0:s    3: Display pid
pw 0:s    4: Display stats for all protocols
pw 0:s   13: Clear SSL exempt cache
pw 0:s   14: Clear SSL bypass cache
pw 0:s   42: Dump SSL exempt and bypass cache
pw 0:s   43: Dump SSL session list
pw 0:s 4444: Display per vdom stats for all protocols
pw 0:s    5: Display debug log stats
pw 0:s    6: Toggle Print Stat mode every ~40 seconds
pw 0:s   88: Toggle statistic recording
pw 0:s   94: Disable SO_LINGER
pw 0:s   95: Enable SO_LINGER
pw 0:s   96: Disable Nagle for SSL connections (default)
pw 0:s   97: Enable Nagle for SSL connections
pw 0:s   99: Restart proxy

AlexFeren
New Contributor III

> Certificate information from "diagnose debug application fnbamd -1" can be seen only the first time the website is visited.

That is not what I see, observe:


On Fortigate:

FG60C (global) # diagnose debug application fnbamd -1
FG60C (global) # diagnose debug enable


On client:

$ curl -Ik https://www.mattel.com
HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Cache-Control: no-cache
Content-Length: 770
X-Iinfo: 10-18487729-0 0NNN RT(1458015904641 9) q(0 -1 -1 1) r(0 -1) U5
Date: Tue, 15 Mar 2016 04:25:04 GMT
Connection: keep-alive
Set-Cookie: visid_incap_726338=3gUyqZR2Td2naIr6x0ts4qCO51YAAAAAQUIPAAAAAADc4zmhLi41wqAoQQCC4eTr; expires=Tue, 14 Mar 2017 17:05:25 GMT; path=/; Domain=.x.incapdns.net
Set-Cookie: incap_ses_413_726338=NXPoBgXhujHReJH7pUW7BaCO51YAAAAAuyy+buCc4O66hqeirRYwgg==; path=/; Domain=.x.incapdns.net
X-Robots-Tag: all


On Fortigate:

fnbamd_fsm.c[2145] handle_req-Rcvd auth_cert req id=671334420
fnbamd_auth.c[1328] check_cert-following cert chain depth 0
fnbamd_auth.c[1328] check_cert-following cert chain depth 1
fnbamd_auth.c[1608] cert_check_group_list-group list is null
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 671334420

No server certificate shown!

AlexFeren
New Contributor III

Confirmed by Fortinet support that certificate information display (by logs or debug) is no longer possible.
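Since, per the thread, the FortiGate no longer exposes the origin server's certificate in its debug output, the remaining vantage point is the client's. The script below is an added example, not code from this thread or from Fortinet: it fetches the leaf certificate exactly as the client receives it, reports whether the issuer looks like an inspection CA (meaning the client is seeing a certificate the FortiGate generated, not the origin server's), and prints the SHA-256 fingerprint so the same host can be compared from a path that is exempt from inspection. The issuer strings in INSPECTION_ISSUERS are assumptions to adjust for your deployment, and the two sample certificate dicts are constructed, not captured.

```python
"""Tell whether the certificate a client receives is the origin server's own
or one re-signed by an SSL-inspecting proxy such as a FortiGate."""
import hashlib
import socket
import ssl

# Issuer name fragments that mark a certificate as re-signed by an inspecting
# proxy. These values are an assumption (FortiGate's default CA carries
# "Fortinet" in its name); add your own inspection CA names here.
INSPECTION_ISSUERS = ("fortinet_ca_ssl", "fortigate ca", "fortinet")


def name_to_dict(rdn_seq):
    """Flatten the nested RDN tuples that ssl.getpeercert() returns into a dict."""
    out = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out


def classify(cert):
    """Return 'inspected', 'self-signed' or 'origin' for a getpeercert() dict.

    'inspected': the issuer matches a known inspection CA, so what the client
    holds is the proxy's certificate, not the one the origin server offered.
    """
    subject = name_to_dict(cert.get("subject", ()))
    issuer = name_to_dict(cert.get("issuer", ()))
    issuer_text = " ".join(str(v) for v in issuer.values()).lower()
    if any(hint in issuer_text for hint in INSPECTION_ISSUERS):
        return "inspected"
    if subject == issuer:
        return "self-signed"
    return "origin"


def fingerprint(der_bytes):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_peer_cert(host, port=443, timeout=5):
    """Connect to host and return (cert_dict, der_bytes) as this client sees them.

    Verification stays on: a proxy CA the client does not trust surfaces as
    ssl.SSLCertVerificationError instead of being silently accepted, while a
    client that trusts the proxy CA gets the re-signed cert and classify()
    flags it. Live network call; not exercised by the offline samples below.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed samples in the exact shape getpeercert() returns; they are not
# captures from the thread or from any real FortiGate.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Fortinet"),),
               (("commonName", "Fortinet_CA_SSL"),)),
}
SAMPLE_ORIGIN = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Server Issuer"),)),
}


if __name__ == "__main__":
    import sys
    for sample, label in ((SAMPLE_INSPECTED, "sample inspected"),
                          (SAMPLE_ORIGIN, "sample origin")):
        print(label, "->", classify(sample))
    if len(sys.argv) > 1:
        host = sys.argv[1]
        try:
            cert, der = fetch_peer_cert(host)
            print(host, classify(cert), fingerprint(der))
        except ssl.SSLCertVerificationError as err:
            print(host, "presented certificate is not trusted here:", err)
```

Run it once from a client behind the inspecting FortiGate and once from a host or address that is exempt from inspection: a differing fingerprint, or an 'inspected' result on the first run only, shows that the inspected client never sees the origin certificate, and the exempt run is where the original server certificate can be captured.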
