- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL Certificate Inspection causing connection issu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL Certificate Inspection causing connection issues with certain sites
We have SSL Certificate Inspection enabled (we are NOT using DPI-SSL, so we don't have the MITM invalid certificate problem). Certain services such as Amazon Echo, credit card POS devices, and PRTG application updates error out on connection with this enabled. If I simply remove the certificate inspection from the IP4 rules everything works. Are there any tweaks that will make just the services we're having trouble with connect? I know with DPI-SSL you can set exclusions, but that option doesn't seem to be available for the certificate inspection option. As a secondary question, what exactly is the Fortigate doing during certificate inspection that breaks these services?
Solved! Go to Solution.
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
To answer daccu's question first,
Certificate Inspection should not break any SSL connections. The Fortigate only inspects the SNI on the Client Hello or the Server Certificate when Certificate Inspection is used. It does not attempt a MitM. Could you post the output of the CLI commands, "config firewall ssl-ssh-profile", "edit <your profile>", "show"?
E.g.
edit "certificate-inspection" set comment "SSL handshake inspection." config https set ports 443 set status certificate-inspection end config ftps set ports 990 set status disable end config imaps set ports 993 set status disable end config pop3s set ports 995 set status disable end config smtps set ports 465 set status disable end config ssh set ports 22 set status disable end next
This is the default certificate-inspection profile.
SteveG,
TLS 1.3 would have affected the engine if you used deep-inspection - not widespread yet, recently added into Chrome 56 (would require the server to support the protocol too). It should not affect it if certificate-inspection is used. Our dev team has released a new engine to address TLS 1.3. It is not released to the public yet as it is undergoing beta tests.
LewisBowerbank,
You can disable the replacement message.
If you are using the Web Filter profile and FortiOS 5.4, here's how:
Go to "config webfilter profile", "edit <profile name>", "set https-replacemsg disable".
If you are using the Application Control profile and FortiOS 5.4,
Go to "config application list", "edit <application name>", "set app-replacemsg disable".
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Ivan,
>>After reading the discussion I am not sure if I understood the solution correctly. The issue is that during certificate inspection (SNI and CN) some website access breaks - right? Typically the issue occures on those sites where there are some embedded links which are beeing loaded after the first URL request. The issue only occures if some of those emmeded links are categorized by the webfilter to be blocked (e.g. advertising). When the webfilter blocks access to those https sites the fortigate will send the https-replacemsg to the client with the own fortigate certificate. Typically this is untrusted and the client will get the unknown certificate issuer error. This can be solved for managed clients with certificate rollout. But for BYOD devices thats not possible.
Yes, this is correct. >>My question: What actually happens if the fortigate does not send the https-replacemsg as suggested by you?
If the Fortigate does not seed the https-replacemsg, it will send a TCP RST packet to close the session.
>>Will the website be partially loaded? (Like loading a news pages without the Ad Banners)
Yes, it will be partially loaded. Let's say you load a YouTube page. If you have Google Ads blocked, you will noticed there are patches on the page that looks like the typical error message you get. I attached a sample screen.
One important thing to note is you may notice the page might load slower than usual. This is caused by non-asynchronous loading of the HTML content. For e.g., in the YouTube case, if the HTML page is written in a way as to load the Google Ads first, if the browser receives a RST packet, it may (or may not) keep requesting for the content until the timeout value is reached. If the HTML page is not written in a way to allow asynchronous loading of other content at the same time while it is trying to load the Google Ads, the page will load slowly. This is because the browser is trying to load the ads before everything else. However, if the Google Ads code is at the very end, you will see the rest of the page loads like usual minus the ads. If the code is somewhere in the middle of the page, then you might have 60-70% of the page loaded, then it will slow down for a while to try to get the Google Ads, and once the timeout is done, the remaining page will be loaded. This is unfortunately not something we can control. On many of the major browsers today, a RST packet will stop the browser from resending the GET request for a resource. So you are not likely going to see a slowdown. In short:
If https-replacemsg is enabled, you may see a slowdown if a content on a page is blocked because the Fortigate does not send a RST packet right away. The browser will wait until the timeout value is reached.
If https-replacemsg is disabled, you most likely will not see a slowdown. A RST packet will be sent immediately, the browser knows not to wait, and the rest of the page will load after that.
I hope this clears up some confusion you have. Thanks!
HoMing
20 REPLIES 20
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm seeing similar stuff on a couple of sites (angular.io), like you if I disable SSL inspection for that site it works fine. Do you have 'block invalid certs' ticked on your SSL Inspection profile, I disabled that but still see the same problem? I'm wondering if it's a TLS 1.3 thing but not had time to investigate fully.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try, just to test, to inspect all ports in Proxy Option profile.
It's a resource-consuming option so enable it just in a dedicated policy and please retry.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have the same problem, we have the advertising category blocked these are embedded on pages and sometimes the browser just says there is a problem connecting securely to the website. Even if the page is in an allowed category but the advert causes this to fail. If I allow the advertising category the page loads. It is annoying that Fortigate certificate has to present itself on blocked pages, I cannot add certificates to the end user machines on this network.
I tried the inspect all ports in the proxy and that didn't help unfortunately
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
To answer daccu's question first,
Certificate Inspection should not break any SSL connections. The Fortigate only inspects the SNI on the Client Hello or the Server Certificate when Certificate Inspection is used. It does not attempt a MitM. Could you post the output of the CLI commands, "config firewall ssl-ssh-profile", "edit <your profile>", "show"?
E.g.
edit "certificate-inspection" set comment "SSL handshake inspection." config https set ports 443 set status certificate-inspection end config ftps set ports 990 set status disable end config imaps set ports 993 set status disable end config pop3s set ports 995 set status disable end config smtps set ports 465 set status disable end config ssh set ports 22 set status disable end next
This is the default certificate-inspection profile.
SteveG,
TLS 1.3 would have affected the engine if you used deep-inspection - not widespread yet, recently added into Chrome 56 (would require the server to support the protocol too). It should not affect it if certificate-inspection is used. Our dev team has released a new engine to address TLS 1.3. It is not released to the public yet as it is undergoing beta tests.
LewisBowerbank,
You can disable the replacement message.
If you are using the Web Filter profile and FortiOS 5.4, here's how:
Go to "config webfilter profile", "edit <profile name>", "set https-replacemsg disable".
If you are using the Application Control profile and FortiOS 5.4,
Go to "config application list", "edit <application name>", "set app-replacemsg disable".
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your suggestion, I had not done this with the webfilter profile but sadly the Fortigate still presents its certificate which causes the browser to say there is a problem with the website's security certificate/lots of security alerts pop up about the certificate and if you wish to proceed/or states the connection is not private and prevents you from visiting the page.
I'm looking to move to another device to handle web filtering providing WCCP on the Fortigate is flexible enough that some IP addresses can be exempt.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello LewisBowerbank,
If you are getting those certificates error when you did not try to block anything, it is very likely you are enabling deep-inspection and the FortiGate is doing a MitM on the SSL sessions. If you do not import the FortiGate's SSL Certificate on your machine, you will get that error.
If you would like to avoid importing the FortiGate's SSL Certificate on all the machines, you need to get a properly signed SSL Certificate and add it to the FortiGate.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks it isn't occurring on all sites as it would do on deep inspection. I'm not sure on the process but getting a SSL certificate but we would need that to be trusted while acting on behalf of sites such as YouTube where the blocked advertising category causes problems with this site and I don't think we would be able to have access to something like that.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello LewisBowerbank,
Can you send me your configuration file? I can take a look at it to see if you disable the replacement message correctly.
The reason you are getting the SSL certificate error is because the FG tries to send the replacement message through the SSL connections that are getting blocked. If you disable the replacement message correctly, that should prevent the Certificate error.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there... I am also getting issues with certificate-inspection (not mitm) breaking web sites. My configuration is standard. I have just created a new profile from scratch and that also causes the issue.
Related Posts
- LDAPS issue, 'Can't contact LDAP server' 158 Views
- Two different websites (domains) on two... 91 Views
- Setting SSL/SSH inspection profile causes most... 190 Views
- IPS and WAF security events are... 173 Views
- ZTNA not working. Help please. 276 Views
Labels
-
FortiGate
6,522 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
240 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
83 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
.jpg){kind=link}
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.