HTTPS and replacement messages

Author: Wurstsalat
2017/12/29 05:56:22

Hi there,
We are currently running FortiOS 5.6.2.
It works so far except for one thing: when we try to browse an unknown address such as https://12351.heise.de, we get a certificate warning because it uses the factory default CA certificate to generate the certificate for the replacement message site... Our clients reach the Internet through an explicit proxy.
 
So we checked our SSL/TLS inspection profiles. All profiles except the factory defaults use CA certificates which are trusted by our clients, and it works for all sites which are reachable. So far we don't see where else we can configure this behaviour.
 
The factory default profiles can't be changed to a trusted cert; in the CLI we get
"Cannot modify the read-only factory default profiles!
object set operator error, -657 discard the setting
Command fail. Return code -657"
 
So how can we configure the FortiGate to issue the certificate for unknown sites/IPs with our own CA certificate?
 
Hope someone can help
#1

    Wurstsalat
    Re: HTTPS and replacement messages 2018/01/07 22:11:16
    No one has any idea on this?
    #2
    oheigl
    Re: HTTPS and replacement messages 2018/01/08 01:43:26
    You don't use any factory default SSL/TLS profiles? Did you check the settings in the CLI? There is one certificate which can't be set via the web interface:
     
    set caname "Fortinet_CA_SSL"
    set untrusted-caname "Fortinet_CA_Untrusted"
     
    Check if these are not the default ones but your own certificates.
    #3
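
An added example, not part of the thread and not Fortinet tooling: a Python check over a saved configuration backup that lists every SSL/SSH inspection profile still signing with the factory-default CAs named in the reply above. The sample backup, its profile names and the `Corp_*` CA names are constructed, and treating a key that is missing from the backup as an unset default is an assumption.

```python
import re

# Factory-default CA names quoted in the reply above.
DEFAULT_CAS = {"Fortinet_CA_SSL", "Fortinet_CA_Untrusted"}
CA_KEYS = ("caname", "untrusted-caname")
# Constructed sample backup; profile and "Corp_*" CA names are made up.
SAMPLE = """\
config firewall ssl-ssh-profile
    edit "proxy-deep"
        config https
            set ports 443
        end
        set caname "Corp_Issuing_CA"
        set untrusted-caname "Fortinet_CA_Untrusted"
    next
    edit "proxy-clean"
        set caname "Corp_Issuing_CA"
        set untrusted-caname "Corp_Untrusted_CA"
    next
    edit "proxy-bare"
        set comment "no CA lines in backup"
    next
end
"""

def audit_ssl_profiles(config_text):
    """Return (profile, key, ca) for each CA setting that is a factory
    default, or absent from the backup (assumed to be an unset default)."""
    findings, in_section, depth, profile, seen = [], False, 0, None, {}
    for line in (raw.strip() for raw in config_text.splitlines()):
        if not in_section:
            in_section = line == "config firewall ssl-ssh-profile"
        elif line.startswith("config "):
            depth += 1                      # nested block such as "config https"
        elif line == "end":
            in_section, depth = depth > 0, max(depth - 1, 0)
        elif depth == 0 and line.startswith("edit "):
            profile, seen = line[5:].strip('"'), {}
        elif depth == 0 and line == "next" and profile is not None:
            for key in CA_KEYS:
                ca = seen.get(key, "(not shown)")
                if ca in DEFAULT_CAS or key not in seen:
                    findings.append((profile, key, ca))
            profile = None
        elif depth == 0 and profile is not None:
            m = re.match(r'set (\S+) "?([^"]*)"?$', line)
            if m and m.group(1) in CA_KEYS:
                seen[m.group(1)] = m.group(2)
    return findings
```

Calling `audit_ssl_profiles(SAMPLE)` reports `proxy-deep` for its untrusted-site CA and `proxy-bare` for both keys; `proxy-clean` passes.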
    Wolkenstuermer
    Re: HTTPS and replacement messages 2018/06/06 02:08:29
    We are facing the same problems. Is there any news on that?
     
    Yes, it is possible to shut down HTTPS error messages altogether, but that is not what we want.
    #4
    Wurstsalat
    Re: HTTPS and replacement messages 2018/06/06 04:20:48
    We did not find a solution for this... so if you find one, please reply ;)
    #5
    mhwloo
    Re: HTTPS and replacement messages 2018/08/06 11:47:39
    Quoting Wolkenstuermer:
    We are facing the same problems. Is there any news on that?
     
    Yes, it is possible to shut down HTTPS error messages altogether, but that is not what we want.

    How do you shut down HTTPS error messages?  I would love to be able to do this on our guest's devices.
    #6