SSL Inspection with wildcard certificate

Author
rhfred
2018/06/21 02:15:29 (permalink) 5.6


Hi, 
 
Running on a FortiGate 300D 5.6.3.

I experience some strange behaviour running some UTM features like WAF, AV, IPS. Here is my setup:
  • One wildcard certificate imported as a 'local certificate', meaning with both the certificate file and the private key. This should let the device serve the certificate in place of my backend web server.
  • One SSL/SSH inspection profile with these settings: Enable SSL Inspection of Protecting SSL Server, the right server wildcard certificate, and inspect all ports.
  • One firewall rule with WAF, IPS and AV, and this SSL/SSH inspection profile.
Now the strange behavior:
  • As said, the SSL certificate above is a wildcard SSL certificate. This basically means it protects *.example.com and works fine with subdomain1.example.com as well as subdomain2.example.com and subdomain3.example.com.
  • When I try SQL injection against subdomain1.example.com I get a WAF message which says "The transfer has triggered a Web Application Firewall." and "This transfer is blocked." <-- This is the expected behavior.
  • But when I try the same SQL injection against subdomain2.example.com or subdomain3.example.com nothing is blocked at all; it is as if SSL deciphering does not work.
I didn't find anything in the configuration that would tell the FortiGate this SSL profile is only for subdomain1. I downloaded the entire configuration file and ran some grep, and didn't find anything regarding subdomain1, subdomain2 or subdomain3.
 
Is someone else experiencing the same behavior? Is this a known bug?
 
Thank you for your help, 
rhfred
#1


    rhfred
    Re: SSL Inspection with wildcard certificate 2018/07/02 05:49:37 (permalink)
    Hi all, 
     
    Does nobody reproduce this? 
     
    rhfred
    #2
    emnoc
    Re: SSL Inspection with wildcard certificate 2018/07/02 06:32:36 (permalink)
    The diag debug flow cmd is your friend, but let's back up: if it worked for subdomain1 and not subdomain2 or 3, what's different? I would dump the certificate CN and AltName fields and start from that point.
     

    PCNSE6, PCNSE7, ACE, CCNP, FCNSP, FCESP, Linux+, CEH, ECSA, SCSA, SCNA, CISCA
    #3
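The certificate-name check emnoc suggests, as an added example that is not part of the thread: it takes the CN/SAN DNS names and reports which of the subdomains the certificate actually covers under the single-label wildcard rule TLS stacks apply, so a hostname the certificate does not cover stands out before you touch the FortiGate profile. The SAN tuples and hostnames are constructed sample data; `fetch_san` is an assumed stdlib helper for pulling the same names from a live endpoint.

```python
# Added example (not from the thread): check which hostnames a certificate's
# DNS names actually cover, using the single-label wildcard rule of RFC 6125
# that TLS stacks apply: '*.example.com' covers 'subdomain1.example.com' but
# not 'example.com' or 'a.b.example.com'. SAN entries use the ('DNS', name)
# tuple shape that ssl.SSLSocket.getpeercert() returns under 'subjectAltName'.
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name (optionally '*.<domain>') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname  # no wildcard: exact match only
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The '*' must be the entire leftmost label, may not be the only label
    # left of the TLD ('*.com' is rejected), and matches exactly one label.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_hosts(san_names, hostnames):
    """Map each hostname to the SAN entry that covers it, or None if uncovered."""
    dns_names = [name for kind, name in san_names if kind == "DNS"]
    return {host: next((p for p in dns_names if wildcard_matches(p, host)), None)
            for host in hostnames}


def fetch_san(host: str, port: int = 443):
    """Pull the leaf certificate's SAN list from a live endpoint (not run offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())


# Constructed sample names standing in for the wildcard certificate in the thread.
SAMPLE_SAN = (("DNS", "*.example.com"), ("DNS", "example.com"))
SAMPLE_HOSTS = ["subdomain1.example.com", "subdomain2.example.com",
                "subdomain3.example.com", "deep.sub.example.com", "example.com"]

if __name__ == "__main__":
    for host, matched in covered_hosts(SAMPLE_SAN, SAMPLE_HOSTS).items():
        print(f"{host:26s} -> {matched or 'NOT COVERED'}")
```

Run it against the SAN list returned by `fetch_san(host)` for each of the three subdomains; a host that reports NOT COVERED points at the certificate rather than the inspection profile.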