Deep SSL Inspection OCSP Issue?

Author
ndDallasDan
2019/01/28 16:09:34

I have a site currently beta testing (in production unfortunately) a Deep SSL inspection profile with a 201E on 5.6.7 with content filtering.  We have experienced really inconsistent end-user experience. 
 
Firstly, the SSL profile is deployed using a cert generated on the Fortigate and signed by our internal issuing CA, the FGT has the trust chain installed, all client machines trust the certificate presented by the FGT--issue isn't related to chain of trust regarding the cert being presented by the FGT to the client machines.  Client machines intentionally do not trust the "Fortigate Bad" certificate that the FGT replaces bad certificates with, by design.  Client machines use Chrome. 
 
The problems cannot be reliably replicated. Users report that certain sites will load 'after a couple of tries', and some content fails to ever load (possibly content in a blocked category); the issue I'm trying to nail down relates to sites that load 'after a couple of tries'.
 
One of the challenges with FGT deep inspection directly relates to the MiTM--whereby we are forcing (rather hoping) the FGT will perform checks on the certificate that the browser would perform before allowing the traffic.  There is a balancing act here in my view as the WORSE outcome would be MiTM that forgoes the checks that the browser would normally do and causes a user to 'trust' a site because it's presented as trusted by the browser (when re-wrapped in the trusted FGT inspection cert).  Perhaps I'm overthinking this risk.  As a result of that mindset we have the following options set:
 
config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-status enable
    set ssl-ocsp-option certificate
end


In reviewing the logs and checking the debugs I can see there are 'authentication failures' logged; tracing them, they appear strongly to be the result of the FGT either performing these OCSP checks and failing, or not getting timely responses to OCSP queries perhaps and then logging a failure. I believe this may be at the root of the inconsistent end-user experience. The failure rate as a percentage of queries can be quite large at times and could account for this inconsistent end-user experience.
 
Any thoughts or guidance here?