SSL Decryption

Author: Ydaew
2019/07/16 04:32:50

Hello,
I'm using FortiGate to decrypt web server traffic. How do I know if the traffic is really decrypted, from the FortiGate log itself?
#1
emnoc
Re: SSL Decryption 2019/07/16 08:50:48
You can monitor the logs and look at that fwpolicyid. A sure way is to inspect the client/server hello. If you see the MITM forced certificate in the HTTPS lock in the browser, then you know a device was in the middle. Review the following:
 
http://socpuppet.blogspot.com/2017/11/ssl-state-cache-msie.html
 
The left screenshot is a proxy doing MITM and the right is the correct CA chain. https://crt.sh/ is a good tool to know the proper cert issuer details, btw.
 
e.g. (to see all certs listed for example.com):
 
https://crt.sh/?q=%25.example.com
 
Ken Felix

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#2
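The issuer check emnoc describes, written out as a small script. This is an added example, not code from the post or from Fortinet: it compares the issuer of the certificate the client actually receives with the public CA issuer you would expect for the site (for instance as listed on https://crt.sh/), and flags anything else as a forced (re-signed) certificate from a device in the middle. The two certificate dicts are constructed samples in the layout returned by `ssl.SSLSocket.getpeercert()`; the issuer names "Fortinet" / "FortiGate CA" and the expected-issuer set are assumptions, adjust them to your own inspection CA and to the site's real issuer.

```python
"""Detect TLS inspection by checking who issued the leaf certificate.

Added example (not from the original post or from Fortinet). Certificate dicts
below are constructed samples in getpeercert() format; issuer names are assumed.
"""
import socket
import ssl

# Issuer organisations you expect for the site when nothing is in the middle.
# Assumed values for this example; take the real ones from crt.sh for your site.
EXPECTED_PUBLIC_ISSUER_ORGS = {"Let's Encrypt", "DigiCert Inc"}

# Constructed sample: what the browser sees when talking to the site directly.
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
}

# Constructed sample: the same site re-signed by an inspecting device's CA
# (issuer names are placeholders, not a real FortiGate certificate).
INSPECTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Fortinet"),),
        (("commonName", "FortiGate CA"),),
    ),
}


def issuer_fields(cert):
    """Flatten the RDN tuples of the 'issuer' entry into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for (key, value) in rdn}


def classify_chain(cert, expected_orgs=EXPECTED_PUBLIC_ISSUER_ORGS):
    """Return 'direct' when the issuer is one of the expected public CAs,
    'inspected' when someone else signed the certificate (forced MITM cert)."""
    org = issuer_fields(cert).get("organizationName", "")
    return "direct" if org in expected_orgs else "inspected"


def fetch_peer_cert(host, port=443, timeout=5):
    """Live check: return the leaf certificate dict for host, or None when the
    chain does not verify against the local trust store.

    With TLS inspection the device's CA is normally installed on the client, so
    verification succeeds and the dict shows that CA as issuer. If the CA is not
    trusted, the handshake fails with SSLCertVerificationError, which is itself
    a sign that the chain is not the site's real one (or is otherwise broken)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


if __name__ == "__main__":
    import sys

    # Usage: python check_issuer.py www.example.com
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    cert = fetch_peer_cert(target)
    if cert is None:
        print(f"{target}: chain did not verify (untrusted issuer or bad cert)")
    else:
        print(f"{target}: issuer={issuer_fields(cert)} -> {classify_chain(cert)}")
```

Run it from a client behind the FortiGate and from one outside the inspection path; if the issuer differs between the two runs, the traffic is being decrypted on the path, which is the same signal as the certificate shown under the browser's lock icon.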