Weak impersonation certificates blocking access to sites using ECC certificates
Policy Inspection Mode: Proxy-Based
SSL Inspection: Full SSL Inspection (DPI-SSL)
DPI-SSL CA Certificate correctly installed in browser/OS.
Browse to a website using a 256-bit Elliptic Curve Cryptography (ECC) certificate. Sites that are using ECC certificates include www.google.com (but not www.google.co.nz), and sites which are behind CloudFlare’s CDN.
If the browser (e.g. Chrome, Safari) uses TLS 1.3, the FortiGate will impersonate the site using a 1024-bit RSA certificate.
If the browser (e.g. Internet Explorer) uses TLS 1.2, then the FortiGate will impersonate the site using a 256-bit ECC certificate.
On a Chromebook and on macOS 10.15, Chrome and Safari will give an invalid certificate warning and will not proceed to the site. This is due to the 1024-bit key being too weak. Note: on Windows, Chrome doesn’t give a certificate warning.
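To confirm which impersonation certificate the FortiGate actually serves for each TLS version, here is an added diagnostic script (not from the original post, and not Fortinet code) that connects to a host once restricted to TLS 1.3 and once restricted to TLS 1.2, parses the served leaf certificate's public key with a minimal DER walker, and flags RSA keys below 2048 bits. It assumes the host is reached through the FortiGate; the host name you pass (e.g. www.google.com from the post) is your choice.

```python
import socket, ssl

OID_RSA = bytes.fromhex("2a864886f70d010101")   # rsaEncryption OID, DER content
OID_EC = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey OID, DER content
EC_CURVES = {bytes.fromhex("2a8648ce3d030107"): ("P-256", 256)}

def der_read(buf, pos=0):                       # one DER TLV -> (tag, content, end_offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    pos, out = 0, []                            # (tag, body, raw_tlv) per child
    while pos < len(content):
        tag, body, end = der_read(content, pos)
        out.append((tag, body, content[pos:end]))
        pos = end
    return out

def spki_from_cert(cert_der):                   # Certificate -> tbsCertificate -> SPKI
    fields = der_children(der_children(der_read(cert_der)[1])[0][1])
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][2]   # serial, sigalg, issuer, validity, subject, SPKI (raw TLV)

def key_info(spki):
    """Return (key_type, bits) for a DER SubjectPublicKeyInfo."""
    alg, pubkey = der_children(der_read(spki)[1])[:2]
    parts = der_children(alg[1])
    if parts[0][1] == OID_EC:
        name, bits = EC_CURVES.get(parts[1][1], ("unknown-curve", 0))
        return ("EC/" + name, bits)
    if parts[0][1] == OID_RSA:                  # BIT STRING: skip unused-bits byte
        modulus = der_children(der_read(pubkey[1][1:])[1])[0][1]
        return ("RSA", int.from_bytes(modulus, "big").bit_length())
    return ("other", 0)

def verdict(key):
    kind, bits = key                            # 1024-bit RSA is what the browsers reject
    return "weak" if kind == "RSA" and bits < 2048 else "ok"

def impersonation_key(host, tls_version, port=443):
    """Connect with exactly one TLS version and report the leaf key actually served."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # diagnostic: show it even if untrusted
    ctx.minimum_version = ctx.maximum_version = tls_version
    with socket.create_connection((host, port), timeout=5) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        return key_info(spki_from_cert(tls.getpeercert(binary_form=True)))
```

Run `impersonation_key("www.google.com", ssl.TLSVersion.TLSv1_3)` and the same with `TLSv1_2` from behind the FortiGate; a result of `("RSA", 1024)` on the TLS 1.3 path reproduces the condition described above.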
Change the Policy Inspection Mode to Flow-Based. You then lose the additional features that proxy-based inspection provides, as described at https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/721410/about-inspection-modes
Hopefully this will help others as it has taken us a while to get this sorted.