Weak impersonation certificates blocking access to sites using ECC certificates

Author: tracyb
Posted: 2019/09/02 22:16:28

Scenario:
FortiOS: 6.2.1
Policy Inspection Mode: Proxy-Based
SSL Inspection: Full SSL Inspection (DPI-SSL)
 
DPI-SSL CA Certificate correctly installed in browser/OS.
 
Browse to a website using a 256-bit Elliptic Curve Cryptography (ECC) certificate.
Sites that are using ECC certificates include www.google.com (but not www.google.co.nz), www.cloudflare.com, and sites which are behind CloudFlare's CDN.

If the browser (e.g. Chrome, Safari) uses TLS 1.3, the FortiGate will impersonate the site using a 1024-bit RSA certificate.
If the browser (e.g. Internet Explorer) uses TLS 1.2, then the FortiGate will impersonate the site using a 256-bit ECC certificate.
 
The problem:
On a Chromebook and macOS 10.15, Chrome and Safari will give an invalid certificate warning, and not proceed to the site. This is due to the 1024-bit key being too weak.
Note: on Windows, Chrome doesn't give a certificate warning.
 
Workaround:
Change the Policy Inspection Mode to Flow-Based. Obviously you then don't get the additional features that proxy-based inspection allows - https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/721410/about-inspection-modes
 
 
Hopefully this will help others as it has taken us a while to get this sorted.
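A quick way to confirm which impersonation certificate a client behind the FortiGate actually receives for TLS 1.2 versus TLS 1.3, as an added check that is not part of the original post or of any Fortinet tooling. It assumes OpenSSL 1.1.1 or later (for `-tls1_3`), that the host is passed as the first argument, and uses a 2048-bit RSA minimum as the "weak" threshold, which is an assumption chosen to match what current browsers reject.

```shell
#!/bin/sh
# Added example: classify the public key in `openssl x509 -text` output and
# report whether a TLS-intercepting proxy handed the client a weak key.
# Thresholds (RSA >= 2048, EC >= 256) are this script's own assumption.

# classify_key TEXT -> prints "ok|weak <algo> <bits>", returns 1 when weak.
classify_key() {
    text="$1"
    algo=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    # Matches both "RSA Public-Key: (1024 bit)" (1.1.1) and "Public-Key: (1024 bit)" (3.x)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$algo" in
        rsaEncryption)
            if [ "${bits:-0}" -ge 2048 ]; then echo "ok rsa $bits"; return 0; fi
            echo "weak rsa $bits"; return 1 ;;
        id-ecPublicKey)
            if [ "${bits:-0}" -ge 256 ]; then echo "ok ec $bits"; return 0; fi
            echo "weak ec $bits"; return 1 ;;
        *)
            echo "unknown ${algo:-?} ${bits:-?}"; return 2 ;;
    esac
}

# probe HOST VERSION -> dumps the leaf cert presented when forcing VERSION
# (tls1_2 or tls1_3); through a DPI proxy this is the impersonation cert.
probe() {
    host="$1"; ver="$2"
    openssl s_client -connect "$host:443" -servername "$host" "-$ver" </dev/null 2>/dev/null \
      | openssl x509 -noout -text 2>/dev/null
}

# Usage: ./check_intercept_key.sh www.cloudflare.com  (hypothetical script name)
if [ -n "$1" ]; then
    for v in tls1_2 tls1_3; do
        printf '%s %s: ' "$1" "$v"
        classify_key "$(probe "$1" "$v")" || true
    done
fi
```

Run it from a client on the inspected segment; a "weak rsa 1024" line for tls1_3 next to an "ok ec 256" line for tls1_2 reproduces the behaviour described in the post.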