6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection)

Author: BrianB
2019/09/20 09:30:27

Is the Fortigate default certificate-inspection profile able to see SAN names in an SSL cert or does it even attempt to see them?
 
Thanks,
Brian

    mjcrevier
    Re: 6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection) 2019/10/01 14:52:36
    Yes, it does look for SNI. I ran into an issue with the default certificate-inspection profile assigned to a policy in proxy-mode: SSL negotiation failure because SNI does not match CN. Looking at the certificate for the website in question, I can see that the CN is listed in SNI, but it's the last entry.
     
    You can resolve this by using flow-based inspection. Also, you can edit the certificate-inspection profile on the CLI:
     
    config firewall ssl-ssh-profile
     edit custom-cert-inspection
      config ssl
       set inspect-all certificate-inspection
       set sni-server-cert-check disable
      end
     end
     
    I found that disabling sni-server-cert-check on full-tunnel SSL VPN policies resolved the issue without having to switch to flow-based inspection.
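As an added example (not from the thread and not FortiOS code), here is the hostname-matching rule that a check such as sni-server-cert-check applies: the SNI the client sent is compared against the server certificate's SAN dNSName entries, with the CN consulted only when the certificate carries no SAN, so a name that appears as the last SAN entry still matches. The Python below works on already-extracted CN/SAN strings (constructed sample data with placeholder names) rather than parsing X.509, and follows the RFC 6125 rule, which may differ in detail from the FortiGate's own implementation.

```python
"""Hostname-to-certificate matching as a TLS client or inspecting proxy
performs it. Added example: not FortiOS code, operates on CN/SAN values
already extracted from a certificate (constructed sample data below)."""
import ipaddress
from typing import List, Optional, Tuple


def _label_match(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, a wildcard is allowed
    only as the entire left-most label and never spans a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    rest, labels = pattern[2:], host.split(".")
    # '*.static.example.test' matches exactly one extra label on the left
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == rest


def sni_matches_cert(sni: str, cn: Optional[str], san: List[str]) -> Tuple[bool, str]:
    """Return (matched, reason). SAN entries are authoritative when present,
    in any position; the CN is only a fallback for certificates without SAN."""
    try:
        ipaddress.ip_address(sni)
        return False, "SNI is an IP literal, not a hostname"
    except ValueError:
        pass
    if san:
        for name in san:
            if _label_match(name, sni):
                return True, f"matched SAN {name!r}"
        return False, "SNI not in SAN (CN ignored because SAN is present)"
    if cn and _label_match(cn, sni):
        return True, "matched CN (certificate has no SAN)"
    return False, "SNI matches neither SAN nor CN"


# Constructed sample mirroring the thread: the SNI equals the CN, and the
# CN appears in the SAN list only as its last entry.
SAMPLE_CN = "www.example.test"
SAMPLE_SAN = ["cdn.example.test", "*.static.example.test", "www.example.test"]

if __name__ == "__main__":
    for sni in ("www.example.test", "img.static.example.test",
                "a.b.static.example.test", "api.example.test"):
        print(f"{sni:28} -> {sni_matches_cert(sni, SAMPLE_CN, SAMPLE_SAN)}")
```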