6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection) | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB

Mark Thread UnreadFlat Reading Mode ❐

Hot!6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection)

Author Post Essentials Only Full Version
BrianB New Member Total Posts : 19 Scores: 1 Reward points: 0 Status: offline 2019/09/20 09:30:27 (permalink) 0 6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection) Is the Fortigate default certificate-inspection profile able to see SAN names in an SSL cert or does it even attempt to see them? Thanks, Brian #1 2 Replies Related Threads
mjcrevier Bronze Member Total Posts : 23 Scores: 2 Reward points: 0 Joined: 2014/04/28 18:04:36 Status: offline Re: 6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection) 2019/10/01 14:52:36 (permalink) 0 Yes it does look for SNI. I ran into an issue with the default certificate-inspection profile assigned to a policy in proxy-mode: SSL negotiation failure because SNI does not match CN. Looking at the certificate for the website in question, I can see that the CN is listed in SNI, but it's the last entry. You can resolve by using flow-based inspection. Also, you can edit the certificate-inspection profile on the CLI: config firewall ssl-ssh-profile edit custom-cert-inspection config ssl set inspect-all certificate-inspection set sni-server-cert-check disable end end I found that disabling sni-server-cert-check on full-tunnel SSL VPN policies resolved the issue without having to switch to flow-based inspection. #2
DanielW New Member Total Posts : 11 Scores: 0 Reward points: 0 Joined: 2015/03/13 01:15:44 Status: offline Re: 6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection) 2020/05/07 02:52:04 (permalink) 0 SNI and SAN are not the same. SNI has no impact on the certificate itself, whilst with SAN the CN may not be distinct. @BrianB: Did you find an answer to your question? I am currently struggling to find a way to monitor SAN websites over https. Cloudflare uses this a lot. #3

Jump to:

© 2020 APG vNext Commercial Version 5.5