Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB

Mark Thread UnreadFlat Reading Mode ❐

Hot!6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection)

Author Post Essentials Only Full Version
BrianB New Member Total Posts : 18 Scores: 1 Reward points: 0 Status: offline 2019/09/20 09:30:27 (permalink) 0 6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection) Is the Fortigate default certificate-inspection profile able to see SAN names in an SSL cert or does it even attempt to see them? Thanks, Brian #1 1 Reply Related Threads
mjcrevier New Member Total Posts : 18 Scores: 0 Reward points: 0 Joined: 2014/04/28 18:04:36 Status: offline Re: 6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection) 2019/10/01 14:52:36 (permalink) 0 Yes it does look for SNI. I ran into an issue with the default certificate-inspection profile assigned to a policy in proxy-mode: SSL negotiation failure because SNI does not match CN. Looking at the certificate for the website in question, I can see that the CN is listed in SNI, but it's the last entry. You can resolve by using flow-based inspection. Also, you can edit the certificate-inspection profile on the CLI: config firewall ssl-ssh-profile edit custom-cert-inspection config ssl set inspect-all certificate-inspection set sni-server-cert-check disable end end I found that disabling sni-server-cert-check on full-tunnel SSL VPN policies resolved the issue without having to switch to flow-based inspection. #2

Author

Post

Essentials Only Full Version

BrianB

New Member

Total Posts : 18
Scores: 1
Reward points: 0
Status: offline

2019/09/20 09:30:27 (permalink)

6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection)

Is the Fortigate default certificate-inspection profile able to see SAN names in an SSL cert or does it even attempt to see them?

Thanks,
Brian

1 Reply Related Threads

mjcrevier

New Member

Total Posts : 18
Scores: 0
Reward points: 0
Joined: 2014/04/28 18:04:36
Status: offline

Re: 6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection) 2019/10/01 14:52:36 (permalink)

Yes it does look for SNI. I ran into an issue with the default certificate-inspection profile assigned to a policy in proxy-mode: SSL negotiation failure because SNI does not match CN. Looking at the certificate for the website in question, I can see that the CN is listed in SNI, but it's the last entry.

You can resolve by using flow-based inspection. Also, you can edit the certificate-inspection profile on the CLI:

config firewall ssl-ssh-profile
edit custom-cert-inspection
config ssl
set inspect-all certificate-inspection
set sni-server-cert-check disable
end
end

I found that disabling sni-server-cert-check on full-tunnel SSL VPN policies resolved the issue without having to switch to flow-based inspection.

Jump to: