6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection)

Author
BrianB
New Member
2019/09/20 09:30:27 (permalink)

Is the Fortigate default certificate-inspection profile able to see SAN names in an SSL cert or does it even attempt to see them?
 
Thanks,
Brian
#1


    mjcrevier
    Bronze Member
    Re: 6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection) 2019/10/01 14:52:36 (permalink)
    Yes, it does look for SNI. I ran into an issue with the default certificate-inspection profile assigned to a policy in proxy-mode: SSL negotiation failure because SNI does not match CN. Looking at the certificate for the website in question, I can see that the CN is listed in SNI, but it's the last entry.
     
    You can resolve this by using flow-based inspection. Also, you can edit the certificate-inspection profile on the CLI:
     
    config firewall ssl-ssh-profile
     edit custom-cert-inspection
      config ssl
       set inspect-all certificate-inspection
       set sni-server-cert-check disable
      end
     end
     
    I found that disabling sni-server-cert-check on full-tunnel SSL VPN policies resolved the issue without having to switch to flow-based inspection.
    #2
    DanielW
    New Member
    Re: 6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection) 2020/05/07 02:52:04 (permalink)
    SNI and SAN are not the same. SNI has no impact on the certificate itself, whilst with SAN the CN may not be distinct.
    @BrianB: Did you find an answer to your question? I am currently struggling to find a way to monitor SAN websites over https. Cloudflare uses this a lot.
    #3
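The mismatch discussed in replies #2 and #3, shown as an added example that is not FortiGate code and not code from anyone in this thread: a check that compares the SNI only with the CN fails for a shared (CDN-style) certificate whose CN is an unrelated name, while a SAN-aware check per RFC 6125 accepts the hostname because it appears as a SAN dNSName entry. The ParsedCert structure and the certificate names below are constructed for the example and assume nothing about how FortiOS implements sni-server-cert-check.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ParsedCert:
    """Minimal view of a parsed X.509 certificate: only the names matter here."""
    subject_cn: str
    san_dns: Tuple[str, ...] = ()  # dNSName entries from the SAN extension


# Constructed certificate mirroring reply #2: the visited hostname is present
# only in the SAN list, and the CN appears as the last SAN entry.
CDN_CERT = ParsedCert(
    subject_cn="sni12345.cdn-shared-cert.invalid",
    san_dns=(
        "www.example.invalid",
        "example.invalid",
        "*.other-tenant.invalid",
        "sni12345.cdn-shared-cert.invalid",
    ),
)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with a hostname, RFC 6125 6.4.3 style:
    case-insensitive labels; '*' only as the whole leftmost label, matching
    exactly one label (never a bare '*.tld')."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def sni_matches_cn_only(sni: str, cert: ParsedCert) -> bool:
    """The check that fails in reply #2: SNI is compared with the CN alone."""
    return dns_name_matches(cert.subject_cn, sni)


def sni_matches_cert(sni: str, cert: ParsedCert) -> Optional[str]:
    """SAN-aware check: return the certificate name the SNI matched, else None.
    When the SAN extension carries dNSName entries the CN is not consulted."""
    candidates = cert.san_dns if cert.san_dns else (cert.subject_cn,)
    for name in candidates:
        if dns_name_matches(name, sni):
            return name
    return None
```

Run sni_matches_cn_only and sni_matches_cert with the same SNI to see the two outcomes side by side; a cert with no SAN entries falls back to the CN, as legacy certificates require.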