SSL/SSH Inspection Challenge - Invalid Digital Signature

Author
BK_LGW
2020/07/09 13:09:46 (permalink)

SSL/SSH Inspection Challenge - Invalid Digital Signature

Hello all. I'm experiencing some difficulties with using Web Filtering and SSL Inspection. My test policy has blocked the usual culprits (social media, gambling, porn, etc.) and I have a test machine and user going to the Internet via the policy. 

This is what I've done:
- Acquired root and subordinate CA certs from my sub CA server, imported them into FGT as root and sub CAs respectively.
- Created a local CA for the FGT via the issuing server (my sub CA server)
- Created an SSH/SSL Inspection profile utilizing the local CA object 
- Created a Web Filter profile blocking the usual suspects
- Created policy outlining both the SSL Inspection and Web Filter profiles and made it so only a single user/PC combo hits it
 
Below are some of the issues I'm having with some websites. Others are blocked and show the block page as expected. All HTTPS websites. What am I doing wrong?

post edited by BK_LGW - 2020/07/09 13:19:35

Attached Image(s)

#1

8 Replies

    Dave Hall
    Re: SSL/SSH Inspection Challenge - Invalid Digital Signature 2020/07/09 16:40:50 (permalink)
    Has the security cert been imported into the browser of the client (test) workstation?

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
    #2
    BK_LGW
    Re: SSL/SSH Inspection Challenge - Invalid Digital Signature 2020/07/10 06:55:31 (permalink)
    Thank you for your quick reply. The root and sub CA certs were already in the Trusted Root CA and Intermediate CA stores due to AD membership. I manually imported the FGT's local cert into the Intermediate CA store. I've been using MS Edge and Internet Explorer, which I believe use the PC's certificate stores, so yes, it should be seen by the test client.
    #3
    emnoc
    Re: SSL/SSH Inspection Challenge - Invalid Digital Signature 2020/07/10 08:37:28 (permalink)
    The output clearly says otherwise. Is the certificate (root/sub CA) trusted by that machine and browser? Also, if it is FF, it does not use the OS cert store.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #4
    BK_LGW
    Re: SSL/SSH Inspection Challenge - Invalid Digital Signature 2020/07/10 09:07:03 (permalink)
    Thanks, Ken. What's strange is that the appropriate block page does show up for some pages with the same configuration.
    Admittedly, the block page does say "Not secure" as well. I'm not sure if that's by design or not. How can I show you beyond a doubt that the certificates are trusted?
     

    Attached Image(s)

    #5
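One way to answer the question in the post above ("how can I show beyond a doubt that the certificates are trusted?") on the Windows test workstation itself. This is an added diagnostic script, not part of this thread and not a Fortinet tool: it connects to the affected site through the inspecting policy, captures the certificate the client actually receives, builds its chain with the same CryptoAPI stores that Internet Explorer and Edge consult (Firefox keeps its own store, as emnoc notes above), and then reports which store, if any, holds the issuer. The default host name twitter.com is the site named later in the thread; the port, the TLS version, and the list of stores checked are assumptions.

```powershell
# Added diagnostic (not from the thread, not a Fortinet tool). Assumptions:
# the host name is the site that throws the error, the port is 443, and the
# script runs on the Windows test workstation as the test user, so that the
# same certificate stores IE/Edge consult are used.
param(
    [string]$HostName = 'twitter.com',
    [int]$Port = 443
)

# 1. Fetch the certificate the client actually receives. With deep inspection
#    active, its issuer should be the FGT local CA, not the site's public CA.
#    The callback accepts any certificate here only so the handshake completes;
#    trust is evaluated explicitly in step 2.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($HostName, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

"Presented leaf : $($leaf.Subject)"
"Issued by      : $($leaf.Issuer)"
"Validity       : $($leaf.NotBefore) -> $($leaf.NotAfter)"

# 2. Build the chain the way CryptoAPI does for IE/Edge, including revocation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$built = $chain.Build($leaf)
"Chain builds   : $built"
foreach ($el in $chain.ChainElements) {
    "  " + $el.Certificate.Subject
    foreach ($st in $el.ChainElementStatus) {
        "      {0}: {1}" -f $st.Status, $st.StatusInformation.Trim()
    }
}
# Status flags to look for: UntrustedRoot, PartialChain (issuer not installed),
# NotTimeValid (expired), NotSignatureValid (signature does not verify).
foreach ($st in $chain.ChainStatus) {
    "Overall        : {0} - {1}" -f $st.Status, $st.StatusInformation.Trim()
}

# 3. Confirm where (if anywhere) the leaf's issuer is installed. Windows store
#    names: Root = Trusted Root CAs, CA = Intermediate CAs.
if ($chain.ChainElements.Count -gt 1) {
    $issuerThumb = $chain.ChainElements[1].Certificate.Thumbprint
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                       'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA') {
        $found = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $issuerThumb }
        "{0,-24} {1}" -f $store, $(if ($found) { 'contains the issuer' } else { '-' })
    }
} else {
    'Issuer not found in any store: the chain stops at the leaf (PartialChain).'
}
```

Run it once against a site whose block page renders correctly and once against the failing site, and compare the two outputs: if "Issued by" is not the FGT local CA for one of them, that site is not being inspected by this policy at all; if it is, the per-element status lines show exactly which certificate in the chain (FGT local CA, sub CA or root) CryptoAPI rejects and why.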
    emnoc
    Re: SSL/SSH Inspection Challenge - Invalid Digital Signature 2020/07/10 10:51:29 (permalink)
    That error is typically one of the following:

    • Authority certificate may be expired, not trusted, etc.
    • Browser security settings
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #6
    Dave Hall
    Re: SSL/SSH Inspection Challenge - Invalid Digital Signature 2020/07/10 13:09:06 (permalink)
    May or may not apply, but I had this KB#FD37342 bookmarked with the intent to test it out to resolve an issue we were having in the past. For us it wasn't so much the cert on the original page/site but the cert on the popup override page.

    NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
    #7
    BK_LGW
    Re: SSL/SSH Inspection Challenge - Invalid Digital Signature 2020/07/13 11:08:34 (permalink)
    Dave Hall

    May or may not apply, but I had this KB#FD37342 bookmarked with the intent to test it out to resolve an issue we were having in the past. For us it wasn't so much the cert on the original page/site but the cert on the popup override page.


    Thank you, Dave. I haven't used any kind of override in my own config, but just to confirm, the cert from the override page would be the one from the FGT acting as the MITM, yes?

    Even then, the proposed fix wouldn't apply to my situation, I think.
    #8
    BK_LGW
    Re: SSL/SSH Inspection Challenge - Invalid Digital Signature 2020/07/13 11:12:33 (permalink)
    emnoc
    That error is typically one of the following:

    • Authority certificate may be expired, not trusted, etc.
    • Browser security settings

    Ken Felix


    Thank you, Ken. The issue persists, even though I followed this post to set it up (https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/680736/microsoft-ca-deep-packet-inspection). I can't see how it would be the browser security settings when twitter.com causes the error but other pages like instagram.com and gambling.com are blocked properly, meaning the block page shows as expected. Wouldn't the fact that those work without issue also mean that the certificate from the FGT and the higher CAs are indeed trusted?
    #9