SSL VPN - Certificate Error / TLS error

Author: atomicbullet (New Member)
2020/10/22 10:21:38

SSL VPN - Certificate Error / TLS error

I hope someone is able to help me.
 
I'm currently having issues connecting to Fortigate 80E using SSL VPN. v6.2.3
 
I currently have 2 root certificates on the appliance.
 
CA1 - OLD root Certificate
CA2 - New Root Certificate
 
PKI users
User1 - CA1(old cert)
Subject - CN=username (matches the user cert CN subject on the device)
Connects fine
 
User2 - CA2(new cert)
Subject - CN=username(matches the user cert CN subject on the device)
Error in connection.
 
I receive different errors when I connect - sometimes it's more the certificate error but other times it's the TLS error.
 

 
This was originally working but now fully doesn't work. If I switch the cert for the user back to the old root CA and matching subject then they can connect without issues.
 
Current Config:
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-1

Doing some debug on the appliance and trying to connect, I managed to trace where the errors start by comparing it to the working connection.
 
SSL state:SSLv3/TLS read client key exchange (Remote User IP)
SSL state:fatal decrypt error (Remote User IP)
SSL state:error:(null)(Remote User IP)
SSL_accept failed, 1:bad signature
 
Now, first it's been suggested that SSLv3 is disabled; however, I can't see how to do that on version 6.2 or above other than by setting the SSL min / max versions which are listed above. I have also ensured that all the TLS options within IE settings are selected when testing this out.
 
Ideally I need to get this sorted within the next couple of weeks as the users' certs are expiring from the old root.
 
Could anyone post any suggestions?
 
Thanks.
#1

5 Replies

    emnoc (Expert Member)
    Re: SSL VPN - Certificate Error / TLS error 2020/10/22 11:07:24
    Is the cert trusted by the end-user? I would start at that point first and then work forward.
     

    PCNSE 
    NSE 
    StrongSwan  
    #2
    atomicbullet (New Member)
    Re: SSL VPN - Certificate Error / TLS error 2020/10/22 11:20:49
    The cert is fully trusted by the device - these are issued out through SCEP.
     
    We also use this cert for Cisco AnyConnect, which works without issue - one difference between these is AC doesn't require the subject to be mapped to the user, rather just that there is a user cert there that matches the root cert on the appliance.
     
     
    #3
    emnoc (Expert Member)
    Re: SSL VPN - Certificate Error / TLS error 2020/10/22 15:18:50
    Can you show us what you mean by mapped to the user? Are you using user or peer group?
     
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #4
    atomicbullet (New Member)
    Re: SSL VPN - Certificate Error / TLS error 2020/10/23 05:03:25
    We're using PKI users along with the subject name from the certificate issued to the user, as advised by Fortigate when we initially set up the device. The user then selects the cert within the FortiClient and it should connect. This works correctly for the old cert/root but not the new one.
     

    #5
    emnoc (Expert Member)
    Re: SSL VPN - Certificate Error / TLS error 2020/10/23 07:27:46
    Yes, that I understand. Did you run any diag debug sslvpnd -1 and look at the user when he/she comes in? Also, if you just do a blind accept for that root CA that signed the certificate, does the client access the VPN? So just ignore the CN string and see if the certificate is accepted on verification.
     
    Also, where did you set the user peer up, within the auth-rule? Follow this blog thread for examples:
     
    https://socpuppet.blogspo...with-certificates.html
     
     
    Ken Felix
    SCTG-MS

    PCNSE 
    NSE 
    StrongSwan  
    #6
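Added example, not from the thread or from Fortinet, of the two-step test emnoc proposes: a throwaway CA1, CA2 and a User2 client cert are constructed in Go (standard library only; mkCert and pkiUserCheck are hypothetical helper names), and the client cert is then checked for acceptance of its signing root and for the CN subject match as separate results, so a failing cert shows which of the two it falls at.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert (hypothetical helper) issues a cert for cn: a self-signed root when isCA is set (standing in for CA1/CA2), otherwise a client cert signed by parent, as SCEP would enroll it.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a throwaway PKI
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		parent, parentKey = tmpl, key // roots sign themselves
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pkiUserCheck splits the PKI-user decision into the two tests emnoc suggests running separately: chainOK is the blind accept of the signing root, cnOK the subject CN match layered on top of it.
func pkiUserCheck(client, root *x509.Certificate, wantCN string) (chainOK, cnOK bool, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil, client.Subject.CommonName == wantCN, err
}

func main() {
	ca1, _ := mkCert("CA1", true, nil, nil)
	ca2, ca2Key := mkCert("CA2", true, nil, nil)
	user2, _ := mkCert("username", false, ca2, ca2Key) // User2's cert, issued under the new root
	fmt.Println(pkiUserCheck(user2, ca2, "username")) // true true <nil>
	fmt.Println(pkiUserCheck(user2, ca1, "username")) // false true + unknown authority error: CN matches, root does not
}
```

Running the same client cert against each configured root makes the distinction visible: a CN that matches but a chain that fails points at the CA configuration or the issued cert, not at the PKI user's subject string.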