Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
atomicbullet
New Contributor

SSL VPN - Certificate Error / TLS error

I hope someone is able to help me.

 

I'm currently having issues connecting to Fortigate 80E using SSL VPN. v6.2.3

 

I currently have 2 root certificates on the appliance.

 

CA1 - OLD root Certificate

CA2 - New Root Certificate

 

PKI users

User1 - CA1(old cert)

Subject - CN=username (matches the user cert CN subject on the device)

Connects fine

 

User2 - CA2(new cert)

Subject - CN=username(matches the user cert CN subject on the device)

Error in connection.

 

I receive different errors when I connect - sometimes it's more the certificate error, but other times it's the TLS error.

 

 

This was originally working but now fully doesn't work. If I switch the cert for the user back to the old root CA and matching subject, then they can connect without issues.

 

Current Config:

ssl-max-proto-ver : tls1-3

ssl-min-proto-ver : tls1-1

Doing some debug on the appliance and trying to connect, I managed to trace where the errors start when comparing it to the working connection.

 

SSL state:SSLv3/TLS read client key exchange (Remote User IP)
SSL state:fatal decrypt error (Remote User IP)
SSL state:error:(null)(Remote User IP)
SSL_accept failed, 1:bad signature

 

Now, first, it's been suggested that SSLv3 is disabled; however, I can't see how to do that on version 6.2 or above other than by setting the SSL min/max versions listed above. I have also ensured that all the TLS options within the IE settings are selected when testing this out.

 

Ideally I need to get this sorted within the next couple of weeks, as the users' certs from the old root are expiring.

 

Could anyone post any suggestions?

 

Thanks.

emnoc
Esteemed Contributor III

Is the cert trusted by the end user? I would start at that point first and then work forward.

 

PCNSE 

NSE 

StrongSwan  

atomicbullet

The cert is fully trusted by the device - these are issued out through SCEP

 

We also use this cert for Cisco AnyConnect, which works without issue - one difference between these is that AC doesn't require the subject to be mapped to the user, rather just that there is a user cert that matches the root cert on the appliance.

 

 

emnoc
Esteemed Contributor III

Can you show us what you mean by mapped to the user? Are you using a user or a peer group?

 

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

atomicbullet

We're using PKI users along with the subject name from the certificate issued to the user, as advised by Fortigate when we initially set up the device. The user then selects the cert within the Forticlient and it should connect. This works correctly for the old cert/root but not the new one.

 

emnoc
Esteemed Contributor III

Yes, that I understand. Did you run any diag debug sslvpnd -1 and look at the user when he/she comes in? Also, if you just do a blind accept for that root CA that signed the certificate, does the client access the VPN? So just ignore the CN string and see if the certificate is accepted on verification.

 

Also, where did you set the user peer up, within the auth-rule? Follow this blog thread for examples:

 

https://socpuppet.blogspo...with-certificates.html

 

 

Ken Felix

SCTG-MS

PCNSE 

NSE 

StrongSwan  
