SSL VPN - Certificate Error / TLS error
I hope someone is able to help me.
I'm currently having issues connecting to a Fortigate 80E (v6.2.3) using SSL VPN.
I currently have 2 root certificates on the appliance.
CA1 - OLD root Certificate
CA2 - New Root Certificate
User1 - CA1(old cert)
Subject - CN=username (matches the user cert CN subject on the device)
User2 - CA2(new cert)
Subject - CN=username (matches the user cert CN subject on the device)
Error in connection.
I receive different errors when I connect - sometimes it's more the certificate error, but other times it's the TLS error.
This was originally working but now fully doesn't work. If I switch the cert for the user back to the old root CA and matching subject, then they can connect without issues.
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-1
Doing some debug on the appliance and trying to connect, I managed to trace where the errors start by comparing it to the working connection.
SSL state:SSLv3/TLS read client key exchange (Remote User IP)
SSL state:fatal decrypt error (Remote User IP)
SSL state:error:(null)(Remote User IP)
SSL_accept failed, 1:bad signature
Now, first it's been suggested that SSLv3 is disabled; however, I can't see how to do that on version 6.2 or above other than setting the SSL min / max versions listed above. I have also ensured that all the TLS options within the IE settings are selected when testing this out.
Ideally I need to get this sorted within the next couple of weeks, as the users' certs are expiring from the old root.
Could anyone post any suggestions?
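Added example (not from the post or from Fortinet): a small OpenSSL lab that rebuilds the setup above with constructed CAs and user certs (CA1 old root, CA2 new root, user certs with CN=username) and runs the two client-side checks worth doing before blaming the appliance: whether the user cert actually chains to the root the VPN trusts, and whether the private key the client presents matches the cert's public key (a mismatch shows up server-side exactly as a signature failure right after the client key exchange). File names and CN values are hypothetical.

```shell
#!/bin/sh
# Constructed lab: two self-signed root CAs and one user cert per CA,
# mirroring the post (CA1 = old root, CA2 = new root). Not real PKI data.
set -e
work=$(mktemp -d)
cd "$work"

mk_ca() {   # $1 = CA name; self-signed root written to $1.pem / $1.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

mk_user() { # $1 = user name, $2 = issuing CA name; leaf cert CN=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 90 -out "$1.pem" >/dev/null 2>&1
}

# Check 1: does the user cert ($1) chain to the root ($2) the VPN trusts?
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2: does the private key ($2) belong to the cert ($1)? Compares the
# SubjectPublicKeyInfo derived from each side; any difference means the
# client will sign the handshake with a key the server cannot verify.
key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Signature algorithm of a cert, useful when old and new roots differ.
sig_alg() {
  openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | head -n 1
}

mk_ca CA1
mk_ca CA2
mk_user user1 CA1   # old user cert, issued by the old root
mk_user user2 CA2   # new user cert, issued by the new root

chains_to user2.pem CA2.pem && echo "user2 chains to CA2"
chains_to user2.pem CA1.pem || echo "user2 does NOT chain to CA1"
key_matches user2.pem user2.key && echo "user2 key matches cert"
sig_alg user2.pem
```

Run the same two checks against the real user cert and key exported from the client, and against the CA certificate actually installed on the FortiGate, before touching the TLS version settings.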