Hot!SSL Inspection - connection reset

Author
Dmp
Bronze Member
  • Total Posts : 29
  • Scores: 2
  • Reward points: 0
  • Joined: 2012/06/05 13:49:47
  • Status: offline
2013/06/14 08:42:03 (permalink)
0

SSL Inspection - connection reset

Hi everyone,
I' ve been trying to figure out this issue for some time, i' m trying to implement SSL inspection for webfiltering and on some sites i' ve got connection resets while on others everything works beautifully.

My main issue is that one of these sites is Google, and Facebook is another, each time i want to access this sites with SSL inspection, a connection reset ocurrs.
A site that works, for example, www.ibm.com or support.fortinet.com.

The CA certificate in the Fortigate was correctly imported in the client, also was signed by our internal root_ca, so no issues there. Several browsers tested (IE, Chrome, Firefox), Windows & Linux also tested.

I attach a log with an attempt to access https://www.google.com.

My system: Fortigate 60D with FortiOS 5.0.3.

Any insight is welcome, thanks in advance.
#1

10 Replies Related Threads

    mbrowndcm
    Gold Member
    • Total Posts : 152
    • Scores: 1
    • Reward points: 0
    • Joined: 2008/11/03 09:29:37
    • Location: nyc
    • Status: offline
    RE: SSL Inspection - connection reset 2013/06/14 11:00:15 (permalink)
    0
    That' s interesting that it works fine on some sites, but not all sites over https. Are you blocking some sites, and not others? You' re probably not blocking google.com, right?

    Try this instead:

    diag debug enable
    diag debug console timestamp enable
    diag debug flow show console enable
    diag debug flow show function-name enable
    diag debug flow filter addr 10.9.193.232
    diag debug flow filter port 443
    diag debug flow trace start 50


    Then try from 10.9.193.232.

    To stop and clear:

    diag debug disable
    diag debug flow filter clear
    diag debug reset



    Also try this:

    diag debug enable
    diag debug console timestamp enable
    diag debug app ssl -1


    To stop and reset:

    diag debug disable
    diag debug reset


    You may want to log printable output to a file by using puTTy.


    You might be seeing TCP RST because of your browser.

    " …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - Raymond Chen
    #2
    Dmp
    Bronze Member
    • Total Posts : 29
    • Scores: 2
    • Reward points: 0
    • Joined: 2012/06/05 13:49:47
    • Status: offline
    RE: SSL Inspection - connection reset 2013/06/14 11:20:55 (permalink)
    0
    Hi mbrowndcm,
    Thanks for the reply, you are correct, google is not filtered, what is more, even with webfilter not active (just SSL inspection, no AV, WF, etc) the connection still gets resetted.
    Attaching the log you requested, you' ve got 2 tries to get to www.google.com with flow trace first and another one with the ssl debugging at last.

    Regards.
    #3
    mbrowndcm
    Gold Member
    • Total Posts : 152
    • Scores: 1
    • Reward points: 0
    • Joined: 2008/11/03 09:29:37
    • Location: nyc
    • Status: offline
    RE: SSL Inspection - connection reset 2013/06/14 11:53:09 (permalink)
    0

    2013-06-14 15:12:06 69:ssl srv port close recv
    2013-06-14 15:12:06 69:shouldReset, type 1
    2013-06-14 15:12:06 [65]-<000.000000> [69]: 10.9.193.232:45210 --> 74.125.229.178:443: [SSL SVRRDRDY ] Event - RESET_EVENT
    2013-06-14 15:12:06 [65]-<000.000000> [69]: 10.9.193.232:45210 --> 74.125.229.178:443: [SSL SVRRDRDY ] RESET_STATE
    2013-06-14 15:12:06 [65]-[69] ips closed
    2013-06-14 15:12:06 ipsapp ses 69 close
    2013-06-14 15:12:06 ipsapp ses 69 send end msg 145 len 0 dir 0
    2013-06-14 15:12:06 69:checkConnectionEvent
    2013-06-14 15:12:06 69:resetConn
    2013-06-14 15:12:06 69:proxy_ssl_port_exit
    2013-06-14 15:12:06 69:proxy_ssl_port_close
    ...
    2013-06-14 15:12:09 70:checkConnectionEvent
    2013-06-14 15:12:09 check fd 12
    2013-06-14 15:12:09 clear client read
    2013-06-14 15:12:09 set client write
    2013-06-14 15:12:09 check fd 13
    2013-06-14 15:12:09 set server read
    2013-06-14 15:12:09 set server write
    2013-06-14 15:12:09 70:sslStateCheck
    2013-06-14 15:12:09 reset event
    2013-06-14 15:12:09 [65]-<000.000000> [70]: 10.9.193.232:45211 --> 74.125.229.178:443: [SSL LOOPEND ] Event - RESET_EVENT
    2013-06-14 15:12:09 [65]-<000.000000> [70]: 10.9.193.232:45211 --> 74.125.229.178:443: [SSL LOOPEND ] RESET_STATE
    2013-06-14 15:12:09 [65]-[70] ips closed
    2013-06-14 15:12:09 ipsapp ses 70 close
    2013-06-14 15:12:09 ipsapp ses 70 send end msg 147 len 0 dir 0
    2013-06-14 15:12:09 70:resetConn
    2013-06-14 15:12:09 70:proxy_ssl_port_exit
    2013-06-14 15:12:09 70:proxy_ssl_port_close


    ..seem interesting. Looks like your client is sending a RST.

    Sounds like a certificate error? What configuration method did you use? Did you install both the private key of the cert and the public cert to make the Fortigate a subordinate CA? " CA:TRUE" is listed in Certificate Details? [this was done by either using `openssl ca -extensions v3_ca` or by requesting a " subordinate CA" cert from a MSFT Windows CA]

    Sorry to review the trivialities.
    < Message edited by mbrowndcm -- 6/14/2013 12:12:16 PM >

    " …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - Raymond Chen
    #4
    Dmp
    Bronze Member
    • Total Posts : 29
    • Scores: 2
    • Reward points: 0
    • Joined: 2012/06/05 13:49:47
    • Status: offline
    RE: SSL Inspection - connection reset 2013/06/14 12:15:00 (permalink)
    0
    Hi,
    I think that if there was a certificate error all sites should fail and/or give an incorrect certificate error (i' ve made my share of trial and errors last year ).
    The certificate was created in the Fortigate itself (Certificates -> Local Certificates -> Generate), so there shouldn' t be any issues with the keys, the CSR was downloaded and sent to our root_CA for validation, then the validated certificate was uploaded, i' m attaching a screenshot of the certificate itself.
    Oh, and i' ve already tried generating the key+cert outside the FG, then importing it, still same result.

    I thought of the browser, already tried IE 10, Firefox 21 & Chrome 27, plus the test machine used for the traces i' ve sent is a brand new installed Linux Mint 15 with Firefox 20 and Chromium 25, all browsers same result, tried using SSL 3.0 only, again, the result is the same.

    Don' t be sorry for asking the trivialities, i usually make mistakes so no harm done in checking again. :)

    Thanks for the input, its really appreciated.

    Attached Image(s)

    #5
    mbrowndcm
    Gold Member
    • Total Posts : 152
    • Scores: 1
    • Reward points: 0
    • Joined: 2008/11/03 09:29:37
    • Location: nyc
    • Status: offline
    RE: SSL Inspection - connection reset 2013/06/14 12:46:57 (permalink)
    0
    Cool. I agree, if it was the cert, it would fail globally (of course!).

    Have you tried testing with a total other client like `curl`?
    curl --insecure https://google.com


    That' s interesting, seeing:

    <HTML><HEAD><meta http-equiv=" content-type" content=" text/html;charset=utf-8" >
    <TITLE>301 Moved</TITLE></HEAD><BODY>
    <H1>301 Moved</H1>
    The document has moved
    <A HREF=" https://www.google.com/" >here</A>.
    </BODY></HTML>


    What happens if:
    1) you create a URL Filter and exempt google.com?
    2) you disable " Block HTTP Redirects by Rating" ? (I know this won' t do anything)
    3) you access another 301 redirected page?
    4) Try to review the logs to see if web filter or app control are dropping the packets... what about other layers in your packet flow beyond the ssl mitm proxy and the firewall policies?
    5) If this was working before, but now is not, you can also try to restart the ssl daemon:

    diag test app ssl 99
    < Message edited by mbrowndcm -- 6/14/2013 12:58:28 PM >

    " …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - Raymond Chen
    #6
    Dmp
    Bronze Member
    • Total Posts : 29
    • Scores: 2
    • Reward points: 0
    • Joined: 2012/06/05 13:49:47
    • Status: offline
    RE: SSL Inspection - connection reset 2013/06/14 13:33:51 (permalink)
    0
    Let' s start with the first (and end with the last).

    a - Our good friend curl gives error 35, unknown SSL protocol error in connection with www.google.com:443.

    1 - For tests sake i enabled WF and exempted google.com (it wasn' t enabled in the traces before), it gets a little better since now the redirect happens, but still after that the connection gets resetted (i' ve also already exempted my local google site).
    *Edit: Correct that, now it works... randomly, sometimes it resets, sometimes it works, let' s say works 85% of the time*
    2 - It wasn' t enabled to begin with, so you' re right, it doesn' t do anything. :)
    3 - See comment 1, yup.
    4 - No packets dropped in the logs, still, please take into account that this reset happens just by adding SSL inspection, no other modules are needed for the connection drop to happen (i' ve tried to simplify things, it fails with or without the other modules running); so the only things enabled ATM are Vdoms, SSL inspection and 1 firewall policy, that' s it.
    5 - It never worked, still, for tests sake

    webfilter (global) # diagnose test application sslacceptor 99
    2013-06-14 17:27:42 restarting ssl proxy

    webfilter (global) # diagnose test application sslworker 99

    SSL Worker 0:
    2013-06-14 17:27:50 restarting ssl proxy

    webfilter (global) #
    < Message edited by Dmp -- 6/14/2013 1:42:29 PM >
    #7
    mbrowndcm
    Gold Member
    • Total Posts : 152
    • Scores: 1
    • Reward points: 0
    • Joined: 2008/11/03 09:29:37
    • Location: nyc
    • Status: offline
    RE: SSL Inspection - connection reset 2013/06/14 13:48:51 (permalink)
    0
    Cool. I had a problem yesterday where all my HTTPS inspection... just... dropped... isolated in a single VDOM. wat. I restarted the `ssl` daemon and it worked.

    So you mean you simply have " Enable Deep Scanning" enabled in the protocol options object, don' t have HTTPS Deep Scanning enabled in a web filter, and no other UTM policies attached to the policy, and you are facing this state?

    That' s crazy, but I have no other idea. With my problem above, I quickly reverted to a _web filter_ I had with no HTTPS Deep Scanning enabled, and traffic passed through HTTPS (even with a protocol options object assigned with Enable Deep Scanning enabled!).

    I' d just call support.

    " …you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - Raymond Chen
    #8
    Dmp
    Bronze Member
    • Total Posts : 29
    • Scores: 2
    • Reward points: 0
    • Joined: 2012/06/05 13:49:47
    • Status: offline
    RE: SSL Inspection - connection reset 2013/06/14 14:03:52 (permalink)
    0
    Yes, i understand, i have the advantage that this is a brand new 60D so i can reboot it whenever needed.
    That' s what i mean, in FortiOS 5 " terms" , 1 policy (internal1 -> wan1, ALL to ALL protocols accepted), in " Security Profiles" just SSL Inspection enabled and no other funky stuff apart from the custom certificate, all this being contained in root vdom.

    I' ve unpacked the 60D 3 days ago and factory resetted, upgraded to 5.0.3, just created the vdoms and that' s it from the " hardware" POV. I don' t think that issue lies in the unit, but i' ll try with a brand new one on Monday and will also try to get a new MPLS line with my TelCo, all this is beyond weird..

    Anyway, as said before, i highly appreciate your feedback on the matter, thank you very much.
    < Message edited by Dmp -- 6/14/2013 2:06:08 PM >
    #9
    Dmp
    Bronze Member
    • Total Posts : 29
    • Scores: 2
    • Reward points: 0
    • Joined: 2012/06/05 13:49:47
    • Status: offline
    RE: SSL Inspection - connection reset 2013/06/17 10:37:23 (permalink)
    0
    Just a little follow-up, i' ve replaced the unit and still the same error, downgraded FortiOS to 5.01 (the lowest i can go on 60D) and still the same.

    Weirdly enough, i' ve tested it with one of my 60C and everything works beautifully, so either its FortiOS5 having a nasty behaviour or ...
    #10
    Rotempe
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2018/10/09 07:42:01
    • Status: offline
    Re: RE: SSL Inspection - connection reset 2018/11/15 23:18:09 (permalink)
    0
    I know it is old issue, but I got it now at 501e .

    I have 12 other models and this is the only one that as this issue.
    #11
    Jump to:
    © 2018 APG vNext Commercial Version 5.5