FortiGate log message : "The SSL session was blocked because the server certificate was missing or invalid"
Description
This article provides details about the situation where a user is using certificate authentication and the session is blocked with the log error message "The SSL session was blocked because the server certificate was missing or invalid".
The error may be triggered when HTTPS inspection is enabled in the Web Filtering properties of a protection profile. This can be done with the following steps from the GUI:
1. Go to Firewall > Protection Profile.
2. Edit 'profile_name'.
3. Under FortiGuard Web Filtering, enable FortiGuard Web Filtering for HTTPS.
Log error sample
38 2009-08-20 08:59:31 webfilter itime=1250773171 date=2009-08-20 time=21:59:30 devname=XXXXXXX device_id=XXXXXXXXXX log_id=0315093008 type=webfilter subtype=urlfilter pri=notice vd=root fwver=040003 policyid=1 serial=12619408 user="USER" group="DOMAIN\GROUP" profile="Myprofile" src=10.204.0.23 sport=3685 dst=10.70.202.225 dport=443 service=https status=blocked msg="The SSL session was blocked because the server certificate was missing or invalid."
Scope
WebFiltering, HTTPS inspection, FortiGuard, SSL
Solution
There are two possible root causes for this error:
- This is not actual HTTPS traffic: the traffic uses the same port and is encrypted, but it is not compliant with the HTTPS RFC. Some applications, such as TOR or UltraSurf, exhibit this problem.
- The server expects a client certificate and drops the connection when the client fails to provide one.
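As an added example (not part of the Fortinet article), a small Python parser for the key=value format of the log sample above that flags lines carrying this message and reports the source and destination to check against the two root causes listed here. The sample log lines are constructed from the article's sample with placeholder device, user and address values.

```python
import re

# FortiGate log lines are space-separated key=value pairs; values with spaces
# or backslashes are double-quoted (e.g. group="DOMAIN\GROUP", msg="...").
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
BLOCKED_MSG = ("The SSL session was blocked because the server certificate "
               "was missing or invalid.")

# Constructed sample input: line 1 mirrors the article's log sample (device,
# user and IPs are placeholders); line 2 is a constructed benign line.
SAMPLE_LOGS = [
    'itime=1250773171 date=2009-08-20 time=21:59:30 devname=XXXXXXX '
    'log_id=0315093008 type=webfilter subtype=urlfilter pri=notice vd=root '
    'policyid=1 user="USER" group="DOMAIN\\GROUP" profile="Myprofile" '
    'src=10.204.0.23 sport=3685 dst=10.70.202.225 dport=443 service=https '
    'status=blocked msg="' + BLOCKED_MSG + '"',
    'itime=1250773200 date=2009-08-20 time=21:59:59 devname=XXXXXXX '
    'type=webfilter subtype=urlfilter pri=notice user="USER" profile="Myprofile" '
    'src=10.204.0.23 dst=10.70.202.226 dport=443 service=https '
    'status=passthrough msg="URL belongs to an allowed category in policy"',
]

def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict, unquoting values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip the surrounding double quotes
        fields[key] = value
    return fields

def find_cert_blocks(lines: list) -> list:
    """Return one triage record per webfilter line carrying the article's message."""
    hits = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "webfilter" or rec.get("msg") != BLOCKED_MSG:
            continue
        hits.append({
            "user": rec.get("user", ""),
            "src": rec.get("src", ""),
            "dst": rec.get("dst", "") + ":" + rec.get("dport", ""),
            # The two root causes from the article, as the checks to run next.
            "next_step": "does dst really speak RFC-compliant HTTPS on this port, "
                         "or does it require a client certificate?",
        })
    return hits
```

Repeated hits against the same dst usually point at one server that requires a client certificate, while hits spread across many destinations from one src suggest a non-HTTPS application on port 443.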
