Skip to main content
gbamania
Staff
gbamania
Staff
November 16, 2022

Technical Tip: How FortiGate performs Deep Inspection of the SSL/TLS communication between a Client and Server when Client Certificate Authentication is required by the Server

  • November 16, 2022
  • 0 replies
  • 6439 views
Description

This article describes a use case where SSL Deep Inspection is enabled on FortiGate and when the destination host/webserver requires the client to present its Client Certificate during SSL/TLS negotiation as part of authentication.
Scope FortiGate.
Solution

Currently, FortiGate does not support relaying the Client Certificate to the web server and at the same time performing Deep inspection of the SSL/TLS session in either of the following deep inspection modes.

 

Configuring Deep Inspection profile on FortiGate:


config firewall ssl-ssh-profile
    edit <Profile-name>
    server-cert-mode ?        

    re-sign <----- Multiple Clients Connecting to Multiple Servers.

 

or

replace      <----- Protect an SSL server.

 

config https

    set ports 443
    set client-certificate ?

    bypass     <----- Bypass the session.

    inspect    <----- Inspect the session.

    block      <----- Block the session.
end

  • When client-certificate setting is set to 'bypass', FortiGate will exempt that session from SSL deep inspection and pass the client certificate to the server for SSL/TLS negotiation. Deep inspection is not performed in this case.
  • When client-certificate setting is set to 'inspect', FortiGate performs deep inspection but won’t send the Client Certificate to Server. Thus, it could lead to SSL/TLS negotiation issues and connection drop. FortiOS does not support re-signing Client Certificates via deep inspection configuration. Only supported by FortiProxy.
  • When client-certificate setting is set to 'block', FortiGate will block the session when it receives the client-certificate during SSL/TLS negotiation.

 

Alternate Solutions:

  • Solution 1: Add website to SSL Exemption list (refer to this KB article: Exempting applications from SSL Inspection).
  • Solution 2: FortiGate supports client certificate authentication used in mutual Transport Layer Security (mTLS) communication between a client and server.

 

Related document:
mTLS client certificate authentication
    Terms & ConditionsAccessibility statement