Technical Tip: Upgrade to the latest MS Windows 10 version breaks the SSLVPN login using PKI with some crypto cards
Description
FortiOS supports the RSA-PSS signature algorithm starting with version 6.0.x.
The recent MS Windows 10 update 2004.19041 introduced new schannel features, i.e. TLS 1.3 support, including RSA-PSS signatures.
When authentication is performed with crypto cards, the cards themselves must also support the RSA-PSS signature scheme.
When the crypto card does not support RSA-PSS, MS Windows will not negotiate a different signature scheme and the authentication fails.
This is a known issue with Belgian public eID cards.
Solution
If you are currently running FortiOS 5.6.x or an older version, confirm before upgrading that the crypto card supports the RSA-PSS signature scheme.
The workaround was implemented in FortiOS 6.4.5 and is also present in 7.0.x:
# config vpn ssl settings
    set client-sigalgs no-rsa-pss
end

If a FortiOS version that does support RSA-PSS is already running (FortiOS 6.0.x, 6.2.x) but does not support this workaround, disable the update of MS Windows 10 to version 2004.19041 or newer until the issue is addressed by Microsoft.
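To confirm from a packet capture which signature schemes the FortiGate actually offers to the Windows client before and after the setting above, the following added example (not Fortinet code) decodes the signature_algorithms list carried in a TLS CertificateRequest (TLS 1.2 supported_signature_algorithms field or the TLS 1.3 signature_algorithms extension, both encoded the same way) and reports whether any RSA-PSS scheme is present. The two byte strings are constructed samples, not a capture from a real device.

```python
# Decode a TLS signature_algorithms list (RFC 8446 section 4.2.3 layout:
# 2-byte list length followed by 2-byte SignatureScheme code points) and
# report whether an RSA-PSS scheme is offered. Feed it the extension body
# extracted from a CertificateRequest in a packet capture.
import struct

# IANA SignatureScheme code points (RFC 8446 / RFC 5246 compatible values).
SIGNATURE_SCHEMES = {
    0x0401: "rsa_pkcs1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0809: "rsa_pss_pss_sha256",
    0x080A: "rsa_pss_pss_sha384",
    0x080B: "rsa_pss_pss_sha512",
}

def parse_signature_algorithms(ext_body: bytes) -> list:
    """Return the scheme names in the order the peer offers them.
    Raises ValueError on a truncated or malformed list."""
    if len(ext_body) < 2:
        raise ValueError("truncated signature_algorithms list")
    (list_len,) = struct.unpack("!H", ext_body[:2])
    if list_len % 2 or 2 + list_len > len(ext_body):
        raise ValueError("bad signature_algorithms list length")
    codes = struct.unpack("!%dH" % (list_len // 2), ext_body[2:2 + list_len])
    return [SIGNATURE_SCHEMES.get(c, "unknown_0x%04x" % c) for c in codes]

def offers_rsa_pss(ext_body: bytes) -> bool:
    """True if any rsa_pss_* scheme appears in the offered list."""
    return any(n.startswith("rsa_pss_") for n in parse_signature_algorithms(ext_body))

# Constructed sample lists (hypothetical, not captured from a FortiGate).
# Default: PSS schemes listed first, as a TLS 1.3 stack typically advertises.
DEFAULT_SIGALGS = bytes.fromhex("000a" "0804" "0805" "0401" "0501" "0403")
# After "set client-sigalgs no-rsa-pss": PKCS#1 v1.5 and ECDSA only.
NO_PSS_SIGALGS = bytes.fromhex("0006" "0401" "0501" "0403")

if __name__ == "__main__":
    for label, body in (("default", DEFAULT_SIGALGS), ("no-rsa-pss", NO_PSS_SIGALGS)):
        print(label, parse_signature_algorithms(body), "rsa_pss offered:", offers_rsa_pss(body))
```

A card that cannot produce PSS signatures will still fail if the first list is what the client sees; the second list is what the workaround is meant to produce.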
