Troubleshooting Tip: How to fix the certificate errors caused by the client-hello SNI check (Adobe example)
| Description | This article describes a certificate error shown for some sites when an SSL certificate-inspection profile is applied in a firewall policy, as in the following example:
The error appears even when the firewall policy already contains exemptions and allow entries for the traffic:
This happens because the SNI sent in the client-hello message is checked against the CN and SAN of the certificate the server returns; if the SNI does not match any name registered in that certificate, the session is flagged as an untrusted host. The `ssl_sni_cert_check` uses the presence of the `SSL_SERVER_STATUS_SNI_VERIFIED` flag to determine whether the SNI matched the CN/SAN.
In the example, the certificate is issued to *.adobe.com, but the Creative Cloud tools connect to hosts under *.creativecloud.adobe.com. A wildcard covers only a single DNS label, so *.adobe.com does not cover a name with an extra label in front of adobe.com. This discrepancy causes the error when the traffic is inspected, even though all of the traffic is being allowed. |
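The following is an added example, not code from the Fortinet article or FortiOS itself: a small model of the SNI-versus-certificate name check described above, using the RFC 6125 wildcard rule that a `*` covers exactly one DNS label. The certificate contents and the hostname `assets.creativecloud.adobe.com` are constructed for illustration, and the `sni-verified` / `untrusted-host` outcome strings are placeholders for the `SSL_SERVER_STATUS_SNI_VERIFIED` decision, not FortiOS identifiers. It shows why a certificate issued to `*.adobe.com` fails the check for a Creative Cloud host while one issued to `*.creativecloud.adobe.com` passes.

```python
# Added example (not FortiOS code): model of the client-hello SNI check.
# All certificate fields and hostnames below are constructed for illustration.
from dataclasses import dataclass, field
from typing import List


@dataclass
class ServerCert:
    """The parts of a server certificate the SNI check looks at."""
    cn: str
    san: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        # The article says the SNI is compared with both CN and SAN.
        return [self.cn] + self.san


def name_matches(cert_name: str, sni: str) -> bool:
    """Match one certificate name against the SNI with RFC 6125 wildcard rules.

    A '*' is honoured only as the whole leftmost label and covers exactly one
    label: '*.adobe.com' covers 'www.adobe.com' but neither the bare
    'adobe.com' nor 'assets.creativecloud.adobe.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    sni = sni.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == sni
    cert_labels = cert_name.split(".")
    sni_labels = sni.split(".")
    # Reject partial wildcards ('w*.adobe.com') and wildcards too close to the
    # root ('*.com'); both are disallowed by common TLS name-matching rules.
    if (cert_labels[0] != "*" or len(cert_labels) < 3
            or any("*" in label for label in cert_labels[1:])):
        return False
    # Same number of labels, and every label after the wildcard must be equal.
    return len(sni_labels) == len(cert_labels) and sni_labels[1:] == cert_labels[1:]


def sni_verified(sni: str, cert: ServerCert) -> bool:
    """True when the SNI from the client hello matches any CN/SAN entry."""
    return any(name_matches(name, sni) for name in cert.names())


def check_session(sni: str, cert: ServerCert) -> str:
    """Outcome the inspection profile reaches for this session (placeholder labels)."""
    return "sni-verified" if sni_verified(sni, cert) else "untrusted-host"


# Constructed certificates: the first models the *.adobe.com certificate from
# the article, the second a certificate that covers the Creative Cloud subdomain.
ADOBE_WILDCARD_CERT = ServerCert(cn="*.adobe.com", san=["*.adobe.com", "adobe.com"])
CREATIVE_CLOUD_CERT = ServerCert(cn="*.creativecloud.adobe.com",
                                 san=["*.creativecloud.adobe.com"])

if __name__ == "__main__":
    sessions = [
        ("www.adobe.com", ADOBE_WILDCARD_CERT),
        ("assets.creativecloud.adobe.com", ADOBE_WILDCARD_CERT),  # constructed host
        ("assets.creativecloud.adobe.com", CREATIVE_CLOUD_CERT),
    ]
    for host, cert in sessions:
        print(f"{host:32} vs {cert.cn:28} -> {check_session(host, cert)}")
```

Running the block prints one line per constructed session; the second line is the case from the article, where the SNI `assets.creativecloud.adobe.com` is not covered by `*.adobe.com` and the session is marked as an untrusted host even though nothing in the policy is blocking it.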
| Scope | FortiGate, FortiOS. |
| Solution | Go to Security Profiles > SSL/SSH Inspection and clone the certificate-inspection profile:
Open the cloned SSL inspection profile and, under SSL Inspection Options, select Disable the Server certificate SNI check:
Next, create a firewall policy for the specific service causing the issue:
In the Security Profiles section of that policy, select the cloned certificate-inspection profile:
Disclaimer: When SNI checks are disabled, FortiGate is unable to filter URLs if the CN (Common Name) in the server certificate does not match. This may result in inaccurate web traffic classification and filtering. Disabling SNI checks could result in a violation of security policies or laws that demand rigorous server identity verification.
When using a standard firewall policy with an Application Control profile and experiencing issues accessing Adobe services, ensure that all Adobe-related application signatures are allowed. Additionally, check the Forward Traffic logs to identify whether any related signatures, such as Akamai or certificate-related signatures, are being blocked, and allow them if necessary. |