Troubleshooting Tip: SSL certificate inspection not blocking sessions with expired certificates
| Description | This article describes how to handle an issue where SSL certificate inspection does not block sessions with expired certificates. |
| Scope | FortiGate. |
| Solution | In some scenarios, the configuration of Common Options in the SSL/SSH Inspection profile does not guarantee that the certificate expiration date, revocation status, or other parameters are actually validated. |
For testing purposes, use the following URL: https://expired.badssl.com.
This happens even though the option has been enabled in the GUI.
For troubleshooting, enable IPS debugging on the device. This level of debugging is typically used when comprehensive details are needed to troubleshoot complex SSL issues. It can generate a large amount of output, so it should be used with caution, especially in production environments. It is highly recommended to enable the debug commands with source/destination/port filters.
To filter the traffic, use the command below:
diagnose ips filter set
This filter is a Berkeley filter, which allows the use of many parameters such as source, destination, and TCP/UDP ports. Example : Filter the traffic from source IP 1.1.1.1 and TCP port 443:
diagnose ips filter set 'src 1.1.1.1 and tcp port 443'
Verify the filter with the following command:
diagnose ips filter status
DEBUG FILTER:
To troubleshoot the issue, enable the debugging as in the example below:
diagnose debug reset
diagnose debug console timestamp enable
diagnose ips filter set 'host x.x.x.x'
diagnose ips debug enable all
diagnose ips debug status show
diagnose ips ssl debug noise
diagnose debug enable
Debug output:
[2172@8]ips_transit_tcp_state: (C:SYN_SENT S:LISTEN) -- SYN -> failure: 1, whitelist: 0
The result of the validation is PASS:
[2172@8]ips_asm_set_seq: set asm seq: 07a8e573
This is expected behavior. Common Options are only validated by the IPS engine for policies in proxy mode or for Full SSL Inspection mode.
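To confirm from a client behind the policy which case applies (the expired certificate passed through unchanged under certificate inspection, the certificate re-signed under full SSL inspection, or the session dropped), the following Python probe is an added example, not part of the Fortinet article; it assumes the client's trust store does not contain the FortiGate inspection CA and uses the expired.badssl.com test site named above.

```python
import socket
import ssl
from typing import Optional

TEST_HOST = "expired.badssl.com"  # test site named in the article

# OpenSSL X509 verification result codes that ssl.SSLCertVerificationError
# exposes as .verify_code
X509_V_ERR_CERT_HAS_EXPIRED = 10
RESIGNED_CHAIN_CODES = {18, 19, 20}  # self-signed leaf/chain or unknown local issuer


def classify_verify_code(code: int, message: str = "") -> str:
    """Interpret a client-side certificate verification failure."""
    if code == X509_V_ERR_CERT_HAS_EXPIRED:
        # Certificate inspection leaves the server certificate untouched, so the
        # expired original reached the client: the session was not blocked.
        return "NOT BLOCKED: the original expired certificate reached the client"
    if code in RESIGNED_CHAIN_CODES:
        # Full SSL inspection re-signs with the FortiGate CA; a client that does
        # not trust that CA sees an untrusted chain instead of the expired cert.
        return "RE-SIGNED: full SSL inspection replaced the certificate"
    return f"other verification failure ({code}): {message}"


def verdict(exc: Optional[BaseException]) -> str:
    """Map the outcome of a verifying TLS handshake (None = success) to a verdict."""
    if exc is None:
        return "handshake completed: the client trusts the presented certificate"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return classify_verify_code(getattr(exc, "verify_code", -1),
                                    getattr(exc, "verify_message", str(exc)))
    if isinstance(exc, (ConnectionResetError, ConnectionAbortedError, socket.timeout)):
        return "BLOCKED or dropped: the session was reset before the handshake finished"
    return f"connection error: {exc!r}"


def probe(host: str = TEST_HOST, port: int = 443, timeout: float = 5.0) -> str:
    """Perform a fully verifying TLS handshake through the inspected path."""
    ctx = ssl.create_default_context()  # verifies chain, expiry and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return verdict(None)
    except OSError as exc:  # ssl.SSLError and socket errors are OSError subclasses
        return verdict(exc)


if __name__ == "__main__":
    print(probe())
```

Run it once with a policy in certificate-inspection mode and once in full-inspection (proxy) mode to see the difference the last paragraph describes.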

