Skip to main content
Diabolicus23
Diabolicus23
New Member
June 15, 2015
Question

HTTPS WebFiltering and HSTS: is it possible to avoid the certificate error message?

  • June 15, 2015
  • 3 replies
  • 21789 views

Hi all,

 

I'm using HTTPS WebFiltering with certificate only inspection in a FortiOS 5.0.x environment.

 

I've an Internal CA so everything works fine when the site I'm visiting is allowed but if it's not, the replacement message (in HTTPS) brings with him the error caused by HSTS.

I obtain the warning "The security certificate presented by this website was issued for a different website's address".

 

I'd like to avoid to disable the replacement message so... is there anything I could do?

 

Update: from a client side I'm able to prevent the warning above by disabling the "Warn about certificate address mismatch" in Internet Explorer (even if this is a "global" settings that shouldn't be disabled).

 

 

Thanks!

    3 replies

    FortiAdam
    FortiAdam
    New Member
    June 15, 2015

    I made a support inquiry on this issue a while back and they told me it would be fixed in 5.2.  I seem to remember testing it and having positive results but I'm still running 5.x in my prod environments.

     

    Can you advise what version of FortiOS you are running?

     

    If you are interested, you can disable the webfilter blockpage completely and just time out the session but I'm guessing that's not an acceptable solution.

     
    config webfilter profile
     
    edit <profile name>
     
    set https-replacemsg disble
     
    end
     
    Diabolicus23
    Diabolicus23Author
    New Member
    June 16, 2015
    Yep it seems that with flow-based webfiltering we can avoid the warning message but only in FortiOS 5.2.x
    In FortiOS 5.0.x the warning message appears.
     
    In both FortiOS we face the warning if we choose proxy webfiltering.
    aairey
    aairey
    New Member
    November 30, 2015
    Still not fixed in 5.2.3.
     
    Is this fixed in 5.2.4?
    66Stang
    66Stang
    New Member
    January 13, 2016
    Is there an option to have the Fortigate open a new browser tab/window and display the block page via HTTP instead of HTTPS?  If the page wasn't directly related to the HTTPS session it might remove the certificate error message.  I've not tested this so don't know if 5.x would support this type of config.  It sounds like the problem is related to the HTTPS redirect to the block page and certificate mismatch.  If the redirect was done via HTTP on a new browser window it might address the problem.
    Bromont_FTNT
    Staff
    Bromont_FTNT
    Staff
    January 14, 2016
    If the browser expects HTTPS with a valid signed certificate it trusts then it will always give an error/warning when it gets anything other than that. 
    
        
                                                
    
        
    
    
    

            
    
                                        
    
            
                        
    
                                                                                                            
            
    

    

    

        
    
                    
    
    
    
    

    

    
    
    

                                        
    
                                                        
    
            
        
    
    

    

    

                                    
    Terms & ConditionsAccessibility statement