Skip to main content
Jay_Libove
Jay_Libove
New Member
August 14, 2013
Question

Linux forticlientsslvpn and chained root certificates?

  • August 14, 2013
  • 7 replies
  • 8531 views
I' ve just updated to FortiClientSSLVPN v5.0.4 on Linux. Kudos to FortiNet for adding the missing functionality of the profile manager to this version. I have a chained root SSL certificate on my FG100D. I did upload the intermediate (chained) CA root certificate to the FG100D. (See my other posts for that minor saga). The Linux FortiClientSSLVPN v5.0.4 complains (every time that the client is launched and a first connection is made to this FortiGate SSLVPN) that the certificate received from the FG100D is " invalid" . " Show Certificate" in FortiClientSSLVPN seems to show a subset of the full information about the certificate. In particular, it doesn' t list the certificate' s CN/DN. I doubt this is material; more likely a display bug; but maybe it is indicative. openssl s_client -connect fgsslvpn.mycompanyname.tld:8443 (DNS name slightly obfuscated) shows the correct certificate chain: 0: my cert, which is a wildcard cert for *.mycompanyname.tld, signed by DigiCert High Assurance CA-3; then 1: DigiCert High Assurance CA-3, signed by DigiCert High Assurance EV Root CA. Moreover, dumping a copy of the SSL certificate offered at fgsslvpn.mycompanyname.tld:8443 and reading it with openssl x509 -text shows the followed: X509v3 Subject Alternative Name: DNS:*.mycompanyname.tld, DNS:mycompanyname.tld, DNS:fortigate1.mycompanyname.tld, DNS:fgsslvpn.mycompanyname.tld In addition, both Chrome and Firefox running on the same Linux client, accessing the same SSLVPN URL, disagree with FortiClientSSLVPN' s assessment of the certificate' s validity. Chrome and firefox will open https://fgsslvpn.mycompanyname.tld:8443 with no complaint. So, the chain is there, the chain is correct, and the actual cert matches the DNS name in the SSLVPN URL (both taking into account the wildcard and also with an explicit Subject Alternative Name), and two web browsers think it' s fine. So, my guess is that the FortiClientSSLVPN v5.0.4 either does not properly handle wildcard certificates, or does not properly handle chained CA signatures. Either way, it needs to be fixed. Can anyone confirm/clarify this, so we can put it precisely to FortiNet please? I can' t hand my users a VPN client which give them a certificate security warning! thanks,

    7 replies

    emnoc
    emnoc
    New Member
    August 14, 2013
    You should really be opening a ticket in Fortinet support. Have you checked any release notes for any local conf files that might allow you to be less restrictive on certification validation? And to triple check certificate validation you could use; http://www.sslshopper.com/ssl-checker.html https://ssl-tools.verisign.com/#certChecker But it sounds like the fortivpnclient is jacked up [:' (]
    Jay_Libove
    Jay_LiboveAuthor
    New Member
    August 14, 2013
    Thanks, I have also opened a ticket on this issue. The certificate checks out correctly with sslshopper' s ssl-checker.html. (Let' s just say that I' ve had enough gotcha moments with our chained root CA signatures by now. Sigh. Apache, Cisco, Dell ....) There do not seem to be any local configuration options for the Linux FortiClientSSLVPN client regarding certificate checking. (There' s rather few options for that client for anything). I guess it' s possible that the client relies entirely on a local SSL library, and the local SSL library could have a configuration option about chained root CA certificate signature checking, but that really isn' t the right way to do it for a commercial VPN client. thanks, Jay
    emnoc
    emnoc
    New Member
    August 14, 2013
    I betting your right or the client doesn' t know how to follow the chain. Either way you would think Fortinet would have allowed that. It' s kind of silly if they didn' t allow the client to verify any intermediate certificates. Have you tried another version and on another OS? I also had problems with clients on linux before in the past, but we changed the fortisslvpnclient and those issues went away. They where all connection failures btw and we never even kicked off the ssl-neg. Your problem is totally strange :)
    Jay_Libove
    Jay_LiboveAuthor
    New Member
    August 14, 2013
    The Windows FortiClient for SSL VPN works without error on this same FG SSLVPN service. Android FortiClient 5beta is also happy with it. MacOSX also. So, yes, it' s particular to the Linux FortiClientSSLVPN. With what did you replace the Linux FortiClientSSLVPN for connections from Linux clients to FortiGate VPN servers? thanks.
    emnoc
    emnoc
    New Member
    August 14, 2013
    I used an older version of their client. Still fortinet. So have tried to update the client ? forticlientsslvpn_linux_4.4.2292.tar.gz
    Jay_Libove
    Jay_LiboveAuthor
    New Member
    August 14, 2013
    This is happening with both the most current 4.4.2292 and immediately previous 4.3.22xx clients. We' ll see what FortiNet says to the ticket I opened on this point.
    Jay_Libove
    Jay_LiboveAuthor
    New Member
    September 12, 2013
    Here' s the answer. I apologise for not posting this sooner. There is no option in either the server or the client about this. (The server does have to have the CA cert chain loaded, which is addressed in other threads). The Linux client, although this is undocumented, must have a copy of the chained root certificates stored locally, one certificate per file, in the directory ~/.fctsslvpn_trustca/ in the home directory of every user of the Linux FortiClinet SSL VPN client on every Linux system they use. The format of each certificate file (whose names apparently don' t matter) in ~everyone/.fctsslvpn_trustca/ must be PEM, e.g. encoded between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. When FortiClientSSLVPN runs, it will find these files and create symlinks to them, in the same directory, with hex serialized names, e.g. I created two files named for the certs they contain, and FortiClientSSLVPN created two symlinks: 
     ubuntu@ubuntu-VirtualBox:~/.fctsslvpn_trustca$ ll  total 16  drwxr-xr-x  2 ubuntu ubuntu 4096 Sep  9 11:59 ./  drwxr-xr-x 24 ubuntu ubuntu 4096 Sep 12 16:53 ../  lrwxrwxrwx  1 ubuntu ubuntu   27 Sep  9 11:59 02b2d53d.0 -> DigiCertCA-intermediaCA.crt  lrwxrwxrwx  1 ubuntu ubuntu   24 Sep  9 11:59 244b5494.0 -> DigiCertEVMasterRoot.pem  -rw-r--r--  1 ubuntu ubuntu 2296 Aug 27 12:37 DigiCertCA-intermediaCA.crt  -rw-r--r--  1 ubuntu ubuntu 1367 Aug 27 12:38 DigiCertEVMasterRoot.pem
    When the FortiClientSSLVPN client makes a connection to an SSLVPN server which relies on this certificate chain, a bunch of debugging junk will spew into the text window from which FortiClientSSLVPN was run, and in any case an extra popup will appear with a cryptic message about the hex serialized name of the certificate in use, which must be acknowledged by the user. This will appear every time a connection is made to that SSL VPN server. Not ready for prime time...
    Terms & ConditionsAccessibility statement