Show Original Server Certificate from SSL server when SSL Inspection is enabled

Forum|Forum|10 years ago
March 11, 2016
1 reply
12777 views

Verifying server certificate on SSL Inspection's "diagnose debug application fnbamd -1" does not show the certificate in my 5.2.6.

Additionally, Fortinet has wisely decided to remove "diagnose debug application ssl" and "diagnose test application sslworker" - it's no longer available in 5.2.6. "More is less".

So, how can I determine Original Server Certificate offered by origin-server?

hop_FTNT

Staff

Certificate information from "diagnose debug application fnbamd -1" can be seen only at the first time visiting the website.

Due to code improvement, sslworker has been removed. So does the debug command of it. Some debug functions are merged in "dia test application proxyworker".

500D_UP (global) # dia test application proxyworker Proxy Worker 0 - worker: pw 0:s Proxy Worker Test Usage pw 0:s pw 0:s 1: Dump Memory Usage pw 0:s 2: Dump vdom list pw 0:s 3: Display pid pw 0:s 4: Display stats for all protocols pw 0:s 13: Clear SSL exempt cache pw 0:s 14: Clear SSL bypass cache pw 0:s 42: Dump SSL exempt and bypass cache pw 0:s 43: Dump SSL session list pw 0:s 4444: Display per vdom stats for all protocols pw 0:s 5: Display debug log stats pw 0:s 6: Toggle Print Stat mode every ~40 seconds pw 0:s 88: Toggle statistic recording pw 0:s 94: Disable SO_LINGER pw 0:s 95: Enable SO_LINGER pw 0:s 96: Disable Nagle for SSL connections (default) pw 0:s 97: Enable Nagle for SSL connections pw 0:s 99: Restart proxy

AlexFerenAuthor

New Member

> Certificate information from "diagnose debug application fnbamd -1" can be seen only at the first time visiting the website.

That is not what I see, observe:

On Fortigate:

FG60C (global) # diagnose debug application fnbamd -1 FG60C (global) # diagnose debug enable

On client:

$ curl -Ik https://www.mattel.com HTTP/1.1 503 Service Unavailable Content-Type: text/html Cache-Control: no-cache Content-Length: 770 X-Iinfo: 10-18487729-0 0NNN RT(1458015904641 9) q(0 -1 -1 1) r(0 -1) U5 Date: Tue, 15 Mar 2016 04:25:04 GMT Connection: keep-alive Set-Cookie: visid_incap_726338=3gUyqZR2Td2naIr6x0ts4qCO51YAAAAAQUIPAAAAAADc4zmhLi41wqAoQQCC4eTr; expires=Tue, 14 Mar 2017 17:05:25 GMT; path=/; Domain=.x.incapdns.net Set-Cookie: incap_ses_413_726338=NXPoBgXhujHReJH7pUW7BaCO51YAAAAAuyy+buCc4O66hqeirRYwgg==; path=/; Domain=.x.incapdns.net X-Robots-Tag: all

On Fortigate:

fnbamd_fsm.c[2145] handle_req-Rcvd auth_cert req id=671334420 fnbamd_auth.c[1328] check_cert-following cert chain depth 0 fnbamd_auth.c[1328] check_cert-following cert chain depth 1 fnbamd_auth.c[1608] cert_check_group_list-group list is null fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 671334420

No server certificate shown!

AlexFerenAuthor

New Member

Confirmed by Fortinet support that certificate information display (by logs or debug) is no longer possible.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded