wafikmaher
New Member
January 10, 2018
Solved

SSL Inspection Untrusted Certificate Issue

  • January 10, 2018
  • 2 replies
  • 16132 views

F-Gate 5.4.1

Inspection Mode: Proxy-based

Sec Profiles: SSL (full-inspections), Web, Proxy.

Client Firefox: version 46,47,56

Symptoms: All HTTPS connections failing.

Firefox error message: Secure Connection Failed

Packet Sniffer result (attached): Client-to-FG => 3-way handshake ok, Client SSL hello, FG ACK, FG RST. FG-to-Server => 3-way handshake

Debug WAD (attached): Failing to load default Untrusted Certificate

Workaround: Use the Fortinet_CA_SSL default certificate (which is by default used for trusted re-sign) for untrusted as well, however this will work

Solution (1): Regenerate the default Untrusted Certificate (not sure if possible). Solution (2): Generate a new self-signed certificate for the Untrusted Certificate (not sure if possible). Solution (3): Generate a new CA-signed certificate for the Untrusted Certificate.

2 replies

Elthon_Abreu
New Member
February 3, 2018

Hi wafikmaher,

How did you get the WAD output? Which command did you use?

wafikmaher (Author, accepted answer)
New Member
February 4, 2018

Hi Elthon,

I used "diagnose debug application wad 255"; you can also use "diagnose debug application wad 130", which is more compact.

Regards,

Wafik

blackhole_route
New Member
February 4, 2018

If you're still on 5.4.1 and doing web-filtering and ssl interception, I would suggest you consider upgrading to a more recent version (5.4.5 has been pretty stable for us in the 5.4 release). IIRC, we saw some very strange ssl signing issues when 5.4.1 was first released. 5.4.4 and then 5.4.5 were much more stable for our deployment doing webfiltering and a small amount of ssl interception.

wafikmaher
New Member
February 4, 2018

Thanks Blackhole.

However, this is a course lab, which needs to run on a certain release, so I was hoping to find an easy workaround that makes sense on the same release: replacing the built-in untrusted certificate with a true self-signed (not CA-signed) certificate, which I still don't know if it is supported on F-Gate, and how. I will try to upgrade and test the lab on 5.4.5.

Baptiste
New Member
February 7, 2018

Hi, you can check or change the untrusted CA on the SSL profile.

Check:

    config firewall ssl-ssh-profile
        edit <profile name>
            get
        end

Change:

    config firewall ssl-ssh-profile
        edit <profile name>
            set untrusted-caname <your cert>
        end
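As an added example (not from any poster in this thread), the shell steps below generate a self-signed CA of the kind Solution (2) asks about, and check that it carries the CA constraints a re-signing CA needs before it is imported into the FortiGate and referenced with "set untrusted-caname". The output paths, the subject name and the use of openssl on an admin workstation are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a self-signed CA that can be
# imported on the FortiGate and selected with "set untrusted-caname".
# Needs OpenSSL 1.1.1+ (for -addext). Paths and subject are assumptions.
set -e

# make_untrusted_ca OUTDIR: writes OUTDIR/untrusted-ca.key and OUTDIR/untrusted-ca.crt
make_untrusted_ca() {
    outdir="$1"
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$outdir/untrusted-ca.key" \
        -out "$outdir/untrusted-ca.crt" \
        -subj "/CN=Lab SSL Inspection Untrusted CA/O=Course Lab" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
}

# check_ca_cert FILE: returns 0 only if FILE is self-signed, marked CA:TRUE
# and permitted to sign certificates; anything else returns 1, so a plain
# server certificate is refused before it reaches the firewall.
check_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    # Self-signed: subject and issuer must be identical
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    printf '%s\n' "$text" | grep -q "CA:TRUE" || return 1
    printf '%s\n' "$text" | grep -q "Certificate Sign" || return 1
    return 0
}
```

Import untrusted-ca.crt together with untrusted-ca.key as a CA certificate on the FortiGate, then point "set untrusted-caname" at the name it was imported under; the key file is a secret and should never be copied to clients.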