FortiAnalyzer
bksol92
Staff
Article Id 323411
Description

This article describes what happens when the custom certificate that FortiGate presents during OFTP negotiation with FortiAnalyzer was issued for an unsupported purpose (its extendedKeyUsage does not include clientAuth), how the failure shows up on both devices, and how to issue a certificate that FortiAnalyzer will accept.

Scope

FortiAnalyzer v7.4.

Solution

FortiGate is configured to present a custom (locally installed) certificate when it initiates the OFTP session with FortiAnalyzer:

config log fortianalyzer setting
    set status enable
    set server "10.47.3.218"
    set serial "FAZ-VM0000xxxxxx"
    set certificate "localcert.crt"
    set reliable enable
end

 

FortiAnalyzer has the CA certificate that signed the FortiGate certificate installed, so the certificate chain itself can be built:

[Screenshot ca-cert.PNG: the CA certificate installed on FortiAnalyzer]

However, when FortiGate tries to initiate OFTP negotiation, the following error appears in the oftpd debug output on FortiAnalyzer (diagnose debug application oftpd 8 together with diagnose debug enable):

[T4745:oftps.c:301] TLSv1.3 write server certificate verify
[T4745:oftps.c:301] SSLv3/TLS write finished
[T4745:oftps.c:301] TLSv1.3 early data
[T4746:oftps.c:301] TLSv1.3 early data
[T4746:oftps.c:524] VERIFY ERROR: depth=0, error=unsuitable certificate purpose: /C=MY/ST=England/O=Some Organization/CN=not-an-ssl-client
[T4746:oftps.c:322] SSL Alert write: fatal unsupported certificate
[T4746:oftps.c:332] error
[T4746:oftps.c:351] Error error:0A000086:SSL routines::certificate verify failed
[T4746:oftps.c:1865 :10.47.1.117] SSL accept failed. SSL_accept()=-1 SSL_get_error()=5
[T4746:oftps.c:2018 :10.47.1.117] SSL pid[4699] ssl[0x7f7628055bf0] shuting down sockfd[29] ip[10.47.1.117] connected[1]
[T4746:oftps.c:2031 :10.47.1.117] SSL_shutdown Error. SSL_get_error[1]
[T4746:oftps.c:2034] Error error:0A000197:SSL routines::shutdown while in init

FortiAnalyzer is the TLS server in this exchange and validates the certificate FortiGate presents against the SSL client purpose. The failure is reported at depth=0, that is, on FortiGate's own certificate (CN=not-an-ssl-client) rather than on the CA: OpenSSL returns X509_V_ERR_INVALID_PURPOSE ("unsuitable certificate purpose") because the leaf carries an extendedKeyUsage extension that does not list clientAuth. FortiAnalyzer then sends the fatal TLS alert unsupported_certificate and closes the connection before any OFTP traffic is exchanged.


On the FortiGate side, the connectivity test fails with an authentication error:

hub # exe log fortianalyzer test-connectivity
Failed to get FAZ's status. Authentication Failed. (-19)

A closer inspection of the custom certificate in FortiGate shows that it was not issued with the clientAuth purpose (its extendedKeyUsage does not include TLS Web Client Authentication):

[Screenshot ssl-client.PNG: purposes of the custom certificate, showing it is not valid as an SSL client]

To resolve this, make sure that the certificate is issued for SSL client authentication. If OpenSSL is used, add clientAuth to the extendedKeyUsage field in the root CA configuration file, under the extension section used when signing local certificates, and then sign a CSR with the root CA once more. The extension is applied to the leaf certificate at signing time from that section, not taken from the CSR, so the CA certificate itself does not need to change. Keep any purpose the certificate already needs (for example serverAuth) alongside clientAuth: extendedKeyUsage is a restriction, and once it is present the certificate is only valid for the purposes listed.

Once a new certificate has been generated, verify that it is configured for SSL client purposes before importing it:

# openssl x509 -noout -text -purpose -in <new-cert>

In the -text part of the output the extension should read "X509v3 Extended Key Usage: TLS Web Client Authentication" (possibly alongside other purposes), and the "Certificate purposes:" list at the end should show "SSL client : Yes".

[Screenshot yes.PNG: openssl purpose output with SSL client : Yes]

Install the new certificate (together with its private key) as a local certificate in FortiGate and select it in the set certificate line of the config log fortianalyzer setting shown above. FortiGate should then be able to establish OFTP communication with FortiAnalyzer.

On FortiAnalyzer, the handshake now completes:

[T14463:oftps.c:301] TLSv1.3 write server certificate verify
[T14463:oftps.c:301] SSLv3/TLS write finished
[T14463:oftps.c:301] TLSv1.3 early data
[T14461:oftps.c:301] TLSv1.3 early data
[T14461:oftps.c:549] VERIFY OK: depth=1, /C=MY/ST=England/O=Some Organization/CN=some-org-ca
[T14461:oftps.c:549] VERIFY OK: depth=0, /C=MY/ST=England/O=Some Organization/CN=local-cert
[T14461:oftps.c:301] SSLv3/TLS read client certificate
[T14461:oftps.c:301] SSLv3/TLS read certificate verify
[T14461:oftps.c:301] SSLv3/TLS read finished
[T14461:oftps.c:301] SSLv3/TLS write session ticket
[T14461:oftps.c:301] SSLv3/TLS write session ticket

Both the CA (depth=1) and the new local certificate (depth=0) verify, FortiAnalyzer reads the client certificate and certificate verify messages, and the handshake finishes with session tickets.

On FortiGate, the connectivity test now succeeds:

hub # exe log fortianalyzer test-connectivity
FortiAnalyzer Host Name: FortiAnalyzer
FortiAnalyzer Adom Name: root
FortiGate Device ID: FGVM
Registration: registered
Connection: allow
