FortiClient
js2 (Staff)
Article Id 407693
Description This article describes a case where using a smart-card certificate for SSL VPN authentication fails under TLS v1.3 on Windows 11.
Scope

FortiClient v7.2.8, v7.2.9.

FortiGate v7.4.7.

Solution

SSL VPN debug output on the FortiGate shows the TLS handshake aborting, and the login then being rejected because no client certificate was received:


2025-07-28 14:16:46 [393:root:142b0]disable RSA-PSS sigalgos.
2025-07-28 14:16:46 [393:root:142b0]SSL state:before SSL initialization (106.220.188.184)
2025-07-28 14:16:46 [393:root:142b0]SSL state:fatal decode error (106.220.188.184)
2025-07-28 14:16:46 [393:root:142b0]SSL state:error:(null)(106.220.188.184)
2025-07-28 14:16:46 [393:root:142b0]SSL_accept failed, 1:unexpected eof while reading
2025-07-28 14:16:51 [395:root:142af]No client certificate
2025-07-28 14:16:51 [387:root:142af]no SNI received
2025-07-28 14:16:51 [387:root:142af]client cert requirement: yes
2025-07-28 14:16:52 [387:root:142af]sslvpn_update_user_group_list:1792 cert peer check failed, ignore peer user group(s) which has set user-peer in auth rules
2025-07-28 14:16:52 [387:root:142af]sslvpn_update_user_group_list:1850 got user (6:0), group (6:0), peer group (1) after update.
2025-07-28 14:16:52 [387:root:142af]sslvpn_authenticate_cert_start:391 No client certificate received.
2025-07-28 14:16:52 [387:root:142af]sslvpn_authenticate_cert_start:391 No client certificate received.
2025-07-28 14:16:52 [387:root:142af]login_failed:480 user[e26flb1],auth_type=32768 failed [sslvpn_login_cert_checked_error]

FortiGate configuration at the time of the failure (TLS 1.3 is the highest version the SSL VPN will negotiate):

kaon-kvm46 # config vpn ssl settings
kaon-kvm46 (settings) # show full | grep ssl
config vpn ssl settings
    set ssl-max-proto-ver tls1-3 
    set ssl-min-proto-ver tls1-2
    set ssl-insert-empty-fragment enable
    set ssl-client-renegotiation disable

As a workaround, cap the SSL VPN at TLS 1.2 by setting ssl-max-proto-ver to tls1-2 (ssl-min-proto-ver is already tls1-2, so no older version becomes negotiable). Note that the debug prints "disable RSA-PSS sigalgos" immediately before the handshake fails: TLS 1.3 (RFC 8446) only permits RSA-PSS, not RSASSA-PKCS1-v1_5, for the CertificateVerify signature a client produces with an RSA certificate, whereas TLS 1.2 still accepts PKCS#1 v1.5 signatures, which is consistent with the same smart-card certificate working once TLS 1.3 is no longer negotiated. The setting applies to every SSL VPN client on the FortiGate, not only the smart-card users.

config vpn ssl settings
    set ssl-max-proto-ver tls1-2
end
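The following is an added triage script, not code from this article or from Fortinet. It parses the debug lines and the `config vpn ssl settings` output quoted above (copied into the script as constructed sample input), flags the combination seen in this case (client certificate required, none received, handshake aborted, TLS 1.3 allowed as the maximum version) and emits the workaround CLI. The `Triage` class, its field names and the matching rule are this script's own assumptions, not a FortiOS schema.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input constructed from the debug output quoted in this article.
DEBUG_LOG = """\
2025-07-28 14:16:46 [393:root:142b0]disable RSA-PSS sigalgos.
2025-07-28 14:16:46 [393:root:142b0]SSL state:before SSL initialization (106.220.188.184)
2025-07-28 14:16:46 [393:root:142b0]SSL state:fatal decode error (106.220.188.184)
2025-07-28 14:16:46 [393:root:142b0]SSL_accept failed, 1:unexpected eof while reading
2025-07-28 14:16:51 [395:root:142af]No client certificate
2025-07-28 14:16:51 [387:root:142af]client cert requirement: yes
2025-07-28 14:16:52 [387:root:142af]sslvpn_authenticate_cert_start:391 No client certificate received.
2025-07-28 14:16:52 [387:root:142af]login_failed:480 user[e26flb1],auth_type=32768 failed [sslvpn_login_cert_checked_error]
"""

# Sample input constructed from the 'show full' output quoted in this article.
SSL_SETTINGS = """\
config vpn ssl settings
    set ssl-max-proto-ver tls1-3
    set ssl-min-proto-ver tls1-2
    set ssl-insert-empty-fragment enable
    set ssl-client-renegotiation disable
end
"""

# Debug lines look like "<date> <time> [<pid>:<vdom>:<id>]<message>".
DEBUG_LINE = re.compile(r"^\S+ \S+ \[[^\]]*\](?P<msg>.*)$")
LOGIN_FAILED = re.compile(r"login_failed:\d+ user\[(?P<user>[^\]]*)\].*failed \[(?P<reason>[^\]]+)\]")
PROTO_SETTING = re.compile(r"^\s*set (?P<key>ssl-(?:max|min)-proto-ver)\s+(?P<val>\S+)")


@dataclass
class Triage:
    """Facts pulled from the debug output and the SSL VPN settings (this script's own schema)."""
    rsa_pss_disabled: bool = False
    handshake_failed: bool = False
    client_cert_required: bool = False
    client_cert_received: bool = True
    failed_logins: Dict[str, str] = field(default_factory=dict)  # user -> failure reason
    max_proto: Optional[str] = None
    min_proto: Optional[str] = None

    def matches_tls13_client_cert_case(self) -> bool:
        """True when the symptom pattern from this article is present and TLS 1.3 is allowed."""
        return (self.max_proto == "tls1-3"
                and self.client_cert_required
                and not self.client_cert_received
                and self.handshake_failed)

    def workaround(self) -> List[str]:
        """CLI lines that cap the SSL VPN at TLS 1.2, or nothing if the pattern is absent."""
        if not self.matches_tls13_client_cert_case():
            return []
        return ["config vpn ssl settings", "    set ssl-max-proto-ver tls1-2", "end"]


def parse_debug(log: str, t: Triage) -> Triage:
    """Fill the handshake / certificate fields of t from sslvpn debug lines."""
    for raw in log.splitlines():
        m = DEBUG_LINE.match(raw)
        if not m:
            continue  # not a debug line (blank, prompt, etc.)
        msg = m.group("msg").strip()
        if msg.startswith("disable RSA-PSS sigalgos"):
            t.rsa_pss_disabled = True
        elif msg.startswith("SSL_accept failed") or "fatal decode error" in msg:
            t.handshake_failed = True
        elif msg.startswith("client cert requirement:"):
            t.client_cert_required = msg.endswith("yes")
        elif "No client certificate" in msg:
            t.client_cert_received = False
        else:
            lf = LOGIN_FAILED.search(msg)
            if lf:
                t.failed_logins[lf.group("user")] = lf.group("reason")
    return t


def parse_ssl_settings(cfg: str, t: Triage) -> Triage:
    """Read ssl-max-proto-ver / ssl-min-proto-ver from 'config vpn ssl settings' output."""
    for line in cfg.splitlines():
        m = PROTO_SETTING.match(line)
        if m and m.group("key") == "ssl-max-proto-ver":
            t.max_proto = m.group("val")
        elif m:
            t.min_proto = m.group("val")
    return t


def triage(log: str, cfg: str) -> Triage:
    t = Triage()
    parse_debug(log, t)
    parse_ssl_settings(cfg, t)
    return t


if __name__ == "__main__":
    result = triage(DEBUG_LOG, SSL_SETTINGS)
    print(result)
    print("\n".join(result.workaround()))
```

Feed it the raw `diagnose debug application sslvpn` output and the `show full` of `config vpn ssl settings` from the affected unit; once `ssl-max-proto-ver` is `tls1-2` the matching rule no longer fires, which is the check to run after applying the workaround.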