Description
By default, the certificate used for HTTPS web GUI management and the SSL VPN web portal is signed with SHA-1 as the hash algorithm.
Vulnerability scanners report this as a finding (CVE-2004-2761).
A certificate signed with SHA-1 is considered insecure because SHA-1 is susceptible to collision attacks.
This weakness (CVE-2004-2761) could allow an attacker to forge a certificate that carries a valid-looking signature and use it to impersonate (spoof) the device.
Browser vendors such as Microsoft, Google and Mozilla committed to completely deprecating acceptance of SHA-1 signed certificates in their browsers by 2017 because of these known weaknesses.
Solution
1. To mitigate this finding, generate your own self-signed certificate with a SHA-256 signature.
2. The self-signed certificate can be generated with open source software (e.g. OpenSSL).
3. After the self-signed certificate has been generated, import it into the FortiGate firewall.
4. Steps:
- Download OpenSSL from the Internet.
- Generate a private key using OpenSSL.
# openssl.exe genrsa -out private.key 2048
- Generate a CSR using OpenSSL.
# openssl.exe req -out mycsr.csr -key private.key -new -sha256
- A private key and a CSR are now available.
- Check the hash algorithm used to sign the CSR.
# openssl.exe req -in mycsr.csr -noout -text
- The "Signature Algorithm" field should now show "sha256WithRSAEncryption". The -sha256 option in the previous command selects it; without that option, OpenSSL releases before 1.1.0 default to SHA-1.
- Create a self-signed certificate from the CSR and the private key, again signed with SHA-256 (the -sha256 option).
# openssl x509 -req -sha256 -days 365 -in mycsr.csr -signkey private.key -out mycert.crt
- At this point, three items are available:
# private key (private.key)
# certificate signing request (mycsr.csr)
# self-signed certificate (mycert.crt)
- Import the certificate into the FortiGate:
# Log into the FortiGate via Webgui.
# Go to System > Certificates > Local Certificates
# Click on "Import".
# Select "Certificate".
# For "Certificate file", choose mycert.crt.
# For "Key file", choose private.key.
# For "Password", enter the passphrase protecting private.key; leave it blank if the key was generated without one, as the genrsa command above does.
# For "Certificate Name", enter a preferred name (e.g. mycert). This name is what the CLI commands below refer to.
# Click "OK" to save the configuration.
# Log into the FortiGate via SSH.
# To change the HTTPS web GUI management certificate, enter the following commands (replace mycert with the Certificate Name entered at import):
config system global
set admin-server-cert mycert
end
# To change the SSLVPN web portal certificate, type in the commands:
config vpn ssl setting
set servercert mycert
end
5. The certificate used for HTTPS web GUI management and the SSL VPN web portal is now signed with SHA-256.
6. This mitigates the finding (CVE-2004-2761). Note that because the certificate is self-signed, browsers will still warn about an untrusted issuer unless the certificate is installed in the clients' trust stores; where possible, have the CSR signed by an internal or public CA (with SHA-256) instead of self-signing it, and import the issued certificate together with private.key in the same way.
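The OpenSSL part of the procedure above, scripted end to end with a check of the signature algorithm on both the CSR and the certificate before anything is imported into the FortiGate. This is an added example, not code from the Fortinet article: the output directory, the CN "fortigate.example.local", the function names and the SHA-1 contrast case are this example's own assumptions, and the file names match the steps above so the results can be imported as described.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): generate a SHA-256-signed
# self-signed certificate with OpenSSL and verify it before importing it.
# Assumed: output directory, CN and helper names are this example's choices.
set -eu

# gen_selfsigned DIR CN DAYS DIGEST
# Creates DIR/private.key, DIR/mycsr.csr and DIR/mycert.crt, signing the CSR
# and the certificate with DIGEST (sha256 for the fix, sha1 only for contrast).
gen_selfsigned() {
    dir=$1
    cn=$2
    days=$3
    digest=$4
    mkdir -p "$dir"
    # 2048-bit RSA key, unencrypted. Add -aes256 to protect it with a
    # passphrase; that passphrase is then the "Password" on the import page.
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
    # CSR; -subj answers the interactive prompts non-interactively.
    openssl req -new "-$digest" -key "$dir/private.key" -subj "/CN=$cn" \
        -out "$dir/mycsr.csr"
    # Self-signed certificate; the digest option is what replaces SHA-1.
    openssl x509 -req "-$digest" -days "$days" -in "$dir/mycsr.csr" \
        -signkey "$dir/private.key" -out "$dir/mycert.crt" 2>/dev/null
}

# csr_sig_alg FILE: prints the CSR's signature algorithm name,
# e.g. sha256WithRSAEncryption (step "Check the hashing algorithm" above).
csr_sig_alg() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_sig_alg FILE: the same check on the final certificate, which is what
# the scanner actually sees once it is installed on the FortiGate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# is_weak_sig_alg NAME: returns 0 when NAME is a SHA-1 or MD5 signature.
is_weak_sig_alg() {
    case "$1" in
        sha1*|md5*|*SHA1*|*MD5*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_cert FILE: returns 0 and reports OK when FILE is not SHA-1/MD5 signed.
check_cert() {
    alg=$(cert_sig_alg "$1")
    if is_weak_sig_alg "$alg"; then
        echo "REJECT: $1 is signed with $alg" >&2
        return 1
    fi
    echo "OK: $1 is signed with $alg"
}

# Build the certificate to import (SHA-256, valid one year) and verify it.
OUT=${OUT_DIR:-./fortigate-cert}
gen_selfsigned "$OUT" fortigate.example.local 365 sha256
echo "CSR signed with: $(csr_sig_alg "$OUT/mycsr.csr")"
check_cert "$OUT/mycert.crt"

# For contrast, a SHA-1 certificate like the FortiGate default must be
# rejected. Newer OpenSSL builds may refuse to create SHA-1 signatures at all.
if gen_selfsigned "$OUT/sha1-demo" fortigate.example.local 365 sha1 2>/dev/null; then
    check_cert "$OUT/sha1-demo/mycert.crt" || echo "(rejected as expected)"
else
    echo "this OpenSSL build refuses to create SHA-1 signatures"
fi
```

Run it once and import fortigate-cert/mycert.crt and fortigate-cert/private.key on the Certificate import page; since the key is generated without a passphrase, leave the Password field empty. Only private.key is sensitive: the CSR and the certificate are public, but the key file must stay readable only by the administrator who performs the import.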