FortiGate
duenlim
Staff
Article Id 289042
Description This article describes why it is no longer possible to access SSL VPN after upgrading to v7.2.5, v7.4 or above.
Scope FortiGate v7.2.5, v7.4 and above.
Solution

SHA-1 is considered a deprecated hashing algorithm; see 'Technical Tip: SHA versions for SSL Certificates and Limitations'.

FortiOS 7.2.5 and 7.4 use OpenSSL 3.0, in which X.509 certificates signed using SHA-1 are no longer accepted at security level 1 (the default level) and above.
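The following added example (not Fortinet's code, and not from this article) shows how to find the certificates that trigger this rejection before upgrading: it walks just enough DER to read a certificate's outer signatureAlgorithm and flags SHA-1 based OIDs, the ones OpenSSL 3.0 refuses at security level 1. It uses only the Python standard library; the OID table and the constructed test skeleton are the example's own assumptions.

```python
# Added example (not Fortinet's code): report a certificate's outer signatureAlgorithm so SHA-1-signed
# certificates, rejected by OpenSSL 3.0 at security level >= 1, are found before a FortiOS 7.2.5/7.4 upgrade.
SIG_OIDS = {                                   # RFC 3279 / 4055 / 5758 signature OIDs
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OID content octets to dotted form (first octet packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of Certificate.signatureAlgorithm, the SEQUENCE right after tbsCertificate."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (base64-decode the PEM body first)")
    _, _, pos = _tlv(cert, 0)                  # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)                # AlgorithmIdentifier
    tag, oid, _ = _tlv(alg, 0)                 # its first element is the algorithm OID
    return _decode_oid(oid)

def check_cert(der):
    """Return (algorithm name, True if OpenSSL 3.0 security level 1 rejects it)."""
    oid = signature_algorithm(der)
    name = SIG_OIDS.get(oid, "unknown " + oid)
    return name, "sha1" in name.lower()

# Constructed test skeleton, not a real certificate: SEQUENCE { tbs SEQUENCE {}, sigAlg, BIT STRING }.
def skeleton(oid_der):
    alg = b"\x30" + bytes([len(oid_der) + 2]) + oid_der + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body

SHA1_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5
SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
```

Real certificates are fed in as DER (base64-decode the PEM body first); for a one-off check, 'openssl x509 -in cert.pem -noout -text' prints the same 'Signature Algorithm' line.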

The error message from 'diagnose debug application sslvpn -1' is as follows:

No client certificate

In packet captures taken on the client machines, the client certificate is not present.

To work around it, under 'vpn ssl settings', apply 'set ssl-min-protocol to tls1-1', which lowers the security level to 0. This is strongly discouraged unless strictly necessary.

Refer to 'Generate a new certificate' to generate a certificate signed with at least SHA-256 for SSL VPN.