Description

This article describes how to block invalid and revoked certificates and how to test the configuration against the badssl.com test sites.

Solution

Under the SSL/SSH inspection profile, set 'Block' for 'invalid SSL certificates'.
1) For https://revoked.badssl.com/
The certificate served by https://revoked.badssl.com/ is revoked, which is only detected by a certificate OCSP status check. By default FortiGate does not perform a strict CRL check and does not query the certificate's OCSP responder, so the site is not blocked.
Enable the OCSP status check with the following configuration change:
# config vpn certificate setting
    set ocsp-option certificate
    set ocsp-status enable <-----
    set strict-crl-check enable
    set strict-ocsp-check enable
end
2) For https://wrong.host.badssl.com/
The certificate served by https://wrong.host.badssl.com/ is valid but issued for a different host name. The following configuration in the SSL/SSH profile is required to block such invalid certificates:
# config firewall ssl-ssh-profile
    edit "Block_Invalid"
        # config https
            set invalid-server-cert block <-----
            set sni-server-cert-check strict <-----
        end
    next
end
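To verify that a FortiGate's configuration actually contains the settings from steps 1 and 2 (for example when reviewing a `show` export from several units), the following script parses the FortiOS config format and reports any unit or SSL/SSH profile that still falls back to the permissive defaults. This is an added example, not Fortinet's code; the parser and audit rules are written here, and the configuration text it runs on is constructed for the example (it also accepts the '# ' prompt markers and '<-----' annotations used in the article's snippets).

```python
"""Offline audit of FortiGate CLI configuration text for the SSL-inspection
settings described in the article (OCSP/CRL checks and blocking of invalid
server certificates). Added example; not Fortinet code."""
import re
from typing import Dict, List, Tuple

Path = Tuple[str, ...]

# Settings the article enables under 'config vpn certificate setting'.
REQUIRED_CERT_SETTINGS = {
    "ocsp-option": "certificate",
    "ocsp-status": "enable",
    "strict-crl-check": "enable",
    "strict-ocsp-check": "enable",
}
# Settings the article requires under 'config https' of every SSL/SSH profile.
REQUIRED_HTTPS_SETTINGS = {
    "invalid-server-cert": "block",
    "sni-server-cert-check": "strict",
}


def parse_fortios_config(text: str) -> Dict[Path, Dict[str, str]]:
    """Parse FortiOS 'config / edit / set / next / end' blocks into a mapping
    {path: {key: value}}, e.g. ('firewall ssl-ssh-profile', 'Block_Invalid', 'https').
    A leading '# ' prompt and trailing '<-----' annotations (KB-article style)
    are ignored; unknown lines are skipped."""
    tree: Dict[Path, Dict[str, str]] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = re.sub(r"\s*<-+.*$", "", raw).strip()   # drop '<-----' annotations
        if line.startswith("#"):                       # drop CLI prompt marker
            line = line.lstrip("#").strip()
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        if verb == "config":
            stack.append(rest.strip())
        elif verb == "edit":
            stack.append(rest.strip().strip('"'))
            tree.setdefault(tuple(stack), {})          # record entries with no 'set' lines
        elif verb == "set":
            key, _, value = rest.strip().partition(" ")
            tree.setdefault(tuple(stack), {})[key] = value.strip().strip('"')
        elif verb in ("next", "end") and stack:
            stack.pop()
    return tree


def audit(tree: Dict[Path, Dict[str, str]]) -> List[str]:
    """Return one finding per setting that deviates from the article's values.
    Missing keys are reported as 'unset/default', since FortiOS omits defaults."""
    findings: List[str] = []
    cert = tree.get(("vpn certificate setting",), {})
    for key, want in REQUIRED_CERT_SETTINGS.items():
        got = cert.get(key)
        if got != want:
            findings.append(f"vpn certificate setting: {key} is {got or 'unset/default'}, expected {want}")
    profiles = sorted({p[1] for p in tree if len(p) >= 2 and p[0] == "firewall ssl-ssh-profile"})
    for name in profiles:
        https = tree.get(("firewall ssl-ssh-profile", name, "https"), {})
        for key, want in REQUIRED_HTTPS_SETTINGS.items():
            got = https.get(key)
            if got != want:
                findings.append(f"ssl-ssh-profile {name}: https {key} is {got or 'unset/default'}, expected {want}")
    return findings


# Constructed sample: one compliant profile and one that still allows bad certificates.
SAMPLE_CONFIG = """\
config vpn certificate setting
    set ocsp-option certificate
    set ocsp-status enable
    set strict-crl-check enable
    set strict-ocsp-check enable
end
config firewall ssl-ssh-profile
    edit "Block_Invalid"
        config https
            set invalid-server-cert block
            set sni-server-cert-check strict
        end
    next
    edit "Lenient"
        set comment "constructed profile that still allows invalid certificates"
        config https
            set invalid-server-cert allow
        end
    next
end
"""

if __name__ == "__main__":
    for finding in audit(parse_fortios_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run it against the output of `show vpn certificate setting` and `show firewall ssl-ssh-profile` pasted into a file; an empty finding list means every profile on the unit carries the article's settings, and each finding names the profile and setting to correct.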
3) For https://pinning-test.badssl.com/
Currently there is no plan to support Public-Key-Pins (HPKP) verification during SSL inspection.
FortiGate administrators can manually block such websites using a WebFilter profile if needed.
Internal Notes

Forticare ticket# 4666879.

Related Articles
Technical Tip: FortiGate strict CRL check