Description
This article describes how to block invalid and revoked certificates and test on badssl site.
Solution
Under the SSL/SSH inspection profile, set 'Block' for 'invalid SSL certificates'.
Internal Notes
Forticare ticket# 4666879.
This article describes how to block invalid and revoked certificates and test on badssl site.
Solution
Under the SSL/SSH inspection profile, set 'Block' for 'invalid SSL certificates'.
1) For https://revoked.badssl.com/
The page https://revoked.badssl.com/ is revoked by the Certificate OCSP status check. FortiGate is not doing a strict CRL check, and it is not querying the certificate OCSP by default.
The page https://revoked.badssl.com/ is revoked by the Certificate OCSP status check. FortiGate is not doing a strict CRL check, and it is not querying the certificate OCSP by default.
Enable the OCSP status check via the following config change:
Below config is required to block invalid certificates:
Currently there is no plan to support Public-Key-Pins verification during SSL Inspection.
# config vpn certificate setting2) For https://wrong.host.badssl.com/
set ocsp-option certificate
set ocsp-status enable <-----
set strict-crl-check enable
set strict-ocsp-check enable
end
Below config is required to block invalid certificates:
# config firewall ssl-ssh-profile3) For https://pinning-test.badssl.com/
edit "Block_Invalid"
# config https
set invalid-server-cert block <-----
set sni-server-cert-check strict <-----
end
Currently there is no plan to support Public-Key-Pins verification during SSL Inspection.
FortiGate administrators can manually block such websites using a WebFilter profile if needed.
Internal Notes
Forticare ticket# 4666879.
Related Articles
