FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mramalinga
Staff
Description
This article describes how to block invalid and revoked server certificates and how to test the configuration against the badssl.com test site.

Solution
Under the SSL/SSH inspection profile, set 'Block' for 'invalid SSL certificates'.
1) For https://revoked.badssl.com/

The certificate served by https://revoked.badssl.com/ is revoked, which is only detected by a certificate OCSP status check. By default, FortiGate neither performs a strict CRL check nor queries the certificate's OCSP responder, so the page is allowed unless OCSP checking is enabled.

Enable the OCSP status check via the following config change:
# config vpn certificate setting
    set ocsp-option certificate
    set ocsp-status enable           <-----
    set strict-crl-check enable
    set strict-ocsp-check enable
end

2) For https://wrong.host.badssl.com/

The following configuration is required to block invalid certificates, including certificates whose names do not match the SNI requested by the client:
# config firewall ssl-ssh-profile
    edit "Block_Invalid"
        config https
            set invalid-server-cert block    <-----
            set sni-server-cert-check strict <-----
        end
    next
end

3) For https://pinning-test.badssl.com/

Currently there is no plan to support Public-Key-Pins verification during SSL Inspection.
FortiGate administrators can manually block such websites using a WebFilter profile if needed.
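The three badssl tests above can be reasoned about without a lab. The following Python script is an added example, not code from Fortinet or from this article: it models the server-certificate checks an inspection profile applies (issuer trust, validity period, SNI-to-name match with wildcard rules, OCSP revocation) and evaluates constructed stand-in certificates for the three badssl hosts under the settings named on the page. The Policy and ServerCert classes, the serial numbers, the revoked-serial set and the semantics assumed for sni-server-cert-check (strict blocks a mismatch, enable only records it) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ServerCert:
    """Certificate fields relevant to the checks (constructed, not real badssl certificates)."""
    subject_cn: str
    sans: list
    not_before: datetime
    not_after: datetime
    serial: str
    issuer_trusted: bool = True


@dataclass
class Policy:
    """Subset of the FortiOS SSL/SSH profile and certificate settings shown on the page."""
    invalid_server_cert: str = "block"      # allow | block
    sni_server_cert_check: str = "strict"   # disable | enable | strict
    ocsp_status: bool = False               # 'set ocsp-status enable' is off by default


def hostname_matches(pattern, host):
    """RFC 6125 style name match: exact, or a single leftmost wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label and must leave at least two fixed labels,
    # so *.badssl.com matches wrong.badssl.com but not wrong.host.badssl.com
    return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def evaluate(policy, cert, sni, revoked_serials, now):
    """Return (action, findings) for one inspected TLS handshake."""
    findings = []
    if not cert.issuer_trusted:
        findings.append("untrusted-issuer")
    if not (cert.not_before <= now <= cert.not_after):
        findings.append("outside-validity-period")
    names = cert.sans if cert.sans else [cert.subject_cn]
    if policy.sni_server_cert_check != "disable" and not any(hostname_matches(n, sni) for n in names):
        # Assumption: 'strict' treats a mismatch as invalid, 'enable' only records it
        findings.append("sni-mismatch" if policy.sni_server_cert_check == "strict" else "sni-mismatch-logged")
    # Revocation is only visible when OCSP status checking is enabled
    if policy.ocsp_status and cert.serial in revoked_serials:
        findings.append("revoked")
    blocking = [f for f in findings if f != "sni-mismatch-logged"]
    if blocking and policy.invalid_server_cert == "block":
        return "block", findings
    return "allow", findings


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VALID = (datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2025, 1, 1, tzinfo=timezone.utc))

# Constructed stand-ins for the three badssl hosts discussed on the page
CERTS = {
    "revoked.badssl.com": ServerCert("revoked.badssl.com", ["revoked.badssl.com"], *VALID, serial="REV-01"),
    "wrong.host.badssl.com": ServerCert("*.badssl.com", ["*.badssl.com", "badssl.com"], *VALID, serial="WC-02"),
    # The pinning test serves a well-formed, trusted certificate; only the HPKP header is wrong
    "pinning-test.badssl.com": ServerCert("pinning-test.badssl.com", ["pinning-test.badssl.com"], *VALID, serial="PIN-03"),
}
REVOKED = {"REV-01"}  # constructed answer set standing in for OCSP 'revoked' responses


def run_badssl_cases(policy):
    """Evaluate every constructed host under one policy; keys are the SNI the client sent."""
    return {host: evaluate(policy, cert, host, REVOKED, NOW) for host, cert in CERTS.items()}


if __name__ == "__main__":
    for label, policy in (("defaults", Policy()), ("ocsp enabled", Policy(ocsp_status=True))):
        print(f"== {label} ==")
        for host, (action, findings) in run_badssl_cases(policy).items():
            print(f"{host:28} {action:5} {findings}")
```

With the default policy the revoked host is allowed because no revocation lookup happens; enabling ocsp_status turns it into a block, the wrong-host certificate is blocked by the strict SNI check, and the pinning test stays allowed by every certificate check, which is why the page points to a WebFilter profile for that case.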

Internal Notes
Forticare ticket# 4666879.

Related Articles

Technical Tip: FortiGate strict CRL check
