anoushiravan
Staff
Article Id 276822
Description This article describes how to resolve SSL VPN connection issues when using X.509 certificates signed with SHA-1.
Scope FortiGate, FortiClient.
Solution

In v7.4.x, FortiOS uses OpenSSL v3.0, in which X.509 certificates signed using SHA-1 are no longer allowed at security level 1 (the default level) and above.

 

To have a successful SSL VPN connection via FortiClient, set the minimum TLS version to tls1-1, which lowers the security level to 0:

 

config vpn ssl settings
    set ssl-min-proto-ver tls1-1
end

 

Using SHA-1 certificates is strongly discouraged due to known vulnerabilities. It is recommended to generate and deploy certificates signed with SHA-256 or higher. Note that setting ssl-min-proto-ver to tls1-1 also allows SSL VPN clients to negotiate TLS 1.1.

 

Related article:

Technical Tip: FortiOS deprecated support for SHA-1 certificate for SSL VPN