montyadams
Staff
Article Id 392810

Description

 

This article describes the purpose of SSL (Secure Sockets Layer) and TLS (Transport Layer Security), their role in network security, and the importance of using Fully Qualified Domain Names (FQDNs) over IP addresses for secure communications and SSL/TLS inspection by FortiGate firewalls.

 

Scope

 

FortiGate.

 

Solution

 

SSL and TLS:

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols designed to secure communications over the Internet. TLS is the direct successor to SSL and the more secure of the two: it was designed to fix SSL's architectural flaws rather than merely patch them, although the term SSL is still commonly used generically.

When people say:

  • 'SSL certificate'.
  • 'SSL VPN'.
  • 'Enable SSL'.

they almost always mean TLS, not SSL. Examples:

  • HTTPS = HTTP over TLS.
  • FortiGate SSL VPN = actually uses TLS 1.2 / 1.3.
  • The term SSL remains only for historical and marketing reasons.

 

HTTPS vs HTTP:

Protocol   Secure?   Uses SSL/TLS?   Browser Display
http://    No        No              No padlock
https://   Yes       Yes             Padlock

 

How the browser verifies that the certificate belongs to the site:

The browser looks at two certificate fields to decide whether the certificate belongs to the site.
The preferred field is the Common Name (CN). This is the most common field for this purpose, although it behaves the same way as the SAN.
The other field is the Subject Alternative Name (SAN). It allows one certificate to cover multiple domains.
An IP address can also be placed in this field instead of a domain. As long as the host in the URL matches at least one of these fields, the domain or IP matches the certificate.

 

Best practice is to use an FQDN, even though an IP address will work and does not in itself raise a security concern.
Most certificates carry only the FQDN and not the IP address, so connecting by IP address is likely to produce a certificate error.
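To make the CN/SAN matching described above concrete, here is an added example (not code from the original article or from Fortinet) that performs the name check a client does against the certificate fields. The certificates are constructed sample dictionaries in the shape returned by Python's ssl.SSLSocket.getpeercert(); the hostnames and the 203.0.113.0/24 addresses are documentation values, not real systems. It follows the RFC 6125 rule that the CN is consulted only when the certificate carries no DNS SAN entries, and it shows why a certificate that lists only an FQDN fails when the site is opened by IP address.

```python
import ipaddress

# Constructed sample certificates (not real), in getpeercert() shape.
CERT_FQDN_ONLY = {
    "subject": ((("commonName", "vpn.example.test"),),),
    "subjectAltName": (("DNS", "vpn.example.test"), ("DNS", "*.example.test")),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "vpn.example.test"),),),
    "subjectAltName": (("DNS", "vpn.example.test"), ("IP Address", "203.0.113.10")),
}
CERT_CN_ONLY = {  # legacy certificate with no SAN extension at all
    "subject": ((("commonName", "legacy.example.test"),),),
}
CERT_SAN_OVERRIDES_CN = {  # CN differs from the SAN; the SAN is authoritative
    "subject": ((("commonName", "old.example.test"),),),
    "subjectAltName": (("DNS", "new.example.test"),),
}


def _dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match; '*' is allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject '*.com'-style patterns and wildcards that would span several labels.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _common_name(cert):
    """Extract the subject CN from the nested RDN tuples, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def host_matches_cert(cert, host):
    """Return True if `host` (an FQDN or an IP literal) is covered by the certificate."""
    sans = cert.get("subjectAltName", ())
    ip = _parse_ip(host)
    if ip is not None:
        # An IP literal can only be matched by an 'IP Address' SAN entry;
        # a CN is never interpreted as an IP address.
        return any(kind == "IP Address" and _parse_ip(value) == ip for kind, value in sans)
    dns_sans = [value for kind, value in sans if kind == "DNS"]
    if dns_sans:
        return any(_dns_match(pattern, host) for pattern in dns_sans)
    # Fall back to the CN only when there are no DNS SAN entries (RFC 6125 s.6.4.4).
    cn = _common_name(cert)
    return cn is not None and _dns_match(cn, host)


if __name__ == "__main__":
    checks = [
        (CERT_FQDN_ONLY, "vpn.example.test"),
        (CERT_FQDN_ONLY, "203.0.113.10"),      # FQDN-only cert opened by IP: mismatch
        (CERT_WITH_IP_SAN, "203.0.113.10"),    # IP listed in the SAN: match
        (CERT_CN_ONLY, "legacy.example.test"),
        (CERT_SAN_OVERRIDES_CN, "old.example.test"),
    ]
    for cert, host in checks:
        print(f"{host:22} -> {'match' if host_matches_cert(cert, host) else 'MISMATCH'}")
```

The second check is the situation the text warns about: the certificate is valid, but because it names only the FQDN, a client that was pointed at the IP address has nothing to match and raises a certificate error.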

 

FortiGate and SSL/TLS:

FortiGates can inspect encrypted traffic using SSL Inspection to detect threats hidden in HTTPS sessions.

  • Certificate Inspection: Validates server certificates without decrypting the session.
  • Full SSL Inspection: Decrypts, scans, and re-encrypts traffic to ensure security.

 

Note:

Certain services, such as banking or backup applications, should be excluded from Full SSL Inspection to prevent disruption or data corruption.

 

SSL/TLS best practices:

  • Use https:// for all secure connections.
  • Avoid using IP addresses in SSL/TLS-enabled applications.
  • Ensure all devices support current TLS versions.
  • Do not bypass certificate warnings in browsers or applications.
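The last two best practices, requiring current TLS versions and never bypassing certificate validation, look like this in a client. This is an added example using only Python's standard ssl module; it is not part of the original article. It places the hardened configuration beside the "just ignore the warning" anti-pattern so the difference in the resulting context settings is visible.

```python
import ssl


def hardened_client_context():
    """Client context that enforces TLS 1.2+ and full certificate and hostname validation."""
    # PROTOCOL_TLS_CLIENT already enables check_hostname and CERT_REQUIRED.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.load_default_certs()                       # trust the platform CA store
    return ctx


def bypassing_client_context():
    """The anti-pattern the best practices warn against: any certificate, any name, any version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # silences every certificate error, including name mismatches
    return ctx


def summarize(ctx):
    """Report the three settings that decide whether a connection is actually validated."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


if __name__ == "__main__":
    print("hardened :", summarize(hardened_client_context()))
    print("bypassing:", summarize(bypassing_client_context()))
```

With the hardened context, a server that presents a certificate for the wrong name, an untrusted issuer, or only SSLv3/TLS 1.0 causes the handshake to fail instead of silently proceeding; the bypassing context accepts all of them, which is exactly what clicking through a browser warning does.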

 

Conclusion:

SSL and TLS protocols are essential for protecting data in transit. Their effectiveness depends on proper implementation and adherence to best practices, including using FQDNs instead of IP addresses. FQDNs ensure proper validation, inspection, and scalability across modern networks secured by FortiGate firewalls.

  • SSL is outdated because it is fundamentally insecure.
  • TLS fixes SSL’s design flaws and adds modern cryptography.
  • TLS 1.2 / 1.3 is the only acceptable standard today.
  • 'SSL' today is just a legacy name, not the protocol in use.

 

Related documents:

Getting started

What is TLS? (Cloudflare)

How HTTPS Works (Let’s Encrypt)

Comments
GILMENDO
Staff & Editor

great job thank you Monty!