FortiGate
jangelis (Staff)
Article Id 193297
Description
FortiOS supports the RSA-PSS signature algorithm starting with version 6.0.x.
The recent MS Windows 10 update 2004 (build 19041) introduced new Schannel features, i.e. TLS 1.3 support, including RSA-PSS signatures.

If client authentication is done with crypto cards (smart cards), the card itself must also support the RSA-PSS signature scheme.
When the crypto card does not support RSA-PSS, MS Windows does not fall back to a different signature scheme and the authentication fails.

This is a known issue with the Belgian public eID cards.

Solution
If FortiOS 5.6.x or an older version is currently in use, confirm before upgrading that the crypto card supports the RSA-PSS signature scheme: those versions do not offer RSA-PSS, so the problem only appears after the upgrade to 6.0.x or later.

The workaround was implemented in FortiOS 6.4.5 and is also present in 7.0.x; it stops the SSL VPN from offering RSA-PSS for client certificate authentication:
# config vpn ssl settings
    set client-sigalgs no-rsa-pss
end
If a FortiOS version that supports RSA-PSS but does not include this workaround is already running (FortiOS 6.0.x, 6.2.x), hold back the MS Windows 10 update to version 2004 (build 19041) or newer until the issue is addressed by Microsoft, or move to a FortiOS release that includes the workaround.
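To confirm what the SSL VPN actually offers to clients before and after the change, here is an added example (written for this article, not FortiGate or Fortinet code): a Python script that decodes the supported_signature_algorithms list of a TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4) and flags the RSA-PSS code points, which a card without PSS support cannot produce. Feed it the message body taken from a packet capture or from the -msg output of openssl s_client. The two sample messages inside the script are constructed for illustration and are not captured FortiGate output, and the parser assumes TLS 1.2 (in TLS 1.3 the list is carried in a signature_algorithms extension, which it does not handle).

```python
"""Decode the signature algorithms a TLS 1.2 server offers for client
authentication in its CertificateRequest (RFC 5246, section 7.4.4) and flag
the RSA-PSS code points. Added example: not FortiGate code; the sample
messages below are constructed, not captured from a FortiGate."""
import struct

# SignatureScheme code points from the IANA TLS registry (RFC 8446, 4.2.3);
# the subset relevant to RSA/ECDSA client certificates.
SIGNATURE_SCHEMES = {
    0x0401: "rsa_pkcs1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0809: "rsa_pss_pss_sha256",
    0x080A: "rsa_pss_pss_sha384",
    0x080B: "rsa_pss_pss_sha512",
}
RSA_PSS_SCHEMES = {c for c, n in SIGNATURE_SCHEMES.items() if n.startswith("rsa_pss")}


def scheme_name(code):
    return SIGNATURE_SCHEMES.get(code, f"unknown(0x{code:04x})")


def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated CertificateRequest")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_certificate_request(body):
    """Parse a TLS 1.2 CertificateRequest body (bytes after the 4-byte
    handshake header): certificate_types<1..2^8-1>,
    supported_signature_algorithms<2..2^16-2>, certificate_authorities<0..2^16-1>."""
    if not body:
        raise ValueError("empty CertificateRequest")
    ct_len, pos = body[0], 1
    if ct_len == 0 or pos + ct_len > len(body):
        raise ValueError("bad certificate_types length")
    cert_types, pos = list(body[pos:pos + ct_len]), pos + ct_len
    sa_len, pos = _u16(body, pos), pos + 2
    if sa_len < 2 or sa_len % 2 or pos + sa_len > len(body):
        raise ValueError("bad supported_signature_algorithms length")
    sigalgs = [_u16(body, pos + i) for i in range(0, sa_len, 2)]
    pos += sa_len
    ca_len, pos = _u16(body, pos), pos + 2
    if pos + ca_len > len(body):
        raise ValueError("bad certificate_authorities length")
    # Each CA is a length-prefixed DER DistinguishedName inside its own block.
    ca_block, pos = body[pos:pos + ca_len], pos + ca_len
    cas, p = [], 0
    while p < len(ca_block):
        dn_len, p = _u16(ca_block, p), p + 2
        if p + dn_len > len(ca_block):
            raise ValueError("bad DistinguishedName length")
        cas.append(ca_block[p:p + dn_len])
        p += dn_len
    if pos != len(body):
        raise ValueError("trailing bytes after CertificateRequest")
    return {"certificate_types": cert_types,
            "signature_algorithms": sigalgs,
            "certificate_authorities": cas}


def is_well_formed(body):
    try:
        parse_certificate_request(body)
        return True
    except ValueError:
        return False


def rsa_pss_report(body):
    """Summarise the offer: full list, the RSA-PSS entries (which a card
    without PSS support cannot produce) and whether PKCS#1 v1.5 is offered."""
    sigalgs = parse_certificate_request(body)["signature_algorithms"]
    return {
        "offered": [scheme_name(s) for s in sigalgs],
        "rsa_pss_offered": [scheme_name(s) for s in sigalgs if s in RSA_PSS_SCHEMES],
        "rsa_pkcs1_offered": any(scheme_name(s).startswith("rsa_pkcs1") for s in sigalgs),
    }


def build_certificate_request(sigalgs, cert_types=(1,), cas=()):
    """Build a CertificateRequest body; used only to construct the samples."""
    sa = b"".join(struct.pack("!H", s) for s in sigalgs)
    ca = b"".join(struct.pack("!H", len(dn)) + dn for dn in cas)
    return (bytes([len(cert_types)]) + bytes(cert_types)
            + struct.pack("!H", len(sa)) + sa
            + struct.pack("!H", len(ca)) + ca)


# Constructed samples (not FortiGate output): a minimal DER DN "CN=Test" and
# two CertificateRequests, one offering RSA-PSS first and one without it.
SAMPLE_CA_DN = bytes.fromhex("300f310d300b0603550403130454657374")
SAMPLE_WITH_PSS = build_certificate_request(
    [0x0804, 0x0805, 0x0401, 0x0501, 0x0403], cas=[SAMPLE_CA_DN])
SAMPLE_NO_PSS = build_certificate_request(
    [0x0401, 0x0501, 0x0403], cas=[SAMPLE_CA_DN])

if __name__ == "__main__":
    for label, body in (("with RSA-PSS", SAMPLE_WITH_PSS), ("without RSA-PSS", SAMPLE_NO_PSS)):
        print(label, rsa_pss_report(body))
```

If the report still lists rsa_pss entries after client-sigalgs has been set to no-rsa-pss, the change did not take effect on the listener that was captured; if rsa_pkcs1_offered is False, an RSA card that only signs PKCS#1 v1.5 cannot authenticate at all, whichever Windows build is used.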
