FortiGate
Nchandan, Staff
Article Id 337795
Description

 

This article describes an issue where SSL VPN users with certificate-based authentication are unable to connect and FortiClient disconnects at 48%.

 

Scope

 

FortiGate.

 

Solution

 

This issue appears after the firmware is upgraded from version 7.0.14 to 7.2.5 or later when the user certificates used for SSL VPN certificate-based authentication are signed with SHA-1. User certificates whose signature algorithm is SHA-1 are no longer supported on 7.2.5 and above, so the TLS handshake is rejected before the user is authenticated. Note that SHA-1 is the hash used in the certificate's signature, not an "encryption" strength: a certificate with a 2048-bit RSA key is still affected if the CA signed it with SHA-1. This matches the industry-wide deprecation of SHA-1 for signatures after practical collision attacks were demonstrated.

 

Debug logs:
The SSL VPN debug output collected during a failed connection attempt shows the following (client address masked as x.x.x.x, server name as y.y.y.y):

[347:root:2563]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[347:root:2563]SSL state:before SSL initialization (x.x.x.x)
[347:root:2563]SSL state:fatal decode error (x.x.x.x)
[347:root:2563]SSL state:error:(null)(x.x.x.x)
[347:root:2563]SSL_accept failed, 1:unexpected eof while reading
[347:root:2563]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
[344:root:2566]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[344:root:2566]SSL state:before SSL initialization (x.x.x.x)
[344:root:2566]SSL state:before SSL initialization (x.x.x.x)
[344:root:2566]got SNI server name: y.y.y.y (null)
[344:root:2566]client cert requirement: yes
[344:root:2566]SSL state:fatal handshake failure (x.x.x.x)
[344:root:2566]SSL state:error:(null)(x.x.x.x)
[344:root:2566]SSL_accept failed, 1:no suitable signature algorithm
[344:root:2566]Destroy sconn 0x7f26b8e55800, connSize=0. (root)

 

Debug logs observation:

  • The debug shows the same error in multiple instances: a fatal handshake failure, with SSL_accept failing with "no shared cipher" or "no suitable signature algorithm" (the excerpt above shows the latter, on the connection where a client certificate was required).

  • The logs indicate that the SSL handshake fails because the FortiGate and the client cannot agree on a shared cipher or on a signature algorithm acceptable to both. With "client cert requirement: yes" on the same connection, this points at the signature algorithm of the user's certificate. The earlier "unexpected eof while reading" only records the client closing the connection without a TLS close_notify and is not the root cause.
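A full `diagnose debug application sslvpn -1` capture contains many connections interleaved by their `[pid:vdom:conn]` prefix, and the line that matters ("SSL_accept failed, ...") is several lines away from the one that says a client certificate was required. The following is an added example (not Fortinet tooling) that groups the debug lines per connection and flags the ones whose handshake failed for a certificate-related reason; the sample log embedded in it is constructed from the excerpt above, and the `CERT_REASONS` list and field names are this example's own choices.

```python
"""Triage output of 'diagnose debug application sslvpn -1': group lines by their
[pid:vdom:conn] prefix and report, per connection, whether a client certificate
was demanded and why SSL_accept failed.  Added example; not Fortinet tooling."""
import re
from collections import OrderedDict

# Constructed sample modelled on the excerpt in the article (addresses masked as there).
SAMPLE_LOG = """\
[347:root:2563]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[347:root:2563]SSL state:before SSL initialization (x.x.x.x)
[347:root:2563]SSL state:fatal decode error (x.x.x.x)
[347:root:2563]SSL_accept failed, 1:unexpected eof while reading
[347:root:2563]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
[344:root:2566]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[344:root:2566]got SNI server name: y.y.y.y (null)
[344:root:2566]client cert requirement: yes
[344:root:2566]SSL state:fatal handshake failure (x.x.x.x)
[344:root:2566]SSL_accept failed, 1:no suitable signature algorithm
[344:root:2566]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
"""

PREFIX = re.compile(r"^\[(\d+):([^:\]]+):(\d+)\](.*)$")
FAIL = re.compile(r"SSL_accept failed, \d+:(.*)$")

# Handshake failure reasons that point at the client certificate / signature
# negotiation rather than at the network (the article cites both of these).
CERT_REASONS = ("no suitable signature algorithm", "no shared cipher")


def parse_sslvpn_debug(text):
    """Return an ordered dict keyed by 'pid:vdom:conn' with the facts needed for triage."""
    conns = OrderedDict()
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:                      # not an sslvpn daemon line; skip it
            continue
        key = ":".join(m.group(1, 2, 3))
        rest = m.group(4)
        c = conns.setdefault(key, {"client_cert_required": False,
                                   "sni": None, "failure": None})
        if rest.startswith("client cert requirement: yes"):
            c["client_cert_required"] = True
        sni = re.match(r"got SNI server name: (\S+)", rest)
        if sni:
            c["sni"] = sni.group(1)
        f = FAIL.search(rest)
        if f:
            c["failure"] = f.group(1).strip()
    return conns


def cert_related_failures(conns):
    """Connection keys whose handshake failed for a certificate-related reason."""
    return [k for k, c in conns.items()
            if c["failure"] and any(r in c["failure"] for r in CERT_REASONS)]


def summarize(conns):
    """One line per connection, suitable for scanning a long debug capture."""
    return [f"{k}: client_cert={'yes' if c['client_cert_required'] else 'no'} "
            f"sni={c['sni'] or '-'} failure={c['failure'] or '-'}"
            for k, c in conns.items()]


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    parsed = parse_sslvpn_debug(data)
    print("\n".join(summarize(parsed)))
    print("certificate-related failures:", cert_related_failures(parsed))
```

Pipe a saved debug capture into the script (`python3 triage.py < sslvpn-debug.txt`); with no input it runs against the embedded sample. Connections that show `client_cert=yes` together with a failure in `CERT_REASONS` are the ones to check for a SHA-1-signed user certificate; an `unexpected eof while reading` on its own is only the client hanging up.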

 

To resolve the issue, re-issue the user's certificate with a SHA-256 or stronger signature algorithm and install it on the user's PC so that FortiClient presents the new certificate, since SHA-1 is no longer supported on 7.2.5. Check the "Signature algorithm" field in the certificate details rather than the key size: a certificate with a strong key is still rejected if its signature is SHA-1. The steps taken on the user's PC are shown in the screenshot below.

 

[Screenshot not reproduced in this text version: Screenshot 2024-08-30 123150.png]

 

After installing the new certificate on the user's PC, initiate the SSL VPN connection again; it now establishes successfully without any errors.

 

SSL VPN debug commands.
Use the following diagnose commands to identify SSL VPN issues. They enable SSL VPN application debugging at level -1, which prints all messages; run them on the FortiGate before the user retries the connection and disable them afterwards, as the output is verbose.

 

diagnose debug application sslvpn -1
diagnose debug enable

 

To disable the debug:

 

diagnose debug disable
diagnose debug reset