cravikumar
Staff
Article Id 380281
Description

This article describes why SSL VPN stops working after upgrading from v7.0.x to v7.2.x in the FortiGate-1500D model. The SSL VPN debugs show 'no shared cipher' and the browser displays 'SSL_ERROR_NO_CYPHER_OVERLAP':

Scope

FortiGate-1500D

Solution

From the config file, under SSL VPN settings, the server cert is 'Fortinet_Factory'.

FortiGate-1500D is a CP8 platform, and the 'Fortinet_Factory' certificate uses a 1024-bit key.

FortiOS has used OpenSSL 3.0.2 since v7.2.1 (0752141). The 1024-bit 'Fortinet_Factory' certificate does not meet the OpenSSL 3.0 requirements, which causes the SSL handshake to fail.
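The practical pre-upgrade check is to read the RSA key size out of the SSL VPN server certificate before moving to v7.2.x. The following is an added example, not Fortinet code: it parses the DER SubjectPublicKeyInfo that 'openssl x509 -in cert.pem -pubkey -noout' prints for any exported certificate, using only the standard library; the 2048-bit minimum is an assumed policy value, and the builder at the end produces constructed test keys only.

```python
import base64

def _tlv(buf, pos):
    """Parse one ASN.1 DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def spki_from_pem(pem):
    """Decode a '-----BEGIN PUBLIC KEY-----' block (output of openssl x509 -pubkey) to DER."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def rsa_modulus_bits(spki_der):
    """Return the RSA modulus size in bits from a DER SubjectPublicKeyInfo."""
    _, spki, _ = _tlv(spki_der, 0)                 # SEQUENCE { algorithm, subjectPublicKey }
    _, _, pos = _tlv(spki, 0)                      # skip AlgorithmIdentifier
    tag, bitstr, _ = _tlv(spki, pos)               # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("malformed SubjectPublicKeyInfo")
    _, rsakey, _ = _tlv(bitstr[1:], 0)             # drop unused-bits byte, open SEQUENCE
    tag, modulus, _ = _tlv(rsakey, 0)              # INTEGER n
    if tag != 0x02:
        raise ValueError("not an RSA public key")
    modulus = modulus.lstrip(b"\x00")              # strip the sign-padding byte
    return (len(modulus) - 1) * 8 + modulus[0].bit_length()

def meets_minimum(spki_der, min_bits=2048):
    """True if the key is at least min_bits (2048 is an assumed policy minimum, not an OpenSSL constant)."""
    return rsa_modulus_bits(spki_der) >= min_bits

# --- constructed test data (not a real key): an SPKI whose modulus has a chosen bit size ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

_RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")   # OID rsaEncryption + NULL params

def build_rsa_spki(bits, e=65537):
    n = (1 << (bits - 1)) | 1                        # top bit set -> exactly `bits` bits
    nb = n.to_bytes((bits + 7) // 8, "big")
    if nb[0] & 0x80:
        nb = b"\x00" + nb                            # DER INTEGER is signed; keep it positive
    rsakey = _der(0x30, _der(0x02, nb) + _der(0x02, e.to_bytes(3, "big")))
    return _der(0x30, _der(0x30, _RSA_ALG_ID) + _der(0x03, b"\x00" + rsakey))
```

Run meets_minimum(spki_from_pem(open("pubkey.pem").read())) against the exported server certificate's public key; a 1024-bit factory-style key is reported as below the minimum.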

Debugs:

FortiGate-1500D # 2022-12-02 13:22:58 [357:root:2]allocSSLConn:306 sconn 0x7f8ba56b1800 (0:root)
2022-12-02 13:22:58 [357:root:2]SSL state:before SSL initialization (10.10.170.16)
2022-12-02 13:22:58 [357:root:2]SSL state:fatal decode error (10.10.170.16)
2022-12-02 13:22:58 [357:root:2]SSL state:error:(null)(10.10.170.16)
2022-12-02 13:22:58 [357:root:2]SSL_accept failed, 1:unexpected eof while reading
2022-12-02 13:22:58 [357:root:2]Destroy sconn 0x7f8ba56b1800, connSize=0. (root)
2022-12-02 13:22:59 [358:root:2]allocSSLConn:306 sconn 0x7f8ba56b1800 (0:root)
2022-12-02 13:22:59 [358:root:2]SSL state:before SSL initialization (10.10.170.16)
2022-12-02 13:22:59 [358:root:2]SSL state:before SSL initialization (10.10.170.16)
2022-12-02 13:22:59 [358:root:2]no SNI received
2022-12-02 13:22:59 [358:root:2]client cert requirement: no
2022-12-02 13:22:59 [358:root:2]SSL state:fatal handshake failure (10.10.170.16)
2022-12-02 13:22:59 [358:root:2]SSL state:error:(null)(10.10.170.16)
2022-12-02 13:22:59 [358:root:2]SSL_accept failed, 1:no shared cipher
2022-12-02 13:22:59 [358:root:2]Destroy sconn 0x7f8ba56b1800, connSize=0. (root)
2022-12-02 13:22:59 [359:root:2]allocSSLConn:306 sconn 0x7f8ba56b1800 (0:root)
2022-12-02 13:22:59 [359:root:2]SSL state:before SSL initialization (10.10.170.16)
2022-12-02 13:22:59 [359:root:2]SSL state:before SSL initialization (10.10.170.16)
2022-12-02 13:22:59 [359:root:2]no SNI received
2022-12-02 13:22:59 [359:root:2]client cert requirement: no
2022-12-02 13:22:59 [359:root:2]SSL state:fatal handshake failure (10.10.170.16)
2022-12-02 13:22:59 [359:root:2]SSL state:error:(null)(10.10.170.16)
2022-12-02 13:22:59 [359:root:2]SSL_accept failed, 1:no shared cipher

Creating a new SSL VPN certificate on the FortiGate resolves the issue. The current configuration still references the factory certificate:

config vpn ssl settings
    set ssl-max-proto-ver tls1-2
    set ssl-min-proto-ver tls1-0
    set servercert "Fortinet_Factory"    <----- 1024-bit factory certificate
    set algorithm low
    set idle-timeout 14400
end

To create a certificate, go to VPN -> SSL VPN Settings -> Server Certificate -> Create Certificate -> Generate Certificate.

Once generated, replace the old SSL VPN certificate with the new one.
