| Description | This article describes how to fix the 'SSL connection is blocked due to unable to retrieve servers certificate' error received in the SSL Events at Security Events. |
| Scope | FortiGate, Flow-based inspection. |
| Solution |
After upgrading to v7.4.5 or v7.2.11, users may start experiencing connection failures to websites in the form of connection resets (e.g. ERR_CONNECTION_RESET). In the FortiGate Security Events -> SSL Logs, there may be log entries with Log ID 1700062305 and the Message 'SSL connection is blocked due to unable to retrieve the server's certification'.
This issue is more likely to occur if flow-based inspection is the primary mode used for Firewall Policies before and after the firmware upgrade, and this error typically indicates a problem with the SSL certificate validation for those domains, specifically when the FortiGate tries to send TLS probes as part of inspecting the server's TLS certificate.
This occurs is because of Change #1004258, which was introduced in v7.2.11, v7.4.5, and v7.6.1. For context, the FortiGate needs to perform TLS certificate probing when inspecting TLS-based connections (such as HTTPS for web traffic) so that it can retrieve the server's certificate and determine the destination that a user is trying to access. If this TLS probe fails for some reason (for example, the FortiGate's probe can't reach the destination web server), then the FortiGate needs to determine if the connection should be blocked or allowed.
To control this behavior, an option called cert-probe-failure was introduced into the SSL inspection profile as of Change #698487, with the default behavior being set to block (i.e. if the probe fails, block the connection since the destination is not verified). However, this option previously only controlled the behavior for Firewall Policies using proxy-based inspection; when using flow-based Firewall Policies, the cert-probe-failure option was ignored, and the behavior was to always allow connections if the probes failed.
As of v7.2.11, v7.4.5, v7.6.,1 and later, the cert-probe-failure setting now applies to Firewall Policies using flow-based inspection. However, this means that any FortiGate sites that used flow-based Firewall Policies and were already having TLS probe failures could suddenly start to experience connection issues after performing a firmware upgrade. When this occurs, the Forward Traffic logs will show web traffic sessions being blocked, and the associated SSL logs in the Security Events will show the following message:
SSL connection is blocked due to an inability to retrieve the server's certificate.
Refer to the following Release Notes sections for further information (search for '1004258'): FortiOS 7.4.5 Release Notes - Changes in default behavior FortiOS 7.2.11 Release Notes - Changes in default behavior
Solutions: If it is not possible to address the TLS probing failures (e.g., correcting routing issues), then the following are good options for preventing disruption to user traffic:
Solution 1: cert-probe-failure: As noted above, cert-probe-failure now influences both flow-based inspection and proxy-based inspection, as of versions v7.2.11, v7.4.5, and v7.6.1. Previously in v7.2.10, v7.4.4, and v7.6.0 (and all earlier), flow-based inspection had a non-modifiable behavior that was identical to set cert-probe-failure allow. In contrast, now it is modifiable, and the default setting is block.
With that in mind, one solution is to modify an SSL profile and set cert-probe-failure to allow, as it would have the same security posture and user-friendly behavior that previous FortiOS versions had:
config firewall ssl-ssh-profile edit <profile_name> config https set ports 443 end end
Note: Starting from v7.6.0, the default behavior for cert-probe-failure has been changed from block to allow, as per Change #1028017, meaning that certificate probe failures will now be permitted by default unless explicitly configured otherwise. (See also: FortiOS 7.6.0 Release Notes - Resolved Issues.)
At config SSL, the cert-probe-failure is not an option
config firewall ssl-ssh-profile edit <profile_name> config ssl set inspect-all disable end end
Important notes:
config firewall ssl-ssh-profile edit <profile_name config ssl unset inspect-all end next end
Further information on certificate probing is discussed here: Troubleshooting Tip: How to allow HTTPS (port 443) traffic when certificate-probe-failed error occur....
To push this configuration to multiple units (FortiGates) via FortiManager, refer to the following procedure:
After following these steps, push the SSL-SSH profile-related configuration to the desired FortiGate units via FortiManager.
Solution 2: sni-server-cert-check: As an alternative to setting cert-probe-failure to allow, administrators could also consider setting sni-server-cert-check to disable, as disabling SNI checks will also prevent TLS probing from being performed at all.
To do this, create/clone an SSL inspection profile and either toggle off Server certificate SNI check in the GUI or run set sni-server-cert-check disable in the CLI. Once this is done, assign the new SSL inspection profile to the flow-based Firewall Policies:
config firewall ssl-ssh-profile edit <profile_name> config https set sni-server-cert-check disable end end end
Similar to Solution 1, this change can also be pushed via FortiManager:
Solution 3: Resolve underlying TLS probing failures: In most cases, it is possible to fix TLS probing failures by reviewing the routing and the network path that the FortiGate uses to reach a remote web server. Refer to the following knowledge base articles for further tips and suggestions on resolving certificate probing issues, as well as information on certificate inspection in general:
|
