Description |
This article describes a certificate error that is presented for some sites when an SSL certificate-inspection profile is applied in a firewall policy, as in the following example:
The error appears even when the firewall policy has exemptions and allow entries configured:
This happens because the SNI sent in the Client Hello is compared against the SAN and CN of the server certificate. If the SNI does not match the names registered on the certificate, the host is flagged as an untrusted host. The `ssl_sni_cert_check` uses the presence of the `SSL_SERVER_STATUS_SNI_VERIFIED` flag to determine whether the SNI matched the CN/SAN.
In the example, the certificate is issued to *.adobe.com, but the Creative Cloud tools connect to hosts under *.creativecloud.adobe.com. This discrepancy can cause this kind of error when the traffic is inspected, even though all of this traffic is allowed. |
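The following is an added example, not Fortinet code and not the FortiGate implementation of `ssl_sni_cert_check`: a small reference implementation of the SNI-versus-certificate-name comparison that produces the "untrusted host" verdict described above. It assumes the matching rules of RFC 6125 (a wildcard may only be the whole leftmost label and matches exactly one label; when dNSName SANs are present the CN is ignored), which is what makes a certificate for *.adobe.com not cover hosts under creativecloud.adobe.com. The `ServerCert`, `name_matches`, `sni_verified` and `inspect_client_hello` names and the constructed `ADOBE_WILDCARD` certificate are the example's own.

```python
"""
Added example (not Fortinet code): reference SNI vs. certificate-name
comparison with RFC 6125 single-label wildcard semantics.
"""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Constructed stand-in for the identity fields of a server certificate."""
    cn: str
    sans: list = field(default_factory=list)  # dNSName SAN entries


def _norm(name: str) -> str:
    # DNS names are case-insensitive; strip a trailing root dot if present.
    return name.lower().rstrip(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name (possibly a wildcard) against one hostname."""
    pattern, hostname = _norm(pattern), _norm(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be a wildcard, and it matches exactly
    # one label: "*.adobe.com" covers "www.adobe.com" but not
    # "cc-api.creativecloud.adobe.com" and not the bare "adobe.com".
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3:  # refuse over-broad "*.com"-style patterns
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def sni_verified(sni: str, cert: ServerCert) -> bool:
    """
    True when the SNI matches the certificate. If the certificate carries
    dNSName SANs, only those are consulted (the CN is ignored, as browsers
    do); the CN is a fallback only for legacy certificates without SANs.
    """
    candidates = cert.sans if cert.sans else [cert.cn]
    return any(name_matches(c, sni) for c in candidates)


def inspect_client_hello(sni: str, cert: ServerCert) -> str:
    """Return the verdict an SNI check would reach for this flow."""
    return "SNI_VERIFIED" if sni_verified(sni, cert) else "UNTRUSTED_HOST"


# Constructed certificate modelled on the article's example: a wildcard for
# *.adobe.com only, which does not extend to deeper subdomains.
ADOBE_WILDCARD = ServerCert(cn="*.adobe.com", sans=["*.adobe.com", "adobe.com"])


if __name__ == "__main__":
    for host in ("www.adobe.com", "adobe.com", "cc-api.creativecloud.adobe.com"):
        print(f"{host:40s} -> {inspect_client_hello(host, ADOBE_WILDCARD)}")
```

Running the block shows `www.adobe.com` and `adobe.com` as SNI_VERIFIED while `cc-api.creativecloud.adobe.com` comes back UNTRUSTED_HOST, which is the same mismatch the article attributes to the Creative Cloud hosts: the verdict is the expected result of standard name matching rather than a defect in the inspection profile.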
Scope | FortiGate, FortiOS. |
Solution |
Go to Security Profiles > SSL/SSH Inspection and clone the certificate-inspection profile:
Open the cloned SSL inspection profile and in the SSL Inspection Options, select Disable the Server certificate SNI check:
After this, create a firewall policy for the specific service causing the issue, so that the relaxed profile is not applied to all traffic:
In the Security Profiles options of that policy, select the cloned certificate-inspection profile:
Disclaimer: When SNI checks are disabled, FortiGate is unable to filter URLs if the CN (Common Name) in the server certificate does not match. This may result in inaccurate web traffic classification and filtering. Disabling SNI checks could result in a violation of security policies or laws that demand rigorous server identity verification. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.