FortiWeb
Nishtha_Baria
Article Id 276628
Description This article describes two common SSL errors and provides guidance on resolving SSL client authentication failures in FortiWeb.
Scope FortiWeb.
Solution

SSL errors are messages that indicate issues related to the establishment of secure SSL connections. In the context of FortiWeb and SSL client authentication, two common SSL errors are mentioned:


  1. X509 Error(20) - unable to get local issuer certificate: This error occurs when FortiWeb cannot find, among its own trusted CA certificates, the certificate of the CA that issued the client's SSL certificate. It usually means that the client's certificate was issued by a CA that is not in FortiWeb's trusted CA set, or that the CA's certificate itself is missing or invalid.
  2. SSL Error(199) - peer did not return a certificate: This error occurs when the client sends no certificate at all during the SSL handshake. It indicates that the client failed to present an SSL certificate for authentication, so the failure lies on the client side rather than in FortiWeb's CA configuration.


To resolve SSL client authentication failures in FortiWeb, follow these steps:


  1. Disable 'Ignore SSL Errors': Ensure that the 'Ignore SSL Errors' option in Log Config -> Other Log settings is disabled. With this option disabled, SSL errors are written to the log instead of being suppressed.
  2. Review SSL Error Logs: Monitor the FortiWeb logs for SSL error entries. Look for entries similar to the ones mentioned above ('X509 Error(20)' or 'SSL Error(199)').
  3. Import and Update CA Certificates: If clients provide new CA certificates for client certificate authentication, import those CA certificates and update the 'Certificate Verify' profile used by the Server Policy.
  4. Certificate Verify Profile: In FortiWeb, the 'Certificate Verify' profile is used to authenticate user certificates during SSL client authentication. Ensure that this profile is correctly configured and up to date.
  5. CA Group Selection: In the CA (Certificate Authority) group configuration, select all CA certificates that the 'Certificate Verify' profile may need for authenticating user certificates. The profile can then accept client certificates issued by any CA in the group during the SSL handshake.
  6. Intermediate Certificates: Note that the 'Certificate Verify' profile may not support using intermediate certificate groups. Ensure that the CA certificates used are the root or trusted CA certificates and do not rely on intermediate certificates.
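The following is an added illustration, not FortiWeb code, of the chain-building check that produces the two errors above and of why steps 5 and 6 fix Error(20). Certificates are reduced to (subject, issuer) name pairs, and the CA group is a plain list; signatures, validity periods and revocation are not checked, and the CA names and the client name are constructed for the example.

```python
"""Simplified model of SSL client certificate verification against a CA group.

Added example, not FortiWeb code. A certificate is only a (subject, issuer)
pair; the CA group plays the role of the Certificate Verify profile's trust
store. Issuers are looked up ONLY in the CA group, which is what the word
"local" in "unable to get local issuer certificate" refers to.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Error codes as quoted in the article.
X509_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
SSL_ERR_PEER_DID_NOT_RETURN_A_CERTIFICATE = 199

MAX_CHAIN_DEPTH = 8  # guard against a mis-built CA group whose names form a loop


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class VerifyError(Exception):
    """Carries the numeric code that would appear in the FortiWeb log entry."""

    def __init__(self, code: int, message: str) -> None:
        super().__init__(f"Error({code}): {message}")
        self.code = code


def build_chain(client_cert: Optional[Cert], ca_group: Sequence[Cert]) -> List[Cert]:
    """Walk from the client certificate up to a self-signed CA in the CA group.

    Returns [leaf, ..., root] or raises VerifyError with code 199 (no client
    certificate) or 20 (some issuer along the chain is not in the CA group).
    Simplification: a self-signed client certificate that is not in the CA
    group is reported with code 20 as well.
    """
    if client_cert is None:
        raise VerifyError(SSL_ERR_PEER_DID_NOT_RETURN_A_CERTIFICATE,
                          "peer did not return a certificate")
    local = {c.subject: c for c in ca_group}
    chain = [client_cert]
    current = client_cert
    # Stop once we reach a self-signed certificate that is itself trusted.
    while not (current.self_signed and current.subject in local):
        issuer = local.get(current.issuer)
        if issuer is None:
            raise VerifyError(
                X509_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
                f"unable to get local issuer certificate: '{current.subject}' "
                f"is issued by '{current.issuer}', which is not in the CA group")
        chain.append(issuer)
        current = issuer
        if len(chain) > MAX_CHAIN_DEPTH:
            raise ValueError("certificate chain too long; check the CA group for loops")
    return chain


def remediation(code: int) -> str:
    """Map a logged error code to the side of the connection that needs fixing."""
    if code == X509_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
        return ("FortiWeb side: import the issuing CA certificate and add it to the "
                "CA group used by the Certificate Verify profile (steps 3 to 6)")
    if code == SSL_ERR_PEER_DID_NOT_RETURN_A_CERTIFICATE:
        return "client side: no certificate was presented; check the client's certificate setup"
    return "unrecognised error code; check the SSL error log entry"


def verify_client(client_cert: Optional[Cert],
                  ca_group: Sequence[Cert]) -> Tuple[bool, Optional[int], str]:
    """Return (ok, error_code, detail) for one client handshake."""
    try:
        chain = build_chain(client_cert, ca_group)
    except VerifyError as err:
        return False, err.code, f"{err} -> {remediation(err.code)}"
    return True, None, " -> ".join(c.subject for c in chain)


# Constructed certificates: a root CA, an issuing (intermediate) CA, and a client.
ROOT = Cert("Example Root CA", "Example Root CA")
ISSUING = Cert("Example Issuing CA", "Example Root CA")
CLIENT = Cert("CN=alice", "Example Issuing CA")


if __name__ == "__main__":
    # CA group holds only the root: the client's issuer cannot be found locally -> Error(20).
    print(verify_client(CLIENT, [ROOT]))
    # CA group holds root and issuing CA (step 5): the chain completes.
    print(verify_client(CLIENT, [ROOT, ISSUING]))
    # Client sends nothing at all -> Error(199), regardless of the CA group.
    print(verify_client(None, [ROOT, ISSUING]))
```

The first case is the one steps 5 and 6 address: the client's certificate is perfectly valid, but the CA that signed it is not in the CA group, so FortiWeb cannot complete the chain with local material. The third case cannot be fixed on FortiWeb; the log entry tells you to look at the client.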


Testing and Verification:

  • After making the necessary configurations and updates, thoroughly test SSL client authentication to ensure that SSL errors are resolved and clients can successfully authenticate using their certificates.