dieter
New Contributor

Anyone else having trouble accessing microsoft.com?

FortiOS 6.0.14, using SSL inspection.

Lately, browsing to microsoft.com or www.microsoft.com fails. Firefox throws error PR_END_OF_FILE_ERROR, Chrome ERR_CONNECTION_CLOSED.
No such problems with other subdomains like teams.microsoft.com.

I guess it's a configuration error on their side. They use Akamai as CDN. I see quite a few differences in supported protocols and ciphers between microsoft.com (https://www.ssllabs.com/ssltest/analyze.html?d=microsoft.com&s=40.76.4.15&hideResults=on) and the particular Akamai node I landed on (https://www.ssllabs.com/ssltest/analyze.html?d=e13678.dscb.akamaiedge.net&s=23.62.177.155).

Putting microsoft.com in the exemption list for SSL inspection resolves this issue, obviously. But I'm not planning on implementing this kind of broad exception.

So, simple question: anyone else seeing this?

mariopugliese
New Contributor III

I had a similar issue, but not on microsoft.com, with FortiOS 6.2.8 and 6.4.7.

Like you, I used SSL deep inspection and added a lot of exemptions as a workaround.

Recently, after reading the 6.4.8 release notes, I saw bug ID 750551: DST_Root_CA_X3 certificate is expired.

I upgraded to 6.4.8 and the issue was solved. I removed the added exemptions.

I am really not sure this certificate is used by Microsoft. It is used in particular by Let's Encrypt.

You already use the latest version in the 6.0 branch, but there is nothing related to this bug in the release notes.

dieter

Thank you. I don't think it's related.

At the time of writing, microsoft.com resolved to an IP on Akamai. That one served a very nasty certificate (this one: https://www.ssllabs.com/ssltest/analyze.html?d=e13678.dscb.akamaiedge.net&s=184.27.30.29&ignoreMisma...).

That was probably the reason for all alarms going off (as in: certificate is really bad, block it!).

microsoft.com resolves to somewhere else now and all is fine.