Is the Fortigate default certificate-inspection profile able to see SAN names in an SSL cert or does it even attempt to see them?
Thanks,
Brian
Yes it does look for SNI. I ran into an issue with the default certificate-inspection profile assigned to a policy in proxy-mode: SSL negotiation failure because SNI does not match CN. Looking at the certificate for the website in question, I can see that the CN is listed in SNI, but it's the last entry.
You can resolve by using flow-based inspection. Also, you can edit the certificate-inspection profile on the CLI:
```
config firewall ssl-ssh-profile
    edit custom-cert-inspection
        config ssl
            set inspect-all certificate-inspection
            set sni-server-cert-check disable
        end
    end
```
I found that disabling sni-server-cert-check on full-tunnel SSL VPN policies resolved the issue without having to switch to flow-based inspection.
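The failure described in this answer comes from comparing the SNI value against the certificate's CN only, when browsers and RFC 6125 clients match the hostname against the subjectAltName DNS entries first and fall back to the CN only if there are no SAN DNS names. The following script is an added illustration, not code from this thread or from Fortinet: it builds a constructed certificate dictionary in the shape that Python's `ssl.SSLSocket.getpeercert()` returns (CN differs from the public hostnames, which live only in the SAN list) and compares a CN-only check with a SAN-aware check for several SNI values. The function names (`classify`, `hostname_matches`, `fetch_peer_cert`) are my own; `fetch_peer_cert` is only a convenience for pulling a live leaf certificate into the same format and is not used by the offline demo.

```python
import socket
import ssl

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
# The CN is an origin name; the hostnames clients actually connect to
# appear only in subjectAltName, with the CN listed last, as in the thread.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "origin.example.net"),)),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.cdn.example.com"),
        ("DNS", "origin.example.net"),
    ),
}


def common_name(cert):
    """Return the subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def san_dns_names(cert):
    """Return every dNSName entry from subjectAltName, in certificate order."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, wildcard only as the
    whole leftmost label, and the wildcard never matches more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*.example.com" is fine; "*.com", "w*.example.com" and "a.*.b" are not.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cn_only(cert, hostname):
    """The naive check: look at the CN and ignore SAN entirely."""
    cn = common_name(cert)
    return cn is not None and _dns_name_matches(cn, hostname)


def hostname_matches(cert, hostname):
    """The SAN-aware check: if the cert carries dNSName SANs, only they count;
    the CN is consulted only when no SAN DNS names are present."""
    sans = san_dns_names(cert)
    if sans:
        return any(_dns_name_matches(pattern, hostname) for pattern in sans)
    cn = common_name(cert)
    return cn is not None and _dns_name_matches(cn, hostname)


def classify(cert, sni):
    """Show, for one SNI value, whether a CN-only check and a SAN-aware check accept it."""
    return {
        "sni": sni,
        "cn_only": hostname_matches_cn_only(cert, sni),
        "san_aware": hostname_matches(cert, sni),
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server's validated leaf certificate in getpeercert() format
    (network access required; not exercised by the offline demo below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for sni in ("www.example.com", "edge1.cdn.example.com",
                "a.b.cdn.example.com", "origin.example.net", "other.example.org"):
        print(classify(SAMPLE_CERT, sni))
```

Running the demo shows that `www.example.com` and `edge1.cdn.example.com` are rejected by the CN-only comparison but accepted by the SAN-aware one, which is exactly the "SNI does not match CN" symptom: the connection is legitimate, the check is simply looking in the wrong field. A name such as `a.b.cdn.example.com` is still rejected by the SAN-aware check because a wildcard covers one label only, so a correct matcher does not become permissive.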
SNI and SAN are not the same. SNI has no impact on the certificate itself, whilst with SAN the CN may not be distinct.
@BrianB: Did you find an answer to your question? I am currently struggling to find a way to monitor SAN websites over https. Cloudflare uses this a lot.
Copyright 2024 Fortinet, Inc. All Rights Reserved.