Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BrianB
New Contributor III

6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection)

Is the Fortigate default certificate-inspection profile able to see SAN names in an SSL cert or does it even attempt to see them?

 

Thanks,

Brian

2 REPLIES 2
mjcrevier
New Contributor III

Yes it does look for SNI. I ran into an issue with the default certificate-inspection profile assigned to a policy in proxy-mode: SSL negotiation failure because SNI does not match CN. Looking at the certificate for the website in question, I can see that the CN is listed in SNI, but it's the last entry.

 

You can resolve by using flow-based inspection. Also, you can edit the certificate-inspection profile on the CLI:

 

config firewall ssl-ssh-profile

 edit custom-cert-inspection

  config ssl

   set inspect-all certificate-inspection

   set sni-server-cert-check disable

  end

 end

 

I found that disabling sni-server-cert-check on full-tunnel SSL VPN policies resolved the issue without having to switch to flow-based inspection.

DanielW
New Contributor II

SNI and SAN are not the same. SNI has no impact on the certificate itself, whilst with SAN the CN may not be distinct.

@BrianB: Did you find an answer to your question? I am currently struggling to find a way to monitor SAN websites over https. Cloudflare uses this a lot.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors