- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Bug: Incorrect IKEv2 Digital Signature by FortiCli...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bug: Incorrect IKEv2 Digital Signature by FortiClient 7.4.4/7.4.5
Trying to set up an IKEv2 client-certificate-based IPsec connection from a FortiClient 7.4.4 to a FortiGate VPN Gateway results in the following error in the FortiGate log when evaluating the received IKE_AUTH request:
ike V=root:0:IPSec-Client:176: certificate validation succeeded
ike V=root:0:IPSec-Client:176: signature verification failed
ike V=root:0:IPSec-Client:176: auth verify done
ike V=root:0:IPSec-Client:176: responder AUTH continuation
ike V=root:0:IPSec-Client:176: authentication failed
Parsing the received IKE_AUTH request sent by the FortiClient, we see that the AUTH payload of type Digital Signature (14) defined by RFC 7427 is missing the one octet ASN.1 length field and the following ASN.1 OID of the Algorithm Identifier. Only the raw 64 octet ECDSA 256 Bit Signature has been added:
2F Next Payload: 47 - CP
00 C/Reserved
0048 Length: 72 Octets = 8 + 64 Octets (2*256 Bits)
0E Auth Method: 14 - Digital Signature (RFC 7427)
000000 Reserved
ASN.1 Length: ? (missing)
ASN.1 Algorithm Identifier (OID): ? (missing)
419F71D30B3E1B4D5BFE153186893C1EC589BF954F4CC5A3C679480985D35B22
4715542B4422AA17F7C679BAE4C0ED2334A8C64D64BA6BBC6F333D423B866D93
The same failure when using an 3072 Bit RSA with SHA256 digital signature where only the raw 384 octet signature is present but the preceding ASN.1 OID is missing as well:
2F Next Payload: 47 - CP
00 C/Reserved
0188 Length: 392 Octets = 8 + 384 Octets (3072 Bits)
0E Auth Method: 14 - Digital Signature (RFC 7427)
000000 Reserved
ASN.1 Length: ? (missing)
ASN.1 Algorithm Identifier (OID): ? (missing)
65F376FF7E21AC8B5D6A61FF3B4A61C13A2F7CE12835F2E8579F1FA966D3C66C
4FBA28D07F17AD8E5D0696FAD5095533E4102A5C3A31456D38C59D7E77EFF33C
BBBA12B225FFA14C340149A09ECB7E705719726DAE11CC8FA55F2A522D51BCBB
0EB8FA4DDFFABBB567BF4C822D8F20B45B522985B711374984BC269FDF66E024
60A555237F07FAA444FB39CAB903214E5FB903D7512DBD3CD31FE233D9D92403
CE03B6F8FDEFF965F024AA0A21364CD040B44D2FA3D71240D2EE2B77E0C789AA
0AD4CEFF9BB3CEC690FEAA2FA63A12189A0263E24EB7B633F2406F2CD37E047C
C33AEF9BB3FFC87B81864C9A18059393A5139C49F504F41D0C2D7E94FA61FA06
7BC5AE52282C3C0455686278A342D77FDE1B7A9F24BADB0F5B9FDE7C8AACB25C
7ED68B005E9461C3E5580E295C89D64940C531E968E777DD85182EEFAFB1523C
117EBA9A2F74AC4BD4B7AC8DF27DB5A2163DA3B0AB9513363E69975C858879DA
56F8104EB93F02AEB105020A8506F292390D99F84C561D17D53045BD02B8A551
Is this bug going to be fixed in the next FortiClient release?
Labels:
- Labels:
-
FortiClient
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
maybe it helps, https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-signature-verification-faile...
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Today I installed the latest FortiClient Release v7.4.5 but unfortunately the IKEv2 Digital Signature bug persists as the following IKE_AUTH request parsing of the AUTH payload
for an ecdsa-with-sha256 Digital Signature shows:
2F Next Payload: 47 - CP
00 C/Reserved
0058 Length: 88 Octets = 8 + 16 + 64 Octets (2*256 Bits)
0E Auth Method: 14 - Digital Signature (RFC 7427)
000000 Reserved
0F ASN.1 Length: 15 Octets
30 0D ASN.1 Sequence: 13 Octets
06 09 ASN.1 OID: 9 Octets
2A 86 48 86 F7 0D 01 01 0C : sha384WithRSAEncryption (wrong)
05 00 ASN.1 NULL
9A99C92FEBE71ACC06C5CA110584EE60BB8F005400664C6C604AFB1DE2AF9B60
242860FF498AFEEED6BD6B044913BC11F1E761A1BB93B8D1A27BF93D4809F6EE
The correct ASN.1 Algorithm Identifier encoding according to RFC 7427 is:
0C ASN.1 Length: 12 Octets
30 0A ASN.1 Sequence: 10 Octets
06 08 ASN.1 OID: 8 Octets
2A 86 48 CE 3D 04 03 02 : ecdsa-with-sha256
A slightly different different error occurs with an 3072 bit RSA Digital Signature.
The Algorithm Identifier could now be correct but the signature verification still fails:
2F Next Payload: 47 - CP
00 C/Reserved
0198 Length: 408 Octets = 8 + 16 + 384 Octets (3072 Bits)
0E Auth Method: 14 - Digital Signature (RFC 7427)
000000 Reserved
0F ASN.1 Length: 15 Octets
30 0D ASN.1 Sequence: 13 Octets
06 09 ASN.1 OID: 9 Octets
2A 86 48 86 F7 0D 01 01 0C : sha384WithRSAEncryption
05 00 ASN.1 NULL (no parameters)
3498BF31CDB5D249FCEBDAF2FF2312987EE2030D4B8E4EE9452AF51BC6299906
90FFD4D998E0DD6B531C5EE780263B2670C363D3996F84E2C71CEDE137428C23
A3D87A699527C4E47A1BE891DF402308E5BC2A54A36E6FDD725A5485E33BBFA7
45F631E700B7AB9C75257A66F01586D45525E42BB1FBCCE8D9EFEBD9F87A975D
4F9DDC680423554872238D42712B8E9F3E7245ED31BD3112FCB7E270DF72F211
B6AC38B2E04FBEF915498A6F4789FDC0AE68EC3CD56285BA48604F0B339B97F7
CEFDF549A9410293EE4331200BCE3F9BA9367C99FB3B8C6D136E707FCEC2AFB3
3F9FD5220C90DEB441D0BAAC0B4F8778675F097482BE408750230B3FCB2E3F0C
FCA129FDF8D664A0346D194AA4184483DED441F0ED50D9F1FB09A22AB0896611
7BBDAE5EBDF0AC895632E011F3BD363480F927C1209D0A18D17416DCB87DA411
4C88DBCA151A8573975030CF3EC697EC92ED49DA15897EB546F38C4AA2E7CF80
F55A2236B5F26C8A8AABACD836E966DE013FA1D723803CCB207C1F90F036E018
It might be that instead of the announced sha384WithRSAEncryption a different
RSA signature algorithm was used.
So there is still quite some bug fixing to be done:
Depending on the actual signature scheme selected by the FortiClient for a
given private key type, the correct ASN.1 Algorithm Identifier according to
RFC 7427 must be implemented.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I analyzed the failed 3072 bit RSA signature in the last post by decrypting it with
the client certificate's public key:
3498BF31CDB5D249FCEBDAF2FF2312987EE2030D4B8E4EE9452AF51BC6299906
90FFD4D998E0DD6B531C5EE780263B2670C363D3996F84E2C71CEDE137428C23
A3D87A699527C4E47A1BE891DF402308E5BC2A54A36E6FDD725A5485E33BBFA7
45F631E700B7AB9C75257A66F01586D45525E42BB1FBCCE8D9EFEBD9F87A975D
4F9DDC680423554872238D42712B8E9F3E7245ED31BD3112FCB7E270DF72F211
B6AC38B2E04FBEF915498A6F4789FDC0AE68EC3CD56285BA48604F0B339B97F7
CEFDF549A9410293EE4331200BCE3F9BA9367C99FB3B8C6D136E707FCEC2AFB3
3F9FD5220C90DEB441D0BAAC0B4F8778675F097482BE408750230B3FCB2E3F0C
FCA129FDF8D664A0346D194AA4184483DED441F0ED50D9F1FB09A22AB0896611
7BBDAE5EBDF0AC895632E011F3BD363480F927C1209D0A18D17416DCB87DA411
4C88DBCA151A8573975030CF3EC697EC92ED49DA15897EB546F38C4AA2E7CF80
F55A2236B5F26C8A8AABACD836E966DE013FA1D723803CCB207C1F90F036E018
The actual data signed with the FortiClients's private key has the following
plaintext PKCS#1.5 padded form:
00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff
...
ff ff ff ff ff ff ff ff-ff ff ff ff 00
30 21 ASN.1 Sequence: 33 Octets
30 09 ASN.1 AlgorithmIdentifier: 9 Octets
06 05 ASN.1 OID: 5 Octets
2b 0e 03 02 1a : sha-1
05 00 ASN.1 NULL (no parameters)
04 14 ASN.1 OctetString: 20 Octets
3f 41 14 57 a4 e7 8f 0d 85 7b 4b fd 99 05 1c a7 6d db 2d 23
Thus the actual signature computed by the FortiClient was sha1WithRSAEncryption not sha384WithRSAEncryption as announced in the IKEv2 Digital Signature payload.
Therefore it is clear that the signature verification on the FortiGate side is bound to fail.
Labels
-
FortiGate
11,019 -
FortiClient
2,263 -
FortiManager
927 -
FortiAnalyzer
703 -
5.2
687 -
5.4
638 -
FortiSwitch
610 -
FortiClient EMS
606 -
FortiAP
578 -
IPsec
474 -
6.0
416 -
SSL-VPN
408 -
FortiMail
388 -
5.6
362 -
FortiNAC
315 -
FortiWeb
267 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
215 -
FortiAuthenticator
195 -
FortiGuard
164 -
FortiGate-VM
158 -
5.0
152 -
Firewall policy
152 -
6.4
128 -
FortiCloud Products
122 -
FortiSIEM
116 -
FortiToken
116 -
FortiGateCloud
113 -
Wireless Controller
97 -
High Availability
95 -
Customer Service
91 -
Routing
85 -
SAML
84 -
ZTNA
84 -
FortiProxy
81 -
Authentication
76 -
VLAN
76 -
BGP
75 -
DNS
74 -
Certificate
74 -
Fortivoice
73 -
FortiEDR
73 -
FortiADC
73 -
RADIUS
68 -
LDAP
66 -
FortiLink
62 -
SSO
61 -
NAT
58 -
FortiSandbox
57 -
Interface
55 -
FortiExtender
53 -
Application control
52 -
VDOM
50 -
4.0MR3
49 -
Virtual IP
48 -
Logging
44 -
FortiDNS
43 -
SSL SSH inspection
42 -
FortiPAM
41 -
Web profile
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiConnect
36 -
Automation
36 -
FortiWAN
32 -
FortiConverter
31 -
API
30 -
Traffic shaping
29 -
FortiGate v5.2
28 -
FortiGate Cloud
27 -
Static route
27 -
SNMP
26 -
SSID
26 -
System settings
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
OSPF
23 -
WAN optimization
22 -
Web application firewall profile
22 -
FortiMonitor
21 -
Security profile
20 -
Web rating
20 -
IP address management - IPAM
20 -
FortiSOAR
19 -
FortiAP profile
18 -
Admin
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
IPS signature
15 -
Users
15 -
Traffic shaping policy
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
FortiManager v5.0
13 -
DNS filter
13 -
FortiDeceptor
12 -
Fabric connector
12 -
Port policy
12 -
FortiWeb v5.0
11 -
FortiBridge
11 -
FortiRecorder
11 -
trunk
11 -
Traffic shaping profile
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Application signature
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Packet capture
8 -
Vulnerability Management
8 -
4.0
7 -
4.0MR2
7 -
VoIP profile
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Service
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
Video Filter
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
FortiEdge
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiPresence
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2857 | |
| 1443 | |
| 823 | |
| 816 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.