I have DPi setup and running on one Policy on our cluster (2 3700D v5.2.4,build688). The rule is only for my laptop. After following the Cookbook steps on importing the Fortigate CA onto my laptop everything appears to be working very well. Safe search is working and I haven't ran into any other major problems except Skype on 365, but I believe it might be tied into the current situation I'm trying to solve. On Chrome (again everything works well) I click on the SSL link in the URL and it shows me that Chrome verified the FortiGate CA..... Then it says:
"Your connection to www.netflix.com is encrypted using an obsolete cipher suite. The connection is encrypted using AEA_128_CBC, with HMAC-SHA1 for message authetnication and ECDHE_RSA as the key exchange mechanism.
If I lookup the same thing on my desktop (which doesn't hit a Policy that uses DPI) I don't get the obsolete cipher error. I did connect to the CLI and ran the: "set strong-crypto enable" , but I still get the error. Do I need to configure the Fortigate more?
Any help would be appreciated!
Thanks in advance!
B
Chrome is very rigid when it comes to certificates, and that is actually a good thing.
The solution is to not use the built-in certificates. They use old "easier" ciphers, for compliance reasons (I guess), and are there for test reasons only (imo). Since the Fortigate does a man-in-the-middle - That is: terminates the session from your laptop and open a new one to the webserver, bakes a new certificate for the site you are visiting and signs it with the Fortigate CA cert, you will not get a better cipher in the certificate then the Fortigate root one, no matter what settings you use. Hence the warning in Chrome.
If you have a PKI infrastructure running, use that. Import the CA certificate, and issue and import a sub-CA certificate to the Fortigate (NOT a plain SSL-certificate!). Or create your own CA and make sure all clients trust it. Anyway works. The important part to remember is that the certificate used for SLL-termination in the Fortigate need to have issuer rights (It needs to have the right to issue new certificates), wich makes the Fortigate a sub-CA/Issuer in the PKI infrastructure.
Richie
NSE7
If you dump your ssl hellos you will see that negotiated cipher between you and the fortigate was AEA_128_CBC, with HMAC-SHA1, chrome is just being ....."Chrome"
I bet you if you use a different browser of set Chrome to not Negotiated that cipher than you would be okay. I'm also betting in your FortiOS the FortiGate cert is a sha1 cert. I believe the certificate pubkeysize was change to 2048bits in 5.2.6 irrc ( some one correct me I'm too lazy to find the release notes ;)
So if you craft 2k bit CSR have it sign by a external CA or a internal CA and report that into the fortigate than you would be golden and reduce the obsolete ciphers from the client to include any RC4 ciphers ( sha or md5 )
i would start by looking at your client browser
https://www.ssllabs.com/ssltest/viewMyClient.htmll
And by running test ssl against the netfix site to learn more
PCNSE
NSE
StrongSwan
Like said emnoc, try upgrade to 5.2.8. Versions after 5.2.5 has new ciphers.
regards,
Paulo R.
emnoc
Regards, Paulo Raponi
Thanks for the info!
I'll probably go the route of upgrading and see if that fixes it. @emnoc, you are correct, when I tried other browsers they didn't complain.
User | Count |
---|---|
2551 | |
1356 | |
795 | |
646 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.