Hmarosevic
New Contributor

Forti Client SSL problem (dpkg: 7.2.3.0790, 7.4.0.1636; apt: latest)

Hello,

I have a problem establishing an SSL VPN connection, and I had the same error in var/log/forticlient/sslvpn.log for a few versions of FortiClient (latest, this one, i.e. 7.2.3.0790, and some other 7.4.x versions):

[sslvpn:DEBG] vpn_connection:307 SSL error: error:0308010C:digital envelope routines::unsupported

[sslvpn:EROR] vpn_connection:463 Failed parse PKCS#12 file
[sslvpn:EROR] vpn_connection:1528 Failed create SSL

 

I found this article https://community.fortinet.com/t5/FortiAnalyzer/Technical-Tip-How-to-verify-the-ciphers-used-in-a-PK... but I cannot apply the suggested workaround, since I cannot import the public and private parts of the p12 separately in FortiClient VPN (the article explains a similar problem for FortiAnalyzer).

I would isolate these errors as the most important, but I would like to mention another one that also appears:

ns:203 Failed to open /etc/nm_resolv.forticlient.backup

I tried installation from the repo and also with dpkg.

The last one is using forticlient_7.2.3.0790_amd64.deb

The OpenSSL version is OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

and the OS version is Ubuntu "22.04.1 LTS (Jammy Jellyfish)".

My p12 file has the same password for keystore and keypair (pwd policy is 22 alphanumeric characters), although I am not sure that this affects this scenario in any way.

I would kindly ask for some support with this issue if possible.

P.S. I am interested in the free version of FortiClient, so if you see that this is not what I need, please recommend the correct version.

Thank you in advance!

Hristina

AEK
SuperUser

Hello Hristina

If I understand well, the tech tip you shared shows how to extract the private key and cert and at the same time convert the cipher function to a non-deprecated one.

If FortiClient doesn't accept them separated, then you should be able to re-merge them as they are, I mean with a supported cipher function, then use it in FCT.

The merge command should be something approximately like this:

openssl pkcs12 -export -out new.pfx -inkey priv.key -in cert.cer

Hope I'm not wrong.

AEK
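
The check and re-merge discussed in this thread, written out as an added example (it is not part of either post and not a Fortinet procedure). It assumes the `unsupported` error comes from an RC2- or RC4-protected bag in the .p12 and that OpenSSL 3.x is installed; the file names and the `P12_PASS` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: old.p12/new.p12 arguments
# and the P12_PASS environment variable holding the PKCS#12 password.

# Reduce `openssl pkcs12 -info` output (stdin) to the bags protected with RC2
# or RC4, ciphers that OpenSSL 3 only provides through its legacy provider.
legacy_bags() {
    grep -E '^(PKCS7 Encrypted data|Shrouded Keybag): .*RC[24]' || true
}

# Constructed sample of `-info` output: RC2 cert bag, 3DES key bag.
SAMPLE_INFO='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# rewrap_p12 OLD NEW: re-encrypt OLD into NEW with the OpenSSL 3 defaults.
# The password comes from P12_PASS so it never shows up in the process list.
# The body runs in a subshell, so umask and variables do not leak out.
rewrap_p12() (
    old=$1; new=$2
    [ -n "${P12_PASS:-}" ] || { echo "export P12_PASS first" >&2; exit 2; }
    # 2>&1 because openssl prints the -info lines on stderr.
    found=$(openssl pkcs12 -legacy -info -noout -in "$old" \
                -passin env:P12_PASS 2>&1 | legacy_bags)
    [ -n "$found" ] || { echo "no RC2/RC4 bags in $old" >&2; exit 1; }
    echo "$found" >&2
    umask 077                      # the decrypted key below must stay private
    tmp=$(mktemp) || exit 2
    # Decrypt with the legacy provider, then export with the default ciphers.
    if openssl pkcs12 -legacy -in "$old" -passin env:P12_PASS -noenc -out "$tmp" &&
       openssl pkcs12 -export -in "$tmp" -out "$new" -passout env:P12_PASS
    then rc=0; else rc=1; fi
    rm -f "$tmp"                   # never leave the plaintext key behind
    exit "$rc"
)

# Run only when called as: script.sh old.p12 new.p12
if [ "$#" -eq 2 ]; then
    rewrap_p12 "$1" "$2"
fi
```

The new file keeps the same password; the thread does not confirm whether FortiClient accepts the re-exported file.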