Hi All
I've enabled load balancing on my Fortigate (running 5.2.2 642) and setup virtual servers / real servers for HTTPS, with SSL offloading and a trusted public certificate.
The certificate I've imported works well for on a web server normally.
However, Firefox cannot connect to a website behind the load balanced virtual server with an error "The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."
My understanding is this is because of the ciphers being used.
Firefox tells me the site HTTPS session is using "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.1".
When this certificate is used with a direct connection to IIS, it uses "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 256 bit keys, TLS 1.2".
Am I on the right track with what the problem is here?I can't seem to find how to change teh cipher etc being used. Can anyone guide me in the right direction?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I doubt that's the issue ( ciphers )
What version on firefox?
If the SSL offload is removed & applied to the server directly, does the error continue?
Is this error only seen with firefox clients?
& are we 100% sure the certificated imported is correct ( server-crt + private-key )?
PCNSE
NSE
StrongSwan
If I set the Fortigate Web UI to use the same certificate that I've imported, connectivity to it works fine. Firefox shows the connection details as using TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.2.
My real server (10.101.1.2) on port 443 responds correctly on that IP/Port with the Certificate.
If I configure a straight TCP virtual server for port 443 to the same IP/PORT as a real server, I get the same error discussed before.
We're using Firefox v 37.0.2.
If we try to access the virtual server using internet explorer the following error is shown:
"Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://abc.abc.abc.abc again. If this error persists, contact your site administrator."
If Internet explorer shows an error too, then something is wrong with your setup.
post your VIP CLI config.
FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
maybe this will help you
Fortigate SSL Inspection - Load Balancer with ICMP http://www.paulscomputers...les/article.php?ID=300
FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
Can you post the URL that you are trying to access from Firefox?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1690 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.