fortimaster
Contributor II

Problem with deep inspection on some SSL checker portals

Hi all,

 

I have observed that, when I enable deep inspection in proxy mode to protect my web servers, the SSL check on SSL-checker pages does not pass. Obviously, I use the same certificate in both cases. In browsers, I see the certificates perfectly.

On the other hand, I have some problems with DS in proxy mode, but I prefer to use it because it provides stronger security than flow mode.

 

Why, when I enable deep inspection in proxy mode, does the SSL check not pass in any website checker? I attach some examples. With the same certificate in flow mode it works fine in all cases.

 

I'm using FortiOS 7.2.7

[attachments: ds1.JPG, ds2.JPG]

 

Thanks

johnathan
Staff

Are you able to see why it is not trusted? The screenshots don't give much info. 
https://www.ssllabs.com/ssltest/ should give you much more info, it's the one I use.

"Never trust a computer you can't throw out a window."
fortimaster

Hi Johnathan, for example:

"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider."

 

And as I said, the certificate uploaded to the deep inspection profile has the entire chain and does not have this problem in flow mode. The same SSL checker doesn't find errors. It is therefore a problem with the DS mode and not with the certificate.


ebilcari

To not rely on a public website, you can also use openssl from a Linux box, with the following command:

openssl s_client -showcerts -connect yourdomain.com:443

It will print out the full chain and the content of the certificates, so you can use the output to verify whether there is a difference when the mode is changed from proxy to flow mode.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
fortimaster

I will try it and let you know the results.

Thanks!!!

fortimaster

The inspection mode modifies the uploaded certificate:

- In flow mode we can see the whole chain (depth 0, 1, 2)

- In proxy mode we cannot see the whole chain (depth 0) and that causes some errors.

 

It seems like a bug; I haven't read about differences between proxy and flow mode when the firewall serves the certificate. In my opinion this is not correct.

 

I attach both results; the first one is flow mode:

 

[attachment: flow.JPG]

 

Now proxy mode (we can see an error and only one cert):

[attachment: proxy.JPG]
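To make the comparison Emirjon suggests repeatable, and to turn the "depth 0 only" observation above into an automatic check, here is an added example script (not from this thread and not a Fortinet tool) that parses the output of `openssl s_client -showcerts -connect host:443 -servername host` and reports whether the server sent a complete chain. The two sample outputs, the certificate names and the trusted-root set are constructed stand-ins for the flow-mode and proxy-mode captures; in practice you would feed it the real command output from each mode.

```python
"""Check whether a TLS server sent a complete certificate chain, by
parsing `openssl s_client -showcerts` output. Added example: the sample
outputs, certificate names and trust store below are constructed."""
import re

# Constructed sample: server sends leaf + intermediate (depth 0, 1, 2 verified).
FLOW_MODE_OUTPUT = """\
depth=2 C = XX, O = Example Trust, CN = Example Root CA
verify return:1
depth=1 C = XX, O = Example Trust, CN = Example Intermediate CA
verify return:1
depth=0 CN = www.example.test
verify return:1
---
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example Trust, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...leaf-placeholder...
-----END CERTIFICATE-----
 1 s:C = XX, O = Example Trust, CN = Example Intermediate CA
   i:C = XX, O = Example Trust, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...intermediate-placeholder...
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
"""

# Constructed sample: server sends only the leaf (depth 0); a client that
# has not cached the intermediate cannot build a path to a trusted root.
PROXY_MODE_OUTPUT = """\
depth=0 CN = www.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example Trust, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...leaf-placeholder...
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed trust store: subjects of the root CAs the client trusts.
TRUSTED_ROOTS = {"C = XX, O = Example Trust, CN = Example Root CA"}

# One chain entry as s_client prints it: " N s:<subject>" then "   i:<issuer>".
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_CODE = re.compile(r"^Verify return code: (\d+)", re.MULTILINE)


def parse_chain(output):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in CHAIN_ENTRY.findall(output)]


def verify_code(output):
    """Return the numeric 'Verify return code' (0 means ok), or None if absent."""
    m = VERIFY_CODE.search(output)
    return int(m.group(1)) if m else None


def check_chain(output, trusted_roots=TRUSTED_ROOTS):
    """Each sent certificate must be issued by the next one, and the last
    one must be self-signed or issued by a trusted root. Returns (ok, reason)."""
    chain = parse_chain(output)
    if not chain:
        return False, "no certificates found in output"
    for (_, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False, f"chain break: {issuer!r} is not the next subject {next_subject!r}"
    _, last_subject, last_issuer = chain[-1]
    if last_issuer in trusted_roots or last_issuer == last_subject:
        return True, f"complete chain, {len(chain)} certificate(s) sent"
    return False, f"incomplete chain: server did not send intermediate {last_issuer!r}"


if __name__ == "__main__":
    for name, out in (("flow mode", FLOW_MODE_OUTPUT), ("proxy mode", PROXY_MODE_OUTPUT)):
        ok, reason = check_chain(out)
        print(f"{name}: {len(parse_chain(out))} cert(s), verify code {verify_code(out)}: {reason}")
```

Run it against saved output from each inspection mode; a result of "incomplete chain" for proxy mode while flow mode reports a complete chain confirms that the firewall, not the certificate, is dropping the intermediates. Note that some online checkers and browsers quietly fetch a missing intermediate (AIA fetching) or have it cached, which is why a page can look fine in a browser while a strict checker fails.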

ezhupa

Hello fortimaster, 

 

Are you using some sort of VIP or Virtual Server to reach your web servers?
If that is the case, can you share the VIP or Virtual Server config?
Also, 7.2.8 was released today and there are some interesting bug fixes regarding VIP/Virtual Servers, so it would not be a bad idea to upgrade and test.


fortimaster

Hi ezhupa,

Yes, there are web servers and I use a VIP to reach them.

[attachment: vip.JPG]
