Hi all,
I have a Fortigate 90D with Web filter and SSL Inspection enabled.
I can't reach https://www.giustizia.it: with Chrome I receive "ERR_CONNECTION_CLOSED", with Firefox instead "Cannot create secure connection".
If I turn off SSL Inspection I can navigate to the site; I have tried to add an exception in web filter's rules (wildcard, simple, exempt, allow...) but with no luck.
How can I solve this issue?
Thanks in advance
Jack_T wrote: Hi, I don't have exempts under the SSL inspection options, maybe I have an old version of FortiOS? Thanks! :)
Exactly, this is available since FortiOS 5.2.
If you don't want problems just follow the Upgrade Path available in the release notes (available at the version folder in support.fortinet.com). In that case you won't lose any configuration.
Regards.
I highly doubt HSTS is the issue. What you could do is run a non-browser HTTP tool like curl or ab and see what happens.
As far as a browser caching a "site" certificate, I never heard of that and that would break every concept of the PKI. Think about it, the client still sends a hello, the server still sends the certificate which has all of the goodies (serial#, crypto details, public key, issuer, etc....)
Now back to the earlier point, what does your off-browser diagnostic show (curl, gnutls, openssl, ...)? What's in the cert chain, are the certificates trusted?
I like using gnutls-cli since it displays all certificates in the path and provides the final trust outcome.
e.g.
macintosh:~ kfelix$ gnutls-cli www.wwt.com
Processed 214 CA certificate(s).
Resolving 'www.wwt.com'...
Connecting to '198.200.139.195:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `C=US,ST=Missouri,L=Maryland Heights,O=World Wide Technology Holding Co.\, Inc.,OU=IT Operations,CN=*.wwt.com', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-02-10 00:00:00 UTC', expires `2017-05-11 23:59:59 UTC', SHA-1 fingerprint `c76d3b32cc494bef2f4950740ff94fb6e17e8fe9'
Public Key ID:
a8931554e42f5be923b093c0695a79f03e3e863e
Public key's random art:
+--[ RSA 2048]----+
| .oo |
| . . |
| . . . |
| . = o . . |
| B * S + |
| + B + = |
| . +.* o o |
| Eooo . . |
| ..o.. |
+-----------------+
- Certificate[1] info:
- subject `C=US,O=GeoTrust Inc.,CN=GeoTrust SSL CA - G3', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2013-11-05 21:36:50 UTC', expires `2022-05-20 21:36:50 UTC', SHA-1 fingerprint `5aeaee3f7f2a9449cebafeec68fdd184f20124a7'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 92:C8:94:E2:E6:0D:09:C6:7B:90:00:24:4F:55:B0:4D:4A:B9:94:C1:60:DA:70:E6:98:2C:D0:AC:1E:E5:00:5F
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP256R1
- Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed
- Simple Client Mode:
vs. an error:
- Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
This will eliminate any funky thing with a browser and its trust or policy, cache, etc.......
Use something like gnutls and follow the evidence. If you want to eliminate the FGT, set a fwpolicy before, to the site(s) in question, ahead of any SSL intercept fwpolicy.
Don't make assumptions, don't assume, and follow the evidence.
;)
ken
PCNSE
NSE
StrongSwan
Don't know about Windows but do some Google searching. On curl and SSL inspection, run curl in verbose mode and see what certs are shown.
e.g.
Macintosh:~ kfelix$ curl -v -k https://www.giustizia.it:443
* Rebuilt URL to: https://www.giustizia.it:443/
* Trying 193.109.206.10...
* Connected to www.giustizia.it (193.109.206.10) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: *.giustizia.it
* Server certificate: GeoTrust SSL CA - G3
* Server certificate: GeoTrust Global CA
> GET / HTTP/1.1
> Host: www.giustizia.it
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Sun, 18 Sep 2016 03:40:42 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Keep-Alive: timeout=20
< Location: https://www.giustizia.it/giustizia
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=31536000; includeSubDomains
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host www.giustizia.it left intact
GnuTLS provides more details and the certificates in the chain. If you're inspecting (MITM), the ssl-proxy cert should be present and trusted.
PCNSE
NSE
StrongSwan
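A small check in the spirit of emnoc's "follow the evidence" advice, added here as an example (not code from any post or from Fortinet's tools): it classifies a presented certificate chain as origin-issued or resigned by the inspection CA, and a live probe that reports the abrupt close seen in the curl/gnutls output. The chain dicts are constructed in ssl.getpeercert() shape from the chain curl showed, and the proxy CA name is a placeholder assumption.

```python
import socket
import ssl
from fnmatch import fnmatch
# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns:
# the chain curl showed for www.giustizia.it (leaf signed by GeoTrust SSL CA - G3).
DIRECT_CHAIN = [
    {"subject": ((("commonName", "*.giustizia.it"),),),
     "issuer": ((("organizationName", "GeoTrust Inc."),
                 ("commonName", "GeoTrust SSL CA - G3")),)},
]
# Constructed sample of the same leaf resigned by an inspection CA. The CA name
# is a placeholder (assumption): substitute the CN of your own ssl-proxy CA.
PROXY_CA_CN = "Example Inspection CA"
INTERCEPTED_CHAIN = [
    {"subject": ((("commonName", "*.giustizia.it"),),),
     "issuer": ((("commonName", PROXY_CA_CN),),)},
]

def _rdn(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def hostname_matches(cert, host):
    """Match host against the CN and any DNS SANs; '*' matching is simplified
    (fnmatch lets '*.' span several labels, which RFC 6125 does not)."""
    names = [_rdn(cert["subject"], "commonName")]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(bool(n) and fnmatch(host.lower(), n.lower()) for n in names)

def classify_chain(chain, host, proxy_ca_cn):
    """Report whether the leaf was issued by the inspection CA or the origin's CA."""
    issuer_cn = _rdn(chain[0]["issuer"], "commonName")
    return {"name_ok": hostname_matches(chain[0], host),
            "issuer": issuer_cn,
            "intercepted": issuer_cn == proxy_ca_cn}

def probe(host, port=443, timeout=5):
    """Live check via the system trust store; a mid-handshake close lands in except."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "cert": tls.getpeercert()}
    except OSError as exc:  # ssl.SSLError and ConnectionError are both OSError
        return {"ok": False, "error": str(exc)}
```

Run probe() from a client behind the FortiGate and from one that bypasses it: if only the bypassed one returns ok, the inspection policy itself is closing the session.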
Hello,
Turn on scan all ports for deep inspection, not only 443 (and for certificate inspection too, if you use it).
That works for me.
Ok, now the output is this:
D:\curl>curl.exe -v -k https://www.giustizia.it
* Rebuilt URL to: https://www.giustizia.it/
* Adding handle: conn: 0xc343d0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0xc343d0) send_pipe: 1, recv_pipe: 0
* About to connect() to www.giustizia.it port 443 (#0)
* Trying 193.109.206.10...
* Connected to www.giustizia.it (193.109.206.10) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to www.giustizia.it:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to www.giustizia.it:443
I remembered that we have a Mac, so tomorrow I'll give you the output of gnutls. Thanks for now!
Hi emnoc,
I found gnutls for windows, I ran it and this is the output:
Resolving 'www.giustizia.it'...
Connecting to '193.109.206.10:443'...
*** Fatal error: The TLS connection was non-properly terminated.
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated.
Okay
CLI cmd diag debug flow (are you matching a policy with SSL inspection?). If yes, then set a new policy with an FQDN for the website before the ssl-inspection one and retest.
Does your connection pass? If yes, then inspect your ssl-inspection setup and what you're doing with regards to ssl-inspection.
Ensure the client has the correct certificate in a trust store.
PCNSE
NSE
StrongSwan
Thumbs up
emnoc wrote: This is an SSL issue and a web filter rule is not going to make a difference
"Cannot create secure connection"
Q: Do you have the certificate from the ssl-proxy accepted in the client?
Q: Does an MSIE or Safari browser exhibit the same issue?
Q: What FortiOS version?
You can't just enable SSL inspection without understanding what's happening.
Hi, with IE I have the same issue. I have installed the Fortinet CA proxy cert in Windows through Group Policy and I have problems only with giustizia.it.
FortiOS version is 5.0, build 4459.
Thanks!
I have the same problem with other websites,
pmi.org, for example.
With Skype too, GoToMeeting, WebEx....
regards
There will always be issues with DEEP inspection. MITM expects you to have the cert.
We tried to implement this many times. Each time we had to fall back.
Nowadays software uses its own certificate, pinned exactly to the software, and doesn't rely on the PC's local certificates.
What does it mean for full deep inspection? You have to exclude this traffic from inspection. That is exactly what Fortinet does: they add "skype" to the exceptions.
But what is wrong with that? When new servers arrive (Skype servers, for example), you need to add them to the exceptions manually or wait for Fortinet to add them to one of the categories that is an exception in your deep inspection rules.