SSL/SSH Inspection - Allow Invalid SSL Certificate Option
Hey guys, probably a dumb question: When configuring an SSL/SSH Inspection profile, what exactly does the setting 'Allow Invalid SSL Certificate' do?
I've made some test profiles both with and without this setting checked, and it's not blocking sites which have 'untrusted' certificates (using https://badssl.com as tests). I'm wondering if it's supposed to be blocking like 'corrupted' certificates?
Can anyone shed some light?
"When certificate inspection is used, the FortiGate only inspects the header information of the packets.
Certificate inspection is used to verify the identity of web servers and can be used to make sure that HTTPS protocol isn’t used as a workaround to access sites you have blocked using web filtering."
Source: http://cookbook.fortinet.com/why-you-should-use-ssl-inspection/
I understand that it is for when an SSL certificate is invalid (host doesn't match, etc.) and whether it should be allowed or not.
By the way, in your test profiles, what action do you have?
Cheers!
My own testing has shown that revoked certs, small key sizes, and invalid certs are always passed through. I don't believe that the FortiGate will block merely on invalid certificate checks.
PCNSE
NSE
StrongSwan
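Neither reply spells out which properties a certificate-inspection check actually tests, so here is an added Go example (not from this thread, Fortinet, or badssl.com) that builds its own throwaway CA and leaf certificates and runs the checks the badssl.com test sites exercise: untrusted issuer, hostname mismatch, expired, and weak RSA key. The host names, dates and the 2048-bit minimum are assumed values for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes an RSA key of the given size and a certificate for dnsName signed by
// parent; a nil parent yields a self-signed CA. Constructed test material only.
func issue(parent *x509.Certificate, parentKey *rsa.PrivateKey, dnsName string, bits int, notBefore, notAfter time.Time) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, bits) // key size is one property under test
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: parent == nil,
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// InspectLeaf runs the checks the badssl-style tests in the thread exercise: trusted chain,
// hostname match, validity window and RSA key size. Empty result = pass. No revocation check.
func InspectLeaf(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time, minBits int) []string {
	var findings []string
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	switch err.(type) { // Verify reports only the first failure it hits
	case nil: // chain, hostname and validity window all check out
	case x509.HostnameError:
		findings = append(findings, "hostname mismatch")
	case x509.UnknownAuthorityError:
		findings = append(findings, "untrusted issuer")
	default: // CertificateInvalidError (expired, not yet valid, bad usage) or anything else
		findings = append(findings, "invalid certificate: "+err.Error())
	}
	if pub, ok := leaf.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minBits {
		findings = append(findings, "weak RSA key") // Verify itself does not police key size
	}
	return findings
}
```

Revocation is left out on purpose: it needs CRL or OCSP data, which is exactly why a box that only parses the certificate header cannot catch the revoked-cert case mentioned above.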
