Support Forum
netwrkr
New Contributor

SSL/TLS Full Inspection - OCSP checking

I've tried to deal with tech support a few times but.....we don't seem to be on the same page.

Setup:

Fortiguard performing full SSL/TLS inspection of web traffic.

Does any sort of OCSP checking happen? If not, how come?

Thanks.

Tom

emnoc
Esteemed Contributor III

What exactly is your setup & reasoning for this question?

Would that not be a requirement of the browser to initiate the cert validation or revocation method? I mean a browser could perform this via OCSP or CRL, but not both at the same time (generally speaking), but that would all pertain only if the server has an embedded OCSP response in the certificate to begin with (can't conduct an OCSP validation if none exists).

In fact all modern browsers execute some means of OCSP validation, but not all CAs respond to OCSP (e.g. your in-house CA chain might never use OCSP for these domain certs).

So to answer your question, I believe a FortiGate does NOT change the cert validation method presented by the client during SSL inspection but mainly passes any certificate revocation means that's present from the browser. You can inspect the site certificate by exporting it via the web browser's lock icon and certificate details fields and validate if an OCSP responder is listed along with the CRL distribution points.

PCNSE

NSE

StrongSwan
netwrkr
New Contributor

Hi -

Thanks for the response. Your understanding of how OCSP works is correct in non-full SSL/TLS inspection mode, in that the web browser is responsible for the OCSP query. In the case of full SSL/TLS inspection (i.e. man in the middle) the FortiGate is actually the client responsible for doing all the security checks that are normally performed by the web browser, e.g.:

Is the presented server certificate valid and trusted?

  - issued by a trusted CA;

  - has the certificate been revoked? CRL / OCSP checking

Does the web server use sufficient cipher/encryption strength?

  - this is something the FG does not currently check, nor allow configuration of minimum values

Tom

emnoc
Esteemed Contributor III

How are you determining that?

I would be surprised if the FortiGate is not conducting CRL or OCSP checks (but then again, I've been surprised by FTNT lately ;) )

I'm just curious, if the client that originates the SSL session disables the OCSP query, will the FortiGate act on its behalf and query regardless? (see screenshot of a Firefox browser advanced settings)

I think maybe some type of diag debug app (which one I don't know... maybe someone will chime in) could shed light at the end of the tunnel. Or a packet capture from the FortiGate and running it through wireshark/tshark, maybe looking for responses.

e.g.

tshark -r 443.pcap -n -2 -R '(ocsp)' -T fields -e ocsp

tshark -i en5 -n -f 'port 443' -T fields -e ocsp

(just guessing here)

Let us know how far you go with this and what you find.

Ken

PCNSE

NSE

StrongSwan
netwrkr
New Contributor

Hello:

I ran tcpdump on the Internet-facing interface of the switch; it sees all inbound and outbound Internet traffic. No OCSP requests whatsoever.

Fortinet ticket number: 1481242

My SE says "This appears to be a bug. But they are still researching the issue."

Tom

 

netwrkr
New Contributor

From Fortinet support:

"Currently, FGT does not support this feature. There is no option to check certificate validity against an OCSP server when using DPI(deep packet inspection)."

I've asked for this to be a feature request.

Tom

emnoc
Esteemed Contributor III

So this brings me back to the web-browser support (OCSP/CRL) and cert validation: does the FortiGate pass this request through transparently? (my experience == different browsers support certification to various degrees, IE vs Firefox vs Chrome vs Safari, etc....). So I guess the answer is No based on what support said.

I find it strange and a big disappointment to see that even with SSL certificate inspection (not full) the FortiGate doesn't really validate the certificate revocation lookup. It would be nice to at least try a query and have an option to allow or not allow if the query does complete.

So any revoked cert could be pandered off and an unaware browser establishes an SSL/TLS connection to the site. Or am I missing something?

This is like having a strong door lock and everybody has a copy of the key ;)

Ken

PCNSE

NSE

StrongSwan
netwrkr
New Contributor

emnoc -

I agree. I have multiple issues with the way the FG presents these options. For example (and this is directly from support):

1) If "ssl-ca-list" option is not enabled in SSL Inspection profile, only certificate expiration date is checked.

- so, by default, any certificate, privately issued or CA issued, with a valid expiration date will be blindly accepted. So, what exactly is this check doing to improve security????

I hate to say it, but the Palo Alto kicks butt in this area. Granted, it's ridiculously expensive as compared to the FG, but.....I think the FG presents a false sense of security.

emnoc
Esteemed Contributor III

- so, by default, any certificate, privately issued or CA issued, with a valid expiration date will be blindly accepted. So, what exactly is this check doing to improve security????

and this;

I hate to say it, but the Palo Alto kicks butt in this area. Granted, it's ridiculously expensive as compared to the FG, but.....I think the FG presents a false sense of security.

All browsers check the cert expiration date AFAIK ;) So the added security (FTNT FGT) is questionable??????????

This reminds me of my parents going out and buying a 120 USD door lock but placing the key under the flower planter outside the door.

PCNSE

NSE

StrongSwan
netwrkr
New Contributor

emnoc - totally agree. Would you please open a support ticket / feature request or contact your local SE? I would like to have everyone pushing to add these features as soon as possible.

Thanks,
