I've tried to deal with tech support a few times but.....we don't seem to be on the same page.
Setup:
Fortiguard peforming full SSL/TLS inspection of web traffic traffic.
Does any sort of OCSP checking happen? If not, how come?
Thanks.
Tom
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Tom, I am not aware of any project that is handling OCSP implementation(with DPI) in future release. Please contact your SE for New Feature Request. Thanks and Regards, Fortinet TAC Engineer, Americas
This is no surprised, check https://www.grc.com/revocation/implementations.htm and the convergence extension YMMV. But this problem is seen across the board and in numerous OS/device where CRLs revoke is not checked.
Ken
PCNSE
NSE
StrongSwan
Revoked listed are unreliable imho and most are using OCSP or providing the details in the certificate for the CRL
Also keep in mind most CA revocation list could be 8-24hours stale and not updated. I would not trust CRL, OCSP is more better in the long run.
YMMV
http://socpuppet.blogspot.com/2017/06/ocsp-tool-to-check-certficates.html
PCNSE
NSE
StrongSwan
emnoc wrote:Revoked listed are unreliable imho and most are using OCSP or providing the details in the certificate for the CRL
Also keep in mind most CA revocation list could be 8-24hours stale and not updated. I would not trust CRL, OCSP is more better in the long run.
YMMV
http://socpuppet.blogspot.com/2017/06/ocsp-tool-to-check-certficates.html
Yes, OSCP is indeed a better choice as it is scalable.
However the reliability, could still be tricky, if the OCSP Server is using plain text protocol and the client could not validate the OCSP server's identity!
Also, in case of OCSP the client will establish an extra network connection (3-way TCP handshake etc.) outbound, this also could be an issue if there is a network congestion or if the OCSP server is offline etc.
FGT can be configured to use OCSP instead of CRL.
The CRL update interval could be configured or changed in the CLI.
[style="background-color: #ffffff;"][size="3"]#config vpn certificate crl[/size][/style]
Thanks & regards,
Prab
Just saw OCSP support commit has been merged after IPS engine 3.0535. It should be available in v3.0536 (not created yet).
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.