Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
netwrkr
New Contributor

SSL/TLS Full Inspection - OCSP checking

I've tried to deal with tech support a few times but.....we don't seem to be on the same page.

 

Setup:

 

Fortiguard peforming full SSL/TLS inspection of web traffic traffic.

 

Does any sort of OCSP checking happen?  If not, how come? 

 

Thanks.

Tom

15 REPLIES 15
netwrkr
New Contributor

Hello Tom, I am not aware of any project that is handling OCSP implementation(with DPI) in future release. Please contact your SE for New Feature Request. Thanks and Regards, Fortinet TAC Engineer, Americas

emnoc
Esteemed Contributor III

This is no surprised, check  https://www.grc.com/revocation/implementations.htm and the convergence extension YMMV. But this problem is seen across the board and in  numerous  OS/device where CRLs revoke is not checked.

 

Ken

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Prab
New Contributor

Just for the reference, in 5.6.4 version following checks are performed:

 

 

 

 

emnoc
Esteemed Contributor III

Revoked listed are unreliable imho and most are  using OCSP or providing the details in the certificate for the CRL

 

Also keep in mind most  CA revocation list could be 8-24hours  stale and not updated. I would not trust CRL, OCSP is more better in the long run.

 

YMMV

 

http://socpuppet.blogspot.com/2017/06/ocsp-tool-to-check-certficates.html

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Prab
New Contributor

emnoc wrote:

Revoked listed are unreliable imho and most are  using OCSP or providing the details in the certificate for the CRL

 

Also keep in mind most  CA revocation list could be 8-24hours  stale and not updated. I would not trust CRL, OCSP is more better in the long run.

 

YMMV

 

http://socpuppet.blogspot.com/2017/06/ocsp-tool-to-check-certficates.html

 

 

Yes, OSCP is indeed a better choice as it is scalable.

However the reliability, could still be tricky, if the OCSP Server is using plain text protocol and the client could not validate the OCSP server's identity!

Also, in case of OCSP the client will establish an extra network connection (3-way TCP handshake etc.) outbound, this also could be an issue if there is a network congestion or if the OCSP server is offline etc.

 

FGT can be configured to use OCSP instead of CRL.

 

The CRL update interval could be configured or changed in the CLI.

[style="background-color: #ffffff;"][size="3"]#config vpn certificate crl[/size][/style]

 

Thanks & regards,

Prab

 

 

 

darwin_FTNT

Just saw OCSP support commit has been merged after IPS engine 3.0535.  It should be available in v3.0536 (not created yet).

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors