Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
netwrkr
New Contributor

SSL/TLS Full Inspection - OCSP checking

I've tried to deal with tech support a few times but.....we don't seem to be on the same page.

 

Setup:

 

Fortiguard peforming full SSL/TLS inspection of web traffic traffic.

 

Does any sort of OCSP checking happen?  If not, how come? 

 

Thanks.

Tom

15 REPLIES 15
emnoc
Esteemed Contributor III

What exactly is your setup  & reasoning for this question ?

 

Would that not be a required of the browser to  initate  the the  cert validation or revocation  method? I mean a browser could perform this via OCSP or CRL, but not both at the same time ( in general speaking ) but that would all pertain if the sever has a embed  OCSP response in the certificate to begin with ( can't conduct a OCSP validation if none exist  ).

 

In fact all modern browsers execute some means of OCSP validation, but not all CAs respond to OCSP ( e.g your inhouse CA chain might never use OCSP  for these Domain Certs ).

 

So to answer your question, I believe a fortigate does NOT change the  cert validation method presented by the client during SSL inspection but mainly passes any certification revocation means that's present from the browser. You can inspect the site certificate by  exporting  the web-browers lock and  details certficate fields and validate if a OCSP  is listed and the CRL distro points.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
netwrkr
New Contributor

Hi -

 

Thanks for the response.  Your understanding of how OSCP works is correct - in a non FULL SSL/TLS inspection mode in that the web browser is responsible for the OSCP query.  In the case for full SSL/TLS inpsection (ie.  man in the middle) the Fortigate is actually the client responsible for doing all the security checks that is normally performed by the web browser ex. 

 

is the presented server certificate valid and trusted?

  - issued by a trusted CA; 

 - has the certificate been revoked?  crl / OSCP checking

 

Does the web server use sufficient cipher/encryption strength?

- this is something the FG does not currently check, nor allow configuration of minimum values

 

Tom

emnoc
Esteemed Contributor III

How are you determining that?

 

I would be surprised if  the fortigate is not  conducting CRL or OCSP checks ( but than again, I've been surprised by FTNT laterly ; ) )

 

I'm just curious,  if  the client  that originates the  SSL session but disable the OCSP query will the fortigate act on his be-half and query regardless? ( see screenshot of a firefox browser adv settings )

 

I think maybe some type of diag debug app ( what I don't know ...maybe someone will chime in ),  could shed light at the end of the tunnel. Or a packet capture from the fortigate and running it thru wireshark/tshark maybe for responses.

 

e.g

tshark -r 443.pcap -n -2 -R '(ocsp)' -T fields -e ocsp

tshark -i en5 -n  -f 'port 443'  -T fields -e ocsp

 

 

( just guessing  here )

 

Let us know how far you go with this and what you find.

 

Ken

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
netwrkr
New Contributor

Hello:

 

I ran tcpdump on the Internet facing interface of the switch - it sees all inbound and outbound Internet traffic.  No OSCP requests whatsoever.

 

Fortinet ticket number:  1481242

 

My SE says "This appears to be a bug.  But they are still researching the issue."

Tom

 

netwrkr
New Contributor

From Fortinet support:

 

"Currently, FGT does not support this feature. There is no option to check certificate validity against an OCSP server when using DPI(deep packet inspection)."

 

 

I've asked for this to be a feature request.

 

Tom

emnoc
Esteemed Contributor III

So this brings me back to the web-browser support ( OCSP/CRL ) and cert validation does the  fortigate pass this request thru transparentlt ", my experience == different browsers &  support certication to  various degree IE vrs Firefox vrs Chrome vrs Safari ,etc....). So I guess the answer is No based on what support said.

 

I find it strange and a big disappointment to see even with SSL certificate inspection ( not full ) that fortigate doesn't really validate the certificate  vocation lookup. It would be nice to at least try a query and have an option to allow or not-allow if the query does complete.

 

So any revoked cert could be pander off and a un-awared browser establishs a SSL/TLS connection to  the site. Or am I missing something?

 

This like  having a  strong door lock and everybody has a copy of the key ;)

 

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
netwrkr
New Contributor

emnoc -

 

I agree.  I have multiple issues with the way the FG presents these options.  For example (and this is directly from support)

 

1) If "ssl-ca-list" option is not enabled in SSL Inspection profile, only certificate expiration date is checked.

 

- so, by default, any certificate - privately issued or CA issued, with a valid expiration date, will be blindly accepted.  - So, what exactly is this check doing to improve security????

 

I hate to say it, but the Palo Alto kicks but in this area.  Granted its ridiculously expensive as compared to the FG but.....I think the FG presents a false sense of security.

 

emnoc
Esteemed Contributor III

- so, by default, any certificate - privately issued or CA issued, with a valid expiration date, will be blindly accepted.  - So, what exactly is this check doing to improve security????  

 

and this;

 

I hate to say it, but the Palo Alto kicks but in this area.  Granted its ridiculously expensive as compared to the FG but.....I think the FG presents a false sense of security.

 

All browser check the cert expiration date AFAIK ;)  So the added security ( FTNT FGT )  is will Questionable ??????????s

 

This remind of my parent going out buying a 120usd door lock dollar but placing the key under the flower planter outside of the door.

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
netwrkr
New Contributor

emnoc - totally agree.  Would you please open up a support ticket / feature request or contact your local SE?  I would like to have everyone pushing to add these features as soon as possible.

 

Thanks,.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors