I've tried to deal with tech support a few times but.....we don't seem to be on the same page.
Setup:
Fortiguard performing full SSL/TLS inspection of web traffic.
Does any sort of OCSP checking happen? If not, how come?
Thanks.
Tom
What exactly is your setup & reasoning for this question?
Would that not be required of the browser, to initiate the cert validation or revocation method? I mean a browser could perform this via OCSP or CRL, but not both at the same time (generally speaking), but that would all pertain if the server has an embedded OCSP response in the certificate to begin with (can't conduct an OCSP validation if none exists).
In fact all modern browsers execute some means of OCSP validation, but not all CAs respond to OCSP (e.g. your in-house CA chain might never use OCSP for these Domain Certs).
So to answer your question, I believe a fortigate does NOT change the cert validation method presented by the client during SSL inspection but mainly passes any certificate revocation means that's present from the browser. You can inspect the site certificate by exporting it via the web browser's lock icon and certificate details fields and validate if an OCSP is listed and the CRL distro points.
PCNSE
NSE
StrongSwan
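emnoc's suggestion to look inside the site certificate for an OCSP responder and CRL distribution points can be automated. The following is an added example, not code from this thread or from Fortinet: a small Python walker over the certificate's DER that returns the OCSP responder URI(s) from the authorityInfoAccess extension (id-ad-ocsp only, caIssuers entries are skipped) and every URI in cRLDistributionPoints. The certificate it parses by default is a constructed, unsigned placeholder with hypothetical example.test URLs; in practice you would pass load_certificate() the PEM exported from the browser.

```python
"""Pull OCSP responder and CRL distribution point URIs out of an X.509
certificate with a minimal DER walker (Python standard library only)."""
import base64
import re

OID_AIA = "1.3.6.1.5.5.7.1.1"           # authorityInfoAccess (RFC 5280 4.2.2.1)
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"      # id-ad-ocsp access method
OID_AD_CAISSUERS = "1.3.6.1.5.5.7.48.2" # id-ad-caIssuers (not a revocation endpoint)
OID_CRL_DP = "2.5.29.31"                # cRLDistributionPoints (RFC 5280 4.2.1.13)
TAG_URI = 0x86  # GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String

def tlv(tag, content):
    """DER-encode one tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:            # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first >= 0x80:                     # long-form length
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    return tag, pos, pos + length

def children(buf, start, end):
    """Iterate the TLVs packed between start and end."""
    while start < end:
        tag, cs, ce = read_tlv(buf, start)
        yield tag, cs, ce
        start = ce

def uris_under(buf, start, end):
    """Every uniformResourceIdentifier GeneralName nested below this node."""
    found = []
    for tag, cs, ce in children(buf, start, end):
        if tag == TAG_URI:
            found.append(buf[cs:ce].decode("ascii"))
        elif tag & 0x20:                  # constructed: recurse
            found.extend(uris_under(buf, cs, ce))
    return found

def ocsp_uris(buf, start, end):
    """AuthorityInfoAccessSyntax content: keep only id-ad-ocsp AccessDescriptions."""
    found = []
    for _, cs, ce in children(buf, start, end):
        (t0, s0, e0), (t1, s1, e1) = list(children(buf, cs, ce))[:2]
        if t0 == 0x06 and t1 == TAG_URI and decode_oid(buf[s0:e0]) == OID_AD_OCSP:
            found.append(buf[s1:e1].decode("ascii"))
    return found

def revocation_endpoints(cert_der):
    """Walk the whole certificate; return {'ocsp': [...], 'crl': [...]}."""
    result = {"ocsp": [], "crl": []}
    def walk(start, end):
        for tag, cs, ce in children(cert_der, start, end):
            if tag == 0x30:
                items = list(children(cert_der, cs, ce))
                # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
                if len(items) >= 2 and items[0][0] == 0x06 and items[-1][0] == 0x04:
                    oid = decode_oid(cert_der[items[0][1]:items[0][2]])
                    _, vs, ve = read_tlv(cert_der, items[-1][1])  # SEQUENCE inside the OCTET STRING
                    if oid == OID_AIA:
                        result["ocsp"] += ocsp_uris(cert_der, vs, ve); continue
                    if oid == OID_CRL_DP:
                        result["crl"] += uris_under(cert_der, vs, ve); continue
            if tag & 0x20:
                walk(cs, ce)
    _, s, e = read_tlv(cert_der, 0)
    walk(s, e)
    return result

def load_certificate(data):
    """Accept PEM (str or bytes) or raw DER and return DER bytes."""
    data = data.encode() if isinstance(data, str) else data
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

def build_sample_cert(with_revocation_info=True):
    """Constructed, unsigned certificate-shaped DER with hypothetical example.test URLs (offline demo only)."""
    sig_alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11"))  # sha256WithRSAEncryption
    exts = b""
    if with_revocation_info:
        aia = tlv(0x30, tlv(0x30, encode_oid(OID_AD_OCSP) + tlv(TAG_URI, b"http://ocsp.example.test"))
                  + tlv(0x30, encode_oid(OID_AD_CAISSUERS) + tlv(TAG_URI, b"http://ca.example.test/issuer.cer")))
        # DistributionPoint { distributionPoint [0] { fullName [0] GeneralNames { uri } } }
        crldp = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(TAG_URI, b"http://crl.example.test/ca.crl")))))
        exts = tlv(0x30, encode_oid(OID_AIA) + tlv(0x04, aia)) + tlv(0x30, encode_oid(OID_CRL_DP) + tlv(0x04, crldp))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x10\x01") + sig_alg   # v3, serial 0x1001
              + tlv(0x30, b"") + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
              + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0xA3, tlv(0x30, exts)))          # empty issuer/subject/SPKI placeholders
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(revocation_endpoints(load_certificate(to_pem(build_sample_cert()))))
```

If the result for a real leaf certificate has an empty "ocsp" list, there is no OCSP responder for the inspecting device (or the browser) to query at all, so revocation can only come from the CRL list, if any; an empty "crl" list as well means the issuer published no revocation endpoint in the certificate.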
Hi -
Thanks for the response. Your understanding of how OCSP works is correct - in a non-FULL SSL/TLS inspection mode, in that the web browser is responsible for the OCSP query. In the case of full SSL/TLS inspection (i.e. man in the middle) the Fortigate is actually the client responsible for doing all the security checks that are normally performed by the web browser, e.g.:
is the presented server certificate valid and trusted?
- issued by a trusted CA;
- has the certificate been revoked? CRL / OCSP checking
Does the web server use sufficient cipher/encryption strength?
- this is something the FG does not currently check, nor allow configuration of minimum values
Tom
How are you determining that?
I would be surprised if the fortigate is not conducting CRL or OCSP checks (but then again, I've been surprised by FTNT lately ; ) )
I'm just curious: if the client that originates the SSL session disables the OCSP query, will the fortigate act on its behalf and query regardless? (see screenshot of a firefox browser adv settings)
I think maybe some type of diag debug app (what I don't know... maybe someone will chime in) could shed light at the end of the tunnel. Or a packet capture from the fortigate and running it thru wireshark/tshark, maybe, for responses.
e.g
tshark -r 443.pcap -n -2 -R '(ocsp)' -T fields -e ocsp
tshark -i en5 -n -f 'port 80 or port 443' -Y ocsp -T fields -e ocsp
( just guessing here )
Let us know how far you go with this and what you find.
Ken
PCNSE
NSE
StrongSwan
Hello:
I ran tcpdump on the Internet facing interface of the switch - it sees all inbound and outbound Internet traffic. No OCSP requests whatsoever.
Fortinet ticket number: 1481242
My SE says "This appears to be a bug. But they are still researching the issue."
Tom
From Fortinet support:
"Currently, FGT does not support this feature. There is no option to check certificate validity against an OCSP server when using DPI(deep packet inspection)."
I've asked for this to be a feature request.
Tom
So this brings me back to the web-browser support (OCSP/CRL) and cert validation: does the fortigate pass this request thru transparently? My experience == different browsers support certification to various degrees (IE vs Firefox vs Chrome vs Safari, etc....). So I guess the answer is No based on what support said.
I find it strange and a big disappointment to see that even with SSL certificate inspection (not full) the fortigate doesn't really validate the certificate via a revocation lookup. It would be nice to at least try a query and have an option to allow or not-allow if the query does complete.
So any revoked cert could be passed off and an unaware browser establishes a SSL/TLS connection to the site. Or am I missing something?
This is like having a strong door lock and everybody has a copy of the key ;)
Ken
PCNSE
NSE
StrongSwan
emnoc -
I agree. I have multiple issues with the way the FG presents these options. For example (and this is directly from support)
1) If "ssl-ca-list" option is not enabled in SSL Inspection profile, only certificate expiration date is checked.
- so, by default, any certificate - privately issued or CA issued, with a valid expiration date, will be blindly accepted. - So, what exactly is this check doing to improve security?
I hate to say it, but the Palo Alto kicks butt in this area. Granted it's ridiculously expensive as compared to the FG but..... I think the FG presents a false sense of security.
- so, by default, any certificate - privately issued or CA issued, with a valid expiration date, will be blindly accepted. - So, what exactly is this check doing to improve security?
and this;
I hate to say it, but the Palo Alto kicks butt in this area. Granted it's ridiculously expensive as compared to the FG but..... I think the FG presents a false sense of security.
All browsers check the cert expiration date AFAIK ;) So the added security (FTNT FGT) is questionable?
This reminds me of my parents going out and buying a 120 USD door lock but placing the key under the flower planter outside the door.
PCNSE
NSE
StrongSwan
emnoc - totally agree. Would you please open up a support ticket / feature request or contact your local SE? I would like to have everyone pushing to add these features as soon as possible.
Thanks,