I'm currently having issues connecting to a FortiGate 80E (v6.2.3) using SSL VPN.
I currently have 2 root certificates on the appliance.
CA1 - OLD root Certificate
CA2 - New Root Certificate
User1 - CA1(old cert)
Subject - CN=username (matches the user cert CN subject on the device)
User2 - CA2(new cert)
Subject - CN=username (matches the user cert CN subject on the device)
Error in connection.
I receive different errors when I connect: sometimes it's more the certificate error, but other times it's the TLS error.
This was originally working but now doesn't work at all. If I switch the cert for the user back to the old root CA and matching subject, then they can connect without issues.
ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-1
Doing some debugging on the appliance and trying to connect, I managed to trace where the errors start by comparing it to the working connection.
SSL state:SSLv3/TLS read client key exchange (Remote User IP)
SSL state:fatal decrypt error (Remote User IP)
SSL state:error:(null)(Remote User IP)
SSL_accept failed, 1:bad signature
Now, first, it's been suggested that SSLv3 be disabled; however, I can't see how to do that on version 6.2 or above other than by setting the SSL min/max versions listed above. I have also ensured that all the TLS options within the IE settings are selected when testing this out.
Ideally I need to get this sorted within the next couple of weeks, as the users' certs from the old root are expiring.
The cert is fully trusted by the device; these are issued through SCEP.
We also use this cert for Cisco AnyConnect, which works without issue. One difference between these is that AC doesn't require the subject to be mapped to the user, rather just that there is a user cert present that matches the root cert on the appliance.
We're using PKI users along with the subject name from the certificate issued to the user, as advised by Fortigate when we initially set up the device. The user then selects the cert within FortiClient and it should connect. This works correctly for the old cert/root but not the new one.
Yes, that I understand. Did you run any diag debug sslvpnd -1 and look at the user when he/she comes in? Also, if you just do a blind accept for that root CA that signed the certificate, does the client access the VPN? So just ignore the CN string and see if the certificate is accepted on verification.
Also, where did you set the user peer up, within the auth-rule? Follow this blog thread for examples.
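For reference, here is an added example (not configuration from the original post or the reply) of the FortiOS CLI pieces the thread is discussing: the PKI peer user tied to the new root with a subject match, the "blind accept" test variant the reply suggests (a peer with no subject, so any certificate chaining to that CA is accepted), the group and authentication rule under the SSL VPN settings, and the sslvpn debug. The names CA2, user2, CN=username, sslvpn-pki-group and full-access are assumed placeholders; substitute the ones on your appliance.

```fortios
# Added example, not the poster's configuration. CA2, user2, "CN=username",
# sslvpn-pki-group and full-access are assumed placeholder names.

# PKI (peer) user: the client certificate must chain to the CA object "CA2"
# AND its Subject DN must contain the 'subject' string (substring match).
config user peer
    edit "user2"
        set ca "CA2"
        set subject "CN=username"
    next
end

# Test variant from the reply: accept any certificate signed by CA2 and
# ignore the CN entirely by removing the subject filter. If the client then
# connects, the chain to CA2 is fine and the subject string is the problem;
# if it still fails with "bad signature", the issue is below the subject check.
config user peer
    edit "user2"
        unset subject
    next
end

# The PKI user is referenced from a group, which the auth rule then uses.
config user group
    edit "sslvpn-pki-group"
        set member "user2"
    next
end

# SSL VPN settings: require a client certificate and pin the TLS range.
# The post has the floor at tls1-1; tls1-2 is the safer floor if all
# FortiClient versions in use support it.
config vpn ssl settings
    set reqclientcert enable
    set ssl-min-proto-ver tls1-1
    set ssl-max-proto-ver tls1-3
    config authentication-rule
        edit 1
            set groups "sslvpn-pki-group"
            set portal "full-access"
            set client-cert enable
        next
    end
end

# Debug the next connection attempt (the reply's "diag debug sslvpnd -1"),
# then reproduce the failing login from FortiClient and read the output.
diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application sslvpn -1
diagnose debug enable
# ... reproduce the failure, then stop the debug:
diagnose debug disable
```

When comparing the debug output against the working (old-root) user, look at the lines immediately before the SSL_accept failure: a rejection on the subject string appears after the TLS handshake has completed, whereas a "bad signature" during the client key exchange happens before any subject matching, which is why the blind-accept test is a useful way to separate the two.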