Verifying the server certificate on SSL inspection: "diagnose debug application fnbamd -1" does not show the certificate in my 5.2.6.
Additionally, Fortinet has wisely decided to remove "diagnose debug application ssl" and "diagnose test application sslworker" - they are no longer available in 5.2.6. "More is less".
So, how can I determine the original server certificate offered by the origin server?
Certificate information from "diagnose debug application fnbamd -1" can be seen only the first time the website is visited.
Due to code improvements, sslworker has been removed, and so has its debug command. Some of its debug functions were merged into "dia test application proxyworker".
500D_UP (global) # dia test application proxyworker
Proxy Worker 0 - worker:
pw 0:s Proxy Worker Test Usage
pw 0:s
pw 0:s 1: Dump Memory Usage
pw 0:s 2: Dump vdom list
pw 0:s 3: Display pid
pw 0:s 4: Display stats for all protocols
pw 0:s 13: Clear SSL exempt cache
pw 0:s 14: Clear SSL bypass cache
pw 0:s 42: Dump SSL exempt and bypass cache
pw 0:s 43: Dump SSL session list
pw 0:s 4444: Display per vdom stats for all protocols
pw 0:s 5: Display debug log stats
pw 0:s 6: Toggle Print Stat mode every ~40 seconds
pw 0:s 88: Toggle statistic recording
pw 0:s 94: Disable SO_LINGER
pw 0:s 95: Enable SO_LINGER
pw 0:s 96: Disable Nagle for SSL connections (default)
pw 0:s 97: Enable Nagle for SSL connections
pw 0:s 99: Restart proxy
> Certificate information from "diagnose debug application fnbamd -1" can be seen only the first time the website is visited.
That is not what I see, observe:
On Fortigate:
FG60C (global) # diagnose debug application fnbamd -1
FG60C (global) # diagnose debug enable
On client:
$ curl -Ik https://www.mattel.com
HTTP/1.1 503 Service Unavailable
Content-Type: text/html
Cache-Control: no-cache
Content-Length: 770
X-Iinfo: 10-18487729-0 0NNN RT(1458015904641 9) q(0 -1 -1 1) r(0 -1) U5
Date: Tue, 15 Mar 2016 04:25:04 GMT
Connection: keep-alive
Set-Cookie: visid_incap_726338=3gUyqZR2Td2naIr6x0ts4qCO51YAAAAAQUIPAAAAAADc4zmhLi41wqAoQQCC4eTr; expires=Tue, 14 Mar 2017 17:05:25 GMT; path=/; Domain=.x.incapdns.net
Set-Cookie: incap_ses_413_726338=NXPoBgXhujHReJH7pUW7BaCO51YAAAAAuyy+buCc4O66hqeirRYwgg==; path=/; Domain=.x.incapdns.net
X-Robots-Tag: all
On Fortigate:
fnbamd_fsm.c[2145] handle_req-Rcvd auth_cert req id=671334420
fnbamd_auth.c[1328] check_cert-following cert chain depth 0
fnbamd_auth.c[1328] check_cert-following cert chain depth 1
fnbamd_auth.c[1608] cert_check_group_list-group list is null
fnbamd_comm.c[169] fnbamd_comm_send_result-Sending result 0 for req 671334420
No server certificate shown!
Confirmed by Fortinet support that certificate information display (by logs or debug) is no longer possible.
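Added example, not from the thread and not Fortinet code: since the FortiGate debug output no longer shows the origin's certificate, the practical check is done on the client side. With deep inspection the client receives the FortiGate's re-signed copy, whose subject and SANs are copied from the origin certificate but whose issuer is the inspection CA and whose fingerprint differs from the origin's. The script below fetches the leaf certificate and classifies it as the re-signed copy or the origin's own; compare the SHA-256 with one taken from a host that is exempt from inspection to recover what the origin actually offered. The inspection CA common name and the CA file path are assumptions; use the CA configured in your ssl-ssh-profile. Note that Python's getpeercert() returns an empty dict when verification is disabled, so the inspection CA is loaded into the trust store instead of turning verification off.

```python
"""Classify the leaf certificate a client sees behind FortiGate SSL inspection."""
import hashlib
import socket
import ssl
import sys

# Assumption: the CN of the CA your FortiGate re-signs with (see your ssl-ssh-profile).
INSPECTION_CA_CN = "FortiGate CA"


def rdn_to_dict(name):
    """Flatten the tuple-of-RDN-tuples form used by SSLSocket.getpeercert()."""
    return {key: value for rdn in name for (key, value) in rdn}


def classify(cert, inspection_ca_cn=INSPECTION_CA_CN):
    """Return (kind, subject_cn, issuer_cn, dns_sans) for a getpeercert() dict.

    kind is 'resigned' when the issuer CN is the inspection CA (the client is
    looking at the FortiGate's copy, not the origin certificate), 'origin'
    when any other issuer signed it, and 'unverified' for the empty dict that
    getpeercert() returns when the chain was not validated.
    """
    if not cert:
        return "unverified", None, None, ()
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    sans = tuple(v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS")
    kind = "resigned" if issuer.get("commonName") == inspection_ca_cn else "origin"
    return kind, subject.get("commonName"), issuer.get("commonName"), sans


def fetch_leaf(host, port=443, extra_ca_file=None, timeout=5.0):
    """Connect with verification on and return (getpeercert() dict, SHA-256 hex).

    extra_ca_file is the inspection CA exported from the FortiGate; loading it
    lets a re-signed chain validate so the parsed certificate is populated.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname check, system roots
    if extra_ca_file:
        ctx.load_verify_locations(cafile=extra_ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.getpeercert(), hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    # Usage: python inspect_leaf.py www.mattel.com [/path/to/fortigate-ca.pem]
    target = sys.argv[1] if len(sys.argv) > 1 else "www.mattel.com"
    ca_file = sys.argv[2] if len(sys.argv) > 2 else None
    cert, fingerprint = fetch_leaf(target, extra_ca_file=ca_file)
    kind, subject_cn, issuer_cn, sans = classify(cert)
    print(f"{target}: {kind} certificate; subject CN={subject_cn}; issuer CN={issuer_cn}")
    print(f"SHA-256: {fingerprint}")
    print("DNS SANs:", ", ".join(sans))
```

Run it once from an inspected client (with the FortiGate CA file) and once from an exempt host or outside the firewall; matching subject and SANs with different issuers and fingerprints is the signature of re-signing, and the second run gives you the origin's actual certificate.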
Copyright 2024 Fortinet, Inc. All Rights Reserved.