Hi,
We are using theXS Mapping Sheets Google Apps plugin which used to work fine until tuesday 16th of august.
Since then, wen we try to connect, we get an SSL error.
Using openssl: here is what we get :
openssl s_client -connect thexs-mapping.firebaseapp.com:443
CONNECTED(00000003)
139984351467176:error:14077419:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert access denied:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 290 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
Our web connexion is using a Fortinet 100D installed on the begining of july.
- If I try this app not using the Fortigate unit (we also have an old Netgear), it works fine.
- Qualys SSL test shows a score of A+ for this domain.
- If I disable SSL inspection (check certificate only, no full inspection) on the LAN to WAN policy, the site works fine.
- We don't block anything on our Fortigate for web, app and ssl inspection.
- I can't find any special event in the Fortigate saying that this site is blocked (in attachment is an event corresponding to the problem)
Do you have any idea on how to solve this problem ? Ididn't find a way to bypass SSL inspection for specific domains.
Thank you for your help,
Regards,
Fred
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Did you try various TLS versions?
e.g
curl -L -v -k https://x.x.x.x. --tlsv1.1 ( or 1.2 or 1.0 or even worse --sslv3 )
Did you run the cli diag debug flow and see what's the report function and error message(s)?
I bet the 1st part will give you a clue if it's tls version related
PCNSE
NSE
StrongSwan
It seems to be known problem between Fortigate and Firebaseapp :
https://plus.google.com/105602211126311947973/posts/D7AErM5yhQv
According to this post, it's due to the fact that the certificate has too many SANs.
Bu the way, I forgot to mention that my Fortigate 100D has 5.2.8 firmware.
The solution to enable "inspect all ports" solved the problem has stated in the attached post.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.