FredMB
New Contributor

[Solved] Unable to access Firebaseapp SSL website when SSL inspection is on

Hi,

We are using the XS Mapping Sheets Google Apps plugin, which used to work fine until Tuesday 16th of August.

Since then, when we try to connect, we get an SSL error.


Using openssl, here is what we get:

openssl s_client -connect thexs-mapping.firebaseapp.com:443
CONNECTED(00000003)
139984351467176:error:14077419:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert access denied:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 290 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Our web connection is using a Fortinet 100D installed at the beginning of July.


- If I try this app without using the Fortigate unit (we also have an old Netgear), it works fine.

- Qualys SSL test shows a score of A+ for this domain.

- If I disable SSL inspection (check certificate only, no full inspection) on the LAN to WAN policy, the site works fine.

- We don't block anything on our Fortigate for web, app and ssl inspection.

- I can't find any special event in the Fortigate saying that this site is blocked (attached is an event corresponding to the problem).


Do you have any idea on how to solve this problem? I didn't find a way to bypass SSL inspection for specific domains.


Thank you for your help,


Regards,


Fred

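The openssl output quoted above carries more diagnostic information than the bare "access denied" text suggests. The following is an added example, not code from the original thread or from Fortinet: it decodes the packed OpenSSL 1.0.x error code (8-bit library, 12-bit function, 12-bit reason), maps the reason back to the TLS AlertDescription value, and uses the "handshake has read N bytes" line to tell whether the peer answered the ClientHello with nothing but a single alert record. The sample output is constructed from the lines in the question.

```python
import re

# Constructed sample: the openssl s_client output quoted in the question.
SAMPLE_OUTPUT = """CONNECTED(00000003)
139984351467176:error:14077419:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert access denied:s23_clnt.c:749:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 290 bytes
"""

# TLS AlertDescription values (RFC 5246 section 7.2.2). OpenSSL encodes a
# received "tlsv1 alert X" as reason code 1000 + AlertDescription.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
    80: "internal_error", 112: "unrecognized_name",
}
ERR_LIB_SSL = 20  # OpenSSL ERR_LIB_SSL
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):")
HANDSHAKE_RE = re.compile(r"handshake has read (\d+) bytes and written (\d+) bytes")

def decode_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def diagnose(output):
    """Summarise an openssl s_client transcript as a dict of findings."""
    result = {"connected": output.startswith("CONNECTED")}
    m = OPENSSL_ERR_RE.search(output)
    if m:
        lib, func, reason = decode_openssl_error(int(m.group(1), 16))
        result.update(lib=lib, func=func, reason=reason,
                      func_name=m.group(3), reason_text=m.group(4))
        if lib == ERR_LIB_SSL and 1000 <= reason < 1256:
            result["tls_alert"] = reason - 1000
            result["tls_alert_name"] = TLS_ALERTS.get(reason - 1000, "unknown")
    rw = HANDSHAKE_RE.search(output)
    if rw:
        result["bytes_read"], result["bytes_written"] = int(rw.group(1)), int(rw.group(2))
        # One TLS alert record is a 5-byte record header plus a 2-byte body:
        # reading exactly 7 bytes means the peer replied to the ClientHello
        # with a single alert and never sent a ServerHello or certificate.
        result["alert_only_response"] = result["bytes_read"] == 7
    result["peer_certificate"] = "no peer certificate available" not in output
    return result

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

For the quoted transcript this yields alert 49 (access_denied) carried in a 7-byte, certificate-less response, which is what an inspecting middlebox that rejects the server certificate looks like from the client side.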

3 replies
emnoc
Esteemed Contributor III

Did you try various TLS versions?


e.g.


curl -L -v -k https://x.x.x.x --tlsv1.1 (or 1.2 or 1.0, or even worse --sslv3)


Did you run the CLI diag debug flow and see what the reported function and error message(s) are?


I bet the 1st part will give you a clue if it's TLS version related.

PCNSE, NSE, StrongSwan

FredMB
New Contributor

It seems to be a known problem between Fortigate and Firebaseapp:

https://plus.google.com/105602211126311947973/posts/D7AErM5yhQv


According to this post, it's due to the fact that the certificate has too many SANs.


By the way, I forgot to mention that my Fortigate 100D has 5.2.8 firmware.

FredMB
New Contributor

The solution of enabling "inspect all ports" solved the problem, as stated in the attached post.
