Anyone using "secure" TLS, i.e. including check of CA issuer?
We're running an evaluation of FortiMail and I just can't get this to work. I'm trying to configure it for sending to gmail.com and I've downloaded their intermediate cert and the Geotrust root cert and created a TLS profile, but I keep getting "TLS certificate CA verify failed" in the logs. So, is anyone successfully using "Check CA Issuer"? Are there any other secrets to make it work other than the steps outlined in the documentation?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
i'm not using that, but I did see a lot of CA fail messages in my logs before I imported my CA certs for my local PKI. However, I still see the errors when dealing with outside connections.
FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
op, have you tried to pull the cert by manual process and check the CAissuer and cert chain?
openssl s_client -showcerts -verify depth -connect <mail-server:25>
PCNSE
NSE
StrongSwan
I had a similar problem with our FortiMail while running in trial mode. TLS would not work at all, even connection to our internal Exchange servers. Importing CA certificate would fail with a generic error message. When we got a license for it i was able to import certificates and TLS started working.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.