FortiOS 6.0.14, using ssl inspection.
Lately, browsing to microsoft.com or www.microsoft.com fails. Firefox throws error PR_END_OF_FILE_ERROR, Chrome ERR_CONNECTION_CLOSED.No such problems with other subdomains like teams.microsoft.com.
I guess it's a configuration error on their side. They use akamai as CDN. I see quite some differences in supportes protocols and ciphers between microsoft.com (https://www.ssllabs.com/ssltest/analyze.html?d=microsoft.com&s=18.104.22.168&hideResults=on) and the particular akamai I landed on (https://www.ssllabs.com/ssltest/analyze.html?d=e13678.dscb.akamaiedge.net&s=22.214.171.124) .
Putting microsoft.com in the exemption list voor ssl inspection, resolves this issue obviously. But I'm not planning on implementing this kind of broad exeptions.
So, simple question: anyone else seeing this ?
I had a similar issue but not on microsoft.com with FortiOS 6.2.8 and 6.4.7.
As you, I used the SSL deep inspection and I added a lot of exempts for a workaround.
Recently, after reading the 6.4.8 release notes I saw the bug ID 750551 DST_Root_CA_X3 certificate is expired.
I upgraded in 6.4.8 and the issue was solved. I removed the added exempts.
I am really not sure this certificate is used by Microsoft. It is particularly by Let's Encrypt.
You already use the last version in 6.0 branch but nothing related to this bug on the release notes.
Thank you. I don't think it's related.
At the time of writing, microsoft.com resolved to an IP on akamai. That one served a very nasty certificate (this one: https://www.ssllabs.com/ssltest/analyze.html?d=e13678.dscb.akamaiedge.net&s=126.96.36.199&ignoreMisma...).
That was probably the reason for all alarms going off (as in: certificate is really bad, block it !)
microsoft.com resolves to somewhere else now and all is fine.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.