ssl vpn certificate authentication
Hello Experts,
We are currently using FortiOS firmware version 7.2.7, and SSL VPN client certificate authentication is not happening.
Before, we used version 7.0.14 and SSL VPN client certificate authentication worked as expected; after upgrading to 7.2.7 it is not working.
Has anyone faced this kind of issue? Please share your thoughts on it.
Labels: FortiClient, FortiGate
Hello Sanju,
Can you run the commands below and reproduce the error?
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable
Once done, please share the output.
Besides, and for other security reasons (not related to your issue), I recommend updating to 7.2.8, as 7.2.7 has multiple known vulnerabilities.
Bug ID | CVE references
940665 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference:
952029 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference:
956553 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference:
964415 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference:
966706 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference:
966721 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference:
985990 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference:
Ref: https://docs.fortinet.com/document/fortigate/7.2.8/fortios-release-notes/289806
Hi Team,
We are also facing the same issue after upgrading from 7.0.14 to 7.2.8.
Please find the attached logs:
[347:root:2563]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[347:root:2563]SSL state:before SSL initialization (106.198.80.63)
[347:root:2563]SSL state:fatal decode error (106.198.80.63)
[347:root:2563]SSL state:error:(null)(106.198.80.63)
[347:root:2563]SSL_accept failed, 1:unexpected eof while reading
[347:root:2563]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
[344:root:2566]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[344:root:2566]SSL state:before SSL initialization (106.198.80.63)
[344:root:2566]SSL state:before SSL initialization (106.198.80.63)
[344:root:2566]got SNI server name: vpnchn.clubmahindra.com realm (null)
[344:root:2566]client cert requirement: yes
[344:root:2566]SSL state:fatal handshake failure (106.198.80.63)
[344:root:2566]SSL state:error:(null)(106.198.80.63)
[344:root:2566]SSL_accept failed, 1:no suitable signature algorithm
[344:root:2566]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
[346:root:2567]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[346:root:2567]SSL state:before SSL initialization (106.198.80.63)
[346:root:2567]SSL state:before SSL initialization (106.198.80.63)
[346:root:2567]got SNI server name: vpnchn.clubmahindra.com realm (null)
[346:root:2567]client cert requirement: yes
[346:root:2567]SSL state:fatal handshake failure (106.198.80.63)
[346:root:2567]SSL state:error:(null)(106.198.80.63)
[346:root:2567]SSL_accept failed, 1:no shared cipher
[346:root:2567]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
[347:root:2566]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[347:root:2566]SSL state:before SSL initialization (106.198.80.63)
[347:root:2566]SSL state:before SSL initialization (106.198.80.63)
[347:root:2566]got SNI server name: vpnchn.clubmahindra.com realm (null)
[347:root:2566]client cert requirement: yes
[347:root:2566]SSL state:fatal handshake failure (106.198.80.63)
[347:root:2566]SSL state:error:(null)(106.198.80.63)
[347:root:2566]SSL_accept failed, 1:no suitable signature algorithm
[347:root:2566]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
[348:root:2565]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[348:root:2565]SSL state:before SSL initialization (106.198.80.63)
[348:root:2565]SSL state:before SSL initialization (106.198.80.63)
[348:root:2565]got SNI server name: vpnchn.clubmahindra.com realm (null)
[348:root:2565]client cert requirement: yes
[348:root:2565]SSL state:fatal handshake failure (106.198.80.63)
[348:root:2565]SSL state:error:(null)(106.198.80.63)
[348:root:2565]SSL_accept failed, 1:no shared cipher
[348:root:2565]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
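The debug output above mixes three different SSL_accept failure reasons ("unexpected eof while reading", "no suitable signature algorithm", "no shared cipher"), and only the signature-algorithm one is tied to the client-certificate requirement. The following script is an added example, not part of the thread: it tallies `diagnose debug application sslvpn -1` output by failure reason and counts how many signature-algorithm failures occurred on connections where the gateway had announced "client cert requirement: yes". The embedded log lines are constructed to match the shapes shown above (the SNI host name is made up); feed real output on stdin instead.

```shell
#!/bin/sh
# Added example (not from the thread): triage FortiGate sslvpn debug output.
# Assumes only POSIX sh, sed, awk, sort and uniq.
set -eu

# Constructed sample in the same shape as the thread's debug lines; SNI name is made up.
SAMPLE_LOG='[344:root:2566]got SNI server name: vpn.example.com realm (null)
[344:root:2566]client cert requirement: yes
[344:root:2566]SSL_accept failed, 1:no suitable signature algorithm
[346:root:2567]got SNI server name: vpn.example.com realm (null)
[346:root:2567]client cert requirement: yes
[346:root:2567]SSL_accept failed, 1:no shared cipher
[347:root:2563]SSL_accept failed, 1:unexpected eof while reading
[348:root:2565]got SNI server name: vpn.example.com realm (null)
[348:root:2565]client cert requirement: yes
[348:root:2565]SSL_accept failed, 1:no suitable signature algorithm'

# Read debug lines on stdin; print "<count> <reason>" per SSL_accept failure reason,
# most frequent first.
sslvpn_failures_by_reason() {
    sed -n 's/.*SSL_accept failed, [0-9]*:\(.*\)$/\1/p' \
        | sort | uniq -c | sed 's/^ *//' | sort -rn
}

# Read debug lines on stdin; print the number of "no suitable signature algorithm"
# failures on connections (matched by the [pid:vdom:conn] prefix) where the gateway
# had required a client certificate. Those are the candidates for a cert-signature issue.
sslvpn_cert_sigalg_failures() {
    awk '
        /client cert requirement: yes/ { split($1, id, "]"); want[id[1]] = 1 }
        /SSL_accept failed/ && /no suitable signature algorithm/ {
            split($1, id, "]"); if (id[1] in want) n++
        }
        END { print n + 0 }'
}

main() {
    echo "SSL_accept failures by reason:"
    printf '%s\n' "$SAMPLE_LOG" | sslvpn_failures_by_reason
    echo "signature-algorithm failures with client cert required: $(printf '%s\n' "$SAMPLE_LOG" | sslvpn_cert_sigalg_failures)"
}

main
```

Pipe saved output into the two functions (`sslvpn_cert_sigalg_failures < sslvpn.log`); a non-zero count alongside working connections from the same clients before the upgrade points at the client certificates rather than at the tunnel settings.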
Did you fix it? If so, how?
I have the same issue.
Hi Mikkel,
We fixed it with the help of the support team.
Kindly find the solution below:
On 7.0.14 we were using SHA-1 self-signed certificate authentication, which does not work on 7.2.8.
So we used SHA-256 certificate authentication on 7.2.8, after which the mentioned issue was resolved.
Looks like you are totally right... Thanks for the quick response! :)
Were you able to regenerate the same certificate just with SHA-256, or did you have to create a new one?
Hi mikkel_olesen,
We were not able to regenerate the same certificate with SHA-256; we had to create a new one.
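A signature algorithm is fixed at signing time, so a SHA-1-signed certificate cannot be "converted"; the only fix is to issue a new one, as the last two posts say. The script below is an added example, not something posted in the thread or shipped by Fortinet: it shows how to check which digest an existing PEM certificate was signed with, and how to mint a replacement self-signed certificate with SHA-256 using the openssl CLI. It assumes `openssl` is on PATH; the subject names, file names and working directory are made up. The attempt to also produce a SHA-1 certificate is there to show what the legacy certificate looks like to the checker; OpenSSL builds under a hardened crypto policy refuse to sign with SHA-1, and the script handles that case instead of failing.

```shell
#!/bin/sh
# Added example (not from the thread): check a certificate's signature digest and
# generate a SHA-256-signed replacement. Assumes the openssl CLI is installed;
# the CNs and file names below are illustrative.
set -eu

WORK="${TMPDIR:-/tmp}/sslvpn-cert-demo"
mkdir -p "$WORK"

# Print the signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Return 0 when the certificate is signed with a SHA-2 family digest, 1 otherwise
# (SHA-1 signed certificates are the ones that stopped working in the thread).
cert_sig_is_sha2() {
    case "$(cert_sig_alg "$1")" in
        sha256*|sha384*|sha512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate a self-signed certificate and key with the given digest and CN;
# prints the certificate path on success, returns 1 if openssl refuses.
make_selfsigned() {   # $1 = digest (sha1|sha256), $2 = CN
    key="$WORK/$1.key"; crt="$WORK/$1.crt"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$crt" \
        -"$1" -days 825 -subj "/CN=$2" 2>/dev/null || return 1
    echo "$crt"
}

main() {
    new=$(make_selfsigned sha256 "sslvpn-user-example")
    echo "replacement certificate: $(cert_sig_alg "$new")"
    cert_sig_is_sha2 "$new" && echo "OK: SHA-256 signed"

    # Legacy variant for comparison; hardened OpenSSL builds refuse to sign with SHA-1.
    if old=$(make_selfsigned sha1 "sslvpn-user-legacy"); then
        echo "legacy certificate: $(cert_sig_alg "$old")"
        cert_sig_is_sha2 "$old" || echo "REJECT: SHA-1 signed, reissue before upgrading"
    else
        echo "openssl refused to sign with SHA-1 under the local crypto policy"
    fi
}

main
```

Run `cert_sig_is_sha2 user.crt` against the certificates currently distributed to clients before an upgrade; anything that fails the check needs to be reissued, and the new certificate (or the CA that signs it) then has to be installed on the FortiGate and on the clients as usual, since it is a different certificate rather than a modified copy of the old one.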