Hello Experts,
We are currently using FortiOS 7.2.7 firmware, and SSL VPN client certificate authentication is not happening.
Before, we used version 7.0.14, and SSL VPN client certificate auth worked as expected; after upgrading to 7.2.7 it's not working.
Has anyone faced this kind of issue? Share your thoughts on this issue.
Hello Sanju
Can you run the below commands and reproduce the error?
diagnose debug application sslvpn -1
diagnose debug application fnbamd -1
diagnose debug enable
Once done please share the output.
Besides, for other security reasons (not related to your issue), I recommend updating to 7.2.8, as your 7.2.7 has multiple known vulnerabilities.
Bug ID | CVE references |
---|---|
940665 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference: |
952029 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference: |
956553 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference: |
964415 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference: |
966706 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference: |
966721 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference: |
985990 | FortiOS 7.2.8 is no longer vulnerable to the following CVE Reference: |
Ref: https://docs.fortinet.com/document/fortigate/7.2.8/fortios-release-notes/289806
Hi Team,
We are also facing the same issue after upgrading from 7.0.14 to 7.2.8.
Please find the attached logs
# [347:root:2563]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root
[347:root:2563]SSL state:before SSL initialization (106.198.80.63)
[347:root:2563]SSL state:fatal decode error (106.198.80.63)
[347:root:2563]SSL state:error:(null)(106.198.80.63)
[347:root:2563]SSL_accept failed, 1:unexpected eof while reading
[347:root:2563]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
[344:root:2566]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[344:root:2566]SSL state:before SSL initialization (106.198.80.63)
[344:root:2566]SSL state:before SSL initialization (106.198.80.63)
[344:root:2566]got SNI server name: vpnchn.clubmahindra.com realm (null)
[344:root:2566]client cert requirement: yes
[344:root:2566]SSL state:fatal handshake failure (106.198.80.63)
[344:root:2566]SSL state:error:(null)(106.198.80.63)
[344:root:2566]SSL_accept failed, 1:no suitable signature algorithm
[344:root:2566]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
[346:root:2567]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[346:root:2567]SSL state:before SSL initialization (106.198.80.63)
[346:root:2567]SSL state:before SSL initialization (106.198.80.63)
[346:root:2567]got SNI server name: vpnchn.clubmahindra.com realm (null)
[346:root:2567]client cert requirement: yes
[346:root:2567]SSL state:fatal handshake failure (106.198.80.63)
[346:root:2567]SSL state:error:(null)(106.198.80.63)
[346:root:2567]SSL_accept failed, 1:no shared cipher
[346:root:2567]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
[347:root:2566]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[347:root:2566]SSL state:before SSL initialization (106.198.80.63)
[347:root:2566]SSL state:before SSL initialization (106.198.80.63)
[347:root:2566]got SNI server name: vpnchn.clubmahindra.com realm (null)
[347:root:2566]client cert requirement: yes
[347:root:2566]SSL state:fatal handshake failure (106.198.80.63)
[347:root:2566]SSL state:error:(null)(106.198.80.63)
[347:root:2566]SSL_accept failed, 1:no suitable signature algorithm
[347:root:2566]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
[348:root:2565]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[348:root:2565]SSL state:before SSL initialization (106.198.80.63)
[348:root:2565]SSL state:before SSL initialization (106.198.80.63)
[348:root:2565]got SNI server name: vpnchn.clubmahindra.com realm (null)
[348:root:2565]client cert requirement: yes
[348:root:2565]SSL state:fatal handshake failure (106.198.80.63)
[348:root:2565]SSL state:error:(null)(106.198.80.63)
[348:root:2565]SSL_accept failed, 1:no shared cipher
[348:root:2565]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
Did you fix it? If so, how?
I have the same issue.
Hi Mikkel,
We have fixed it with the help of support team.
Kindly find the solution below:
On 7.0.14 we were using SHA-1 self-signed authentication, which is not working on 7.2.8.
So we used SHA256 authentication in 7.2.8; after that, the mentioned issue was resolved.
Looks like you are totally right... Thanks for quick response! :)
Were you able to regenerate the same certificate just with SHA256 or did you just create a new one?
Hi mikkel_olesen,
We are not able to regenerate the same certificate with SHA256. We have to create a new one.
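For triaging debug output like the one posted earlier in this thread, here is an added example (not from any poster or from Fortinet) that groups `diagnose debug application sslvpn` lines into handshake attempts and counts `SSL_accept` failure reasons where a client certificate was required. The log sample is constructed, the function names are hypothetical, and the bracketed line prefix is treated as an opaque connection key (an assumption).

```python
import re
from collections import Counter

# Constructed sample in the thread's log format (documentation-range IP, example hostname).
SAMPLE = """\
[344:root:2566]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[344:root:2566]got SNI server name: vpn.example.com realm (null)
[344:root:2566]client cert requirement: yes
[344:root:2566]SSL state:fatal handshake failure (203.0.113.10)
[344:root:2566]SSL_accept failed, 1:no suitable signature algorithm
[344:root:2566]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
[346:root:2567]allocSSLConn:310 sconn 0x7f26b8e55800 (0:root)
[346:root:2567]client cert requirement: yes
[346:root:2567]SSL_accept failed, 1:no shared cipher
[346:root:2567]Destroy sconn 0x7f26b8e55800, connSize=0. (root)
# [347:root:2563]SSL state:fatal decode error (203.0.113.10)
[347:root:2563]SSL_accept failed, 1:unexpected eof while reading
"""

LINE = re.compile(r"\[(\d+:[^:\]]+:\w+)\](.*)")   # prefix kept as an opaque key
PEER = re.compile(r"SSL state:.*\((\d+(?:\.\d+){3})\)\s*$")
FIELDS = {"sni": r"got SNI server name: (\S+)",
          "cert_required": r"client cert requirement: (\w+)",
          "failure": r"SSL_accept failed, \d+:(.+)"}

def parse_handshakes(text):
    """Return one dict per handshake attempt, in order of completion."""
    open_, done = {}, []
    for m in filter(None, map(LINE.search, text.splitlines())):
        key, msg = m.group(1), m.group(2).strip()
        if msg.startswith("allocSSLConn") and key in open_:
            done.append(open_.pop(key))      # previous attempt had no Destroy line
        rec = open_.setdefault(key, {"conn": key, "peer": None, "sni": None,
                                     "cert_required": None, "failure": None})
        if (p := PEER.search(msg)):
            rec["peer"] = p.group(1)
        for name, pat in FIELDS.items():
            if (f := re.match(pat, msg)):
                rec[name] = f.group(1).strip()
        if msg.startswith("Destroy sconn"):
            done.append(open_.pop(key))
    return done + list(open_.values())       # keep attempts cut off mid-log

def failures_with_client_cert(text):
    """Count SSL_accept failure reasons for attempts that required a client cert."""
    return Counter(h["failure"] for h in parse_handshakes(text)
                   if h["failure"] and h["cert_required"] == "yes")
```

A `no suitable signature algorithm` count on cert-required handshakes is the pattern that, in this thread, went away once the SHA-1 signed certificate was replaced with a SHA256 one.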
Copyright 2024 Fortinet, Inc. All Rights Reserved.