FortiClient
Adryan_you
Staff
Article Id 274174
Description This article describes how to resolve the issue where FortiClient on Windows 10/11 cannot connect to the FortiGate SSL VPN with TLS 1.3, even though TLS 1.3 has already been enabled in the Internet Properties dialog (inetcpl.cpl).
Scope FortiClient, Windows 10/11.
Solution

FortiGate SSL VPN supports TLS 1.3. For FortiClient to negotiate TLS 1.3 with the FortiGate SSL VPN, TLS 1.3 must be enabled on the Windows 10/11 client. Normally this is done through the Internet Properties dialog:

  • On the Windows computer, open the Run prompt (Win + R), type 'inetcpl.cpl' and press Enter.
  • In the Internet Properties window, go to the Advanced tab.
  • Under the Security section, check the 'TLS 1.3' box.
  • Apply the changes and restart the browser.


If FortiClient still fails to connect to the FortiGate SSL VPN with TLS 1.3 while web mode from a browser works, the Schannel settings in the computer registry need to be checked and edited. A working browser does not prove that Windows itself offers TLS 1.3: Chromium-based browsers such as the Edge seen in the debug below ship their own TLS library, whereas FortiClient depends on the Windows Schannel configuration that the registry keys below control.

First, collect the SSL VPN debug on the FortiGate. It shows that the TLS handshake from FortiClient is aborted immediately, before any TLS 1.3 session is established:

dia de dis
dia de reset
dia de app sslvpn -1
dia de enable

FortiGate SSL VPN debug output:

// FortiClient failed to connect //
[19293:root:2fc]allocSSLConn:307 sconn 0x7f0946f57a00 (0:root)
[19293:root:2fc]SSL state:before SSL initialization (10.47.4.151)
[19293:root:2fc]SSL state:before SSL initialization:DH lib(10.47.4.151)
[19293:root:2fc]SSL_accept failed, 5:(null)
[19293:root:2fc]Destroy sconn 0x7f0946f57a00, connSize=0. (root)


// Webmode can access using TLS 1.3 //
[19293:root:302]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384 <<===
[19293:root:302]No client certificate
[19293:root:302]req: /remote/login
[19293:root:302]rmt_web_auth_info_parser_common:492 no session id in auth info
[19293:root:302]rmt_web_get_access_cache:841 invalid cache, ret=4103
[19293:root:302]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81 <<====


Next, check and edit the computer registry to enable TLS 1.3 for Schannel clients:

  • Open regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
  • If 'TLS 1.3' does not exist as a child key under 'Protocols', create it: right-click 'Protocols', select New > Key, and name it 'TLS 1.3'.

  • Create another new key under 'TLS 1.3' and name it 'Client'.
  • In 'Client', create two DWORD (32-bit) values named 'DisabledByDefault' and 'Enabled'; both are created with the default value 0.

  • For 'Enabled', change the value to '1'.

  • Final look at the registry: Protocols\TLS 1.3\Client holds Enabled = 1 and DisabledByDefault = 0 (both REG_DWORD).
  • Apply the changes and close the registry editor window.
  • Restart the computer.
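
The registry steps above as a script, added here as an example and not part of Fortinet's article: it creates the Schannel TLS 1.3\Client key with the two DWORD values, reads them back, and also decodes the per-user SecureProtocols bitmask behind the inetcpl.cpl check box (the 0x2000 bit is TLS 1.3; 0x800 is TLS 1.2). The function names are the example's own. Run it from an elevated PowerShell prompt and reboot afterwards, because Schannel reads these keys at start-up.

```powershell
#Requires -RunAsAdministrator
# Added example, not Fortinet's script: automates the regedit steps above and
# reports the state of the inetcpl.cpl "TLS 1.3" check box. Run elevated.

$SchannelClient = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client'
$InetSettings   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Tls13Bit       = 0x2000   # SecureProtocols bitmask: 0x800 = TLS 1.2, 0x2000 = TLS 1.3

function Get-SchannelTls13ClientState {
    # Report what Schannel currently has configured for TLS 1.3 client connections.
    if (-not (Test-Path -LiteralPath $SchannelClient)) {
        return [pscustomobject]@{ KeyExists = $false; Enabled = $null; DisabledByDefault = $null }
    }
    $p = Get-ItemProperty -LiteralPath $SchannelClient
    [pscustomobject]@{
        KeyExists         = $true
        Enabled           = $p.Enabled
        DisabledByDefault = $p.DisabledByDefault
    }
}

function Enable-SchannelTls13Client {
    # Same change as the manual steps: create Protocols\TLS 1.3\Client and set
    # Enabled=1, DisabledByDefault=0, both REG_DWORD. -Force creates the missing
    # parent key 'TLS 1.3' and overwrites existing values.
    New-Item -Path $SchannelClient -Force | Out-Null
    New-ItemProperty -LiteralPath $SchannelClient -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -LiteralPath $SchannelClient -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-InternetOptionsTls13 {
    # The "TLS 1.3" check box in inetcpl.cpl > Advanced is one bit of the per-user
    # SecureProtocols DWORD. If the value is absent, Windows applies its defaults and
    # the box state cannot be read from the registry, so report $false (unknown).
    $v = (Get-ItemProperty -LiteralPath $InetSettings -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $v) { return $false }
    return (($v -band $Tls13Bit) -ne 0)
}

Write-Host 'Schannel TLS 1.3 client state before:'
Get-SchannelTls13ClientState | Format-List | Out-String | Write-Host
Enable-SchannelTls13Client
Write-Host 'Schannel TLS 1.3 client state after:'
Get-SchannelTls13ClientState | Format-List | Out-String | Write-Host
Write-Host ('inetcpl.cpl TLS 1.3 box checked: {0}' -f (Test-InternetOptionsTls13))
Write-Host 'Schannel reads these keys at boot: reboot, then retry the FortiClient SSL VPN connection.'
```

The Schannel keys are machine-wide and apply to every Schannel-based client on the host, not only FortiClient; the SecureProtocols check is per user and only tells you what the Internet Options dialog shows, which is why the two are reported separately.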

After the reboot, FortiClient connects to the FortiGate SSL VPN using TLS 1.3. The SSL VPN debug on the FortiGate now shows:


[19293:root:31d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384 <-
[19293:root:31d]req: /remote/login
[19293:root:31d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}]) <-

[19293:root:31d]sslvpn_authenticate_user:183 authenticate user: [local] <-
[19293:root:31d][fam_auth_send_req_internal:652] The user local is authenticated.
[19293:root:31d]fam_do_cb:665 fnbamd return auth success.
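
A small triage helper for the debug output shown above, added as an example and not Fortinet's code: it groups 'diagnose debug application sslvpn -1' lines by connection, records whether the handshake failed or which TLS version and cipher were negotiated, and attaches the User-Agent so that browser (web mode) and FortiClient connections can be told apart. The sample lines are the three connections quoted in this article with the arrow annotations removed; the assumption that the third bracket field (for example 2fc) identifies one connection is the example's own, based on those traces.

```powershell
# Added example, not Fortinet's code: summarise FortiGate SSL VPN debug lines per
# connection. Sample input = the three connections quoted in this article.
$Sample = @'
[19293:root:2fc]allocSSLConn:307 sconn 0x7f0946f57a00 (0:root)
[19293:root:2fc]SSL state:before SSL initialization (10.47.4.151)
[19293:root:2fc]SSL state:before SSL initialization:DH lib(10.47.4.151)
[19293:root:2fc]SSL_accept failed, 5:(null)
[19293:root:2fc]Destroy sconn 0x7f0946f57a00, connSize=0. (root)
[19293:root:302]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[19293:root:302]No client certificate
[19293:root:302]req: /remote/login
[19293:root:302]User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.81
[19293:root:31d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[19293:root:31d]req: /remote/login
[19293:root:31d]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[19293:root:31d]sslvpn_authenticate_user:183 authenticate user: [local]
[19293:root:31d][fam_auth_send_req_internal:652] The user local is authenticated.
[19293:root:31d]fam_do_cb:665 fnbamd return auth success.
'@ -split "`r?`n"

function Get-SslvpnHandshakeSummary {
    param([string[]]$Lines)
    # Assumption: prefix layout is [pid:vdom:connid]message and connid (e.g. 2fc)
    # stays constant for one TCP connection, as it does in the traces above.
    $conns = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\[(\d+):([^:\]]+):([0-9a-fA-F]+)\](.*)$') {
            $id  = $Matches[3]
            $msg = $Matches[4]
        } else { continue }
        if (-not $conns.Contains($id)) {
            $conns[$id] = [pscustomobject]@{
                ConnId = $id; ClientIp = $null; Outcome = 'no handshake result'
                Protocol = $null; Cipher = $null; UserAgent = $null; AuthSuccess = $false
            }
        }
        $c = $conns[$id]
        switch -Regex ($msg) {
            '^SSL state:.*\((\d{1,3}(?:\.\d{1,3}){3})\)$' { $c.ClientIp = $Matches[1] }
            '^SSL established: (\S+) (\S+)'              { $c.Outcome = 'established'; $c.Protocol = $Matches[1]; $c.Cipher = $Matches[2] }
            '^SSL_accept failed'                          { $c.Outcome = 'handshake failed' }
            '^User Agent: (.+)$'                          { $c.UserAgent = $Matches[1].Trim() }
            'fnbamd return auth success'                  { $c.AuthSuccess = $true }
        }
    }
    $conns.Values
}

function Get-HandshakeDiagnosis {
    param($Conn)
    # Reading taken from this article: a failed handshake with no User-Agent means the
    # connection died before any HTTP request, i.e. a TLS negotiation problem on the
    # client, not an authentication problem.
    if ($Conn.Outcome -eq 'handshake failed' -and -not $Conn.UserAgent) {
        return 'TLS handshake aborted: check client TLS 1.3 support (Schannel registry for FortiClient)'
    }
    if ($Conn.Outcome -eq 'established' -and $Conn.UserAgent -like 'FortiSSLVPN*') {
        return "FortiClient negotiated $($Conn.Protocol) $($Conn.Cipher)"
    }
    if ($Conn.Outcome -eq 'established') { return "browser/web mode negotiated $($Conn.Protocol)" }
    'no handshake result in this capture'
}

Get-SslvpnHandshakeSummary -Lines $Sample |
    Select-Object ConnId, ClientIp, Outcome, Protocol, AuthSuccess,
        @{ n = 'Diagnosis'; e = { Get-HandshakeDiagnosis $_ } } |
    Format-Table -AutoSize
```

To use it on a live capture, replace $Sample with Get-Content of the saved debug output; the table shows at a glance which connections never completed the handshake (no User-Agent, no cipher) and which client software the successful ones came from.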
