lkanakala
Staff

Description
OCSP introduction and configuration in FortiOS.

Why is OCSP introduced?

[1] OCSP enables applications to determine the revocation status of digital certificates on demand, instead of (or as a supplement to) checking a periodically published CRL. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.

Certificate Revocation Lists are periodically downloaded, cached lists of revoked certificates. A certificate can be revoked after the list was fetched, and the cached CRL would not reflect that change. OCSP avoids that problem by sending an on-demand request to an OCSP responder to confirm a certificate’s validity.

Note: There are pros and cons in using OCSP instead of CRL which need to be weighed before enabling OCSP.

OCSP responses (revocation status of a certificate):

1) Good - no certificate with the requested certificate serial number currently within its validity interval is revoked.

2) Revoked - the certificate has been revoked, either temporarily (the revocation reason is certificateHold) or permanently.

3) Unknown - the responder does not know about the certificate being requested, usually because the request indicates an unrecognized issuer that is not served by this responder.

Solution
How to enable OCSP in FortiOS.

[2][4] FortiOS 6.2 and 6.4:

# config vpn certificate setting
    set ocsp-status enable
    set ocsp-option {certificate | server}
end

[3] FortiOS 6.0:

# config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-status enable
    set ssl-ocsp-option {certificate | server} 
end

certificate: use the OCSP responder URL carried in the certificate itself (its 'Authority Information Access' extension).
server: use the URL of the OCSP server configured on the FortiGate.

Client traffic that requires OCSP validation is expected to be matched by a firewall policy with SSL deep inspection enabled.

Verifying the behaviour of OCSP in FortiOS.

Debugs.

# diag de app fnbamd -1
Debug messages will be on for 30 minutes.
# diag de en
#
[2761] handle_req-Rcvd auth_cert req id=663797170, len=1050
[1213] __fnbamd_load_certs_from_req-2 cert(s) in req.
[1241] __fnbamd_build_cert_chain-2 cert(s) after re-org.
[3191] fnbamd_ca_chain_issuer_info-check local CA cache
[3243] fnbamd_ca_chain_build-check local CA cache
[1249] __fnbamd_build_cert_chain-3 cert(s) after local cache search.
[1250] __fnbamd_build_cert_chain-Chain is complete.
[817] __fnbamd_cert_verify-Following cert chain depth 0
[817] __fnbamd_cert_verify-Following cert chain depth 1
[886] __fnbamd_cert_verify-Trusted CA found: DigiCert_Global_Root_CA
[817] __fnbamd_cert_verify-Following cert chain depth 2
[1748] cert_check_group_list-checking group type 6 group name ''
[1881] fnbamd_auth_cert_check_status-res=4
[1851] fnbamd_cert_ocsp_init-Get OCSP setting from cert
[1822] get_cert_ocsp_responder-cert subject is C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = revoked.badssl.com
[1826] get_cert_ocsp_responder-cert issuer subject is C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
[333] fnbamd_ocsp_start-Created OCSP request
[168] ocsp_connect-Try url 1: host=ocsp.digicert.com port=80(http) path=/
[491] _fnbamd_ocsp_get_rsp-tcp connected
[522] _fnbamd_ocsp_get_rsp-Sent OCSP request
[1832] auth_cert_ocsp_result-ocsp result is 4, (0: http://ocsp.digicert.com)
[536] _fnbamd_ocsp_get_rsp-recv returned: 803
[1832] auth_cert_ocsp_result-ocsp result is 4, (0: http://ocsp.digicert.com)
[536] _fnbamd_ocsp_get_rsp-recv returned: 0
[595] _fnbamd_ocsp_get_rsp-Received OCSP response
warning: no nonce in OCSP response
OCSP status: revoked, reason=-1()

[644] _fnbamd_ocsp_get_rsp-Cert status REVOKED.
[1832] auth_cert_ocsp_result-ocsp result is 1, (0: http://ocsp.digicert.com)
[1674] auth_cert_success-Matched user name '', matched group name ''
[181] fnbamd_comm_send_result-Sending result 1 (error 13, nid 672) for req 663797170

Refer to the image below (not reproduced here): the website 'revoked.badssl.com' uses a DigiCert certificate, and the FortiGate sends an OCSP request to 'http://ocsp.digicert.com' to learn the certificate’s revocation status.
As the status returned is 'REVOKED', the FortiGate presents the 'Fortinet Untrusted CA' to the client.

Refer to the image below (not reproduced here): the FortiGate obtains the URI 'http://ocsp.digicert.com' from the certificate’s extension field 'Certificate Authority Information Access'.

(In the above example, the https://www.ssl.com website is accessed without SSL deep inspection enabled, so that the original server certificate is displayed.)

Important options.

# config vpn certificate setting
    set strict-ocsp-check {enable | disable}
end

Enable or disable (the default) strict OCSP checking.
If strict checking is not enabled and the OCSP responder returns a status of unknown, the certificate can still be used, but a warning log message is written.
If strict checking is enabled, all authentication actions that use this certificate fail, in addition to the warning message being written.
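As an added example (not from this article or from Fortinet), the following Python parses a fnbamd debug capture like the one shown above into its OCSP-relevant fields and then applies the documented strict-ocsp-check rule to the resulting status. The function names are assumptions, and the debug excerpt is constructed after the capture above.

```python
import re
# Constructed excerpt of 'diag de app fnbamd -1' output, modelled on the capture above.
SAMPLE_DEBUG = """\
[1822] get_cert_ocsp_responder-cert subject is C = US, O = Example Org, CN = revoked.badssl.com
[1826] get_cert_ocsp_responder-cert issuer subject is C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
[168] ocsp_connect-Try url 1: host=ocsp.digicert.com port=80(http) path=/
[595] _fnbamd_ocsp_get_rsp-Received OCSP response
warning: no nonce in OCSP response
OCSP status: revoked, reason=-1()
"""

def _cn(dn):
    """Return the CN attribute of an 'attr = value, ...' distinguished name."""
    m = re.search(r"CN = ([^,]+)", dn)
    return m.group(1).strip() if m else None

def parse_fnbamd_ocsp(debug_text):
    """Extract subject CN, issuer CN, responder URL, OCSP status and whether
    the response carried a nonce from a fnbamd debug capture."""
    info = {"subject_cn": None, "issuer_cn": None, "responder": None,
            "status": None, "nonce_present": True}
    for line in debug_text.splitlines():
        m = re.search(r"cert subject is (.*)", line)
        if m:
            info["subject_cn"] = _cn(m.group(1))
        m = re.search(r"cert issuer subject is (.*)", line)
        if m:
            info["issuer_cn"] = _cn(m.group(1))
        m = re.search(r"Try url \d+: host=(\S+) port=\d+\((\w+)\) path=(\S+)", line)
        if m:
            host, scheme, path = m.groups()
            info["responder"] = f"{scheme}://{host}{path}"
        m = re.match(r"OCSP status: (\w+)", line)
        if m:
            info["status"] = m.group(1).lower()
        if "no nonce in OCSP response" in line:
            # Without a nonce the response is not bound to this request, so a
            # stale but validly signed response could be replayed unnoticed.
            info["nonce_present"] = False
    return info

def certificate_accepted(status, strict_ocsp_check=False):
    """Apply the documented strict-ocsp-check rule: good passes, revoked fails,
    unknown (or any unparsed status) passes with a warning unless strict is on."""
    if status == "good":
        return True, None
    if status == "revoked":
        return False, "certificate is revoked"
    return (not strict_ocsp_check), "OCSP responder returned status unknown"
```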

References.

[1] RFC 6960, Section 2 - https://tools.ietf.org/html/rfc6960
[2] FortiOS 6.2, CLI reference - https://docs.fortinet.com/document/fortigate/6.2.3/cli-reference/278620/vpn-certificate-setting
[3] FortiOS 6.0, CLI reference - https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/124466/vpn-certificate-setting
[4] FortiOS 6.4, CLI reference - https://docs.fortinet.com/document/fortigate/6.4.0/cli-reference/346620/vpn-certificate-setting

Further reading.

- OCSP & CRL and Revoked SSL Certificates - https://www.digicert.com/kb/util/utility-test-ocsp-and-crl-access-from-a-server.htm
- CRL Validation, RFC5280 - https://tools.ietf.org/html/rfc5280#section-6.3


Internal Notes

Currently, the system can already do both CRL and OCSP checking.
If a configured CRL matches a certificate, it is checked first; OCSP status checking is then performed if required.
However, dynamic CRL download is not applicable: the CRL being checked has to be imported into the system configuration.


Related Articles

Technical Tip: FortiGate strict CRL check