Description
Since FortiOS 5.0.3, SSL inspection has been improved for the case where HTTPS deep scan is not configured (no man in the middle). FortiOS now also checks the server name sent in the Client Hello of the SSL/TLS negotiation. This is called the SNI/CN method (Server Name Indication and Common Name).
FortiOS parses the TLS Server Name Indication (SNI) extension from the TLS Client Hello. The SNI is sent by the client in cleartext before any encryption is negotiated, so it can be read without decrypting the session. When this value is retrieved, it is used for non-deep web filtering inspection, in preference to the existing web filtering based on the CN of the HTTPS server certificate.
In detail:
When Deep-Scan is disabled, URL filtering for HTTPS sessions proceeds as follows:
1. Extract the hostname from the "Server Name" extension in the "Client Hello" message of the TLS handshake.
2. If a valid hostname is found in step 1, use that hostname for the local or FortiGuard category query.
3. If no valid hostname is found, fall back to the CN based web filtering query as implemented in previous versions.
When configured for SNI/CN, the real HTTPS server certificate is presented to the client for allowed URLs; the FortiGate does not act as a man in the middle for those sessions. For blocked URLs the FortiGate has to terminate the TLS session itself in order to deliver the replacement message, so the client sees the FortiGate certificate on the block page (and a browser certificate warning unless that certificate is trusted by the client).
Also, when the "block-invalid-hostname" option is enabled in the webfilter profile, a request whose "Client Hello" server name value contains an invalid hostname (certificate inspection mode only) is blocked and logged.
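The three-step procedure above and the "block-invalid-hostname" behaviour, as an added worked example that is not Fortinet's code and does not reproduce the FortiOS implementation: a small Python parser that pulls the host_name out of the server_name extension of a TLS ClientHello record, checks that it is syntactically a valid hostname, and then selects the SNI or the certificate CN for a category lookup. The ClientHello bytes, the category table and the definition of "invalid hostname" (bad label syntax or an IP literal, which RFC 6066 forbids in SNI) are constructed assumptions for the example.

```python
import re
import struct
from typing import Optional

# RFC 1123 label syntax: letters, digits, hyphens; no leading or trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Assumed definition of a 'valid hostname' for the block-invalid-hostname check."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    labels = name.split(".")
    if all(label.isdigit() for label in labels):      # IPv4 literal: not allowed in SNI
        return False
    return all(_LABEL.match(label) for label in labels)


def extract_sni(record: bytes) -> Optional[bytes]:
    """Return the host_name bytes from the server_name extension of a TLS ClientHello record, else None."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                      # skip client_version and random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                             # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                             # compression_methods
    if len(hello) < pos + 2:                          # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if end > len(hello):
        return None
    while pos + 4 <= end:                             # walk extensions: type(2) length(2) data
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype != 0x0000:                           # 0x0000 = server_name
            continue
        if len(edata) < 2:
            return None
        list_end = min(2 + struct.unpack("!H", edata[:2])[0], len(edata))
        p = 2
        while p + 3 <= list_end:                      # entries: name_type(1) length(2) name
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            if ntype == 0x00:                         # host_name
                return edata[p:p + nlen]
            p += nlen
    return None


def classify_https(record: bytes, cert_cn: str, categories: dict,
                   block_invalid_hostname: bool = False) -> tuple:
    """Apply the SNI-first, CN-fallback selection; returns (method, hostname_used, category)."""
    sni = extract_sni(record)
    if sni is not None:
        name = sni.decode("ascii", errors="replace")
        if is_valid_hostname(name):
            return ("sni", name, categories.get(name.lower(), "unrated"))
        if block_invalid_hostname:                    # invalid SNI: block and log instead of falling back
            return ("blocked-invalid-hostname", name, None)
    return ("cn", cert_cn, categories.get(cert_cn.lower(), "unrated"))


def build_client_hello(sni: Optional[bytes]) -> bytes:
    """Constructed TLS 1.2-style ClientHello record (one cipher suite, one unrelated extension first)."""
    exts = struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x1d"   # supported_groups: x25519
    if sni is not None:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    hello = b"\x03\x03" + b"\x11" * 32 + b"\x00"                 # version, random, empty session_id
    hello += struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"    # one cipher suite, null compression
    hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    table = {"www.example.com": "Information Technology"}        # constructed category table
    print(classify_https(build_client_hello(b"www.example.com"), "example.com", table))
    print(classify_https(build_client_hello(None), "example.com", table))
    print(classify_https(build_client_hello(b"10.0.0.1"), "example.com", table, True))
```

The parser deliberately walks past unrelated extensions and tolerates a ClientHello with no extensions block, which is the case that forces the CN fallback; in a real deployment the CN would come from the server certificate seen in the same session rather than from a parameter.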