Description

When load balancing with SSL offloading is used in a Virtual Server configuration (i.e. the server type is HTTPS), the FortiGate sends empty fragments by default.

Sending an empty fragment is a technique used to defend against plaintext attacks on cipher-block chaining (CBC) mode when the initialization vector (IV) is known.

Some older or buggy SSL implementations, on the client side or the server side, cannot handle empty fragments properly.

One visible side effect is that the client cannot upload large files to the web server through HTTPS.
Scope

FortiOS 4.0 and above
Solution

Empty fragments can be disabled per Virtual Server with the following CLI parameter:

config firewall vip
    edit "your_HTTPS_VirtualServer"
        set ssl-send-empty-frags disable
    next
end
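To make clear what is traded away when the option is disabled, the following added example (not FortiOS or Fortinet code) models the SSL 3.0/TLS 1.0 chained-IV behaviour that the empty fragment mitigates; the block cipher is a keyed-hash stand-in, an assumption made only to keep the model self-contained.

```python
"""Toy model of SSL 3.0 / TLS 1.0 CBC record chaining. The last ciphertext
block of one record is the IV of the next record, so anyone watching the
wire knows the next IV in advance. A zero-length record (empty fragment)
sent first makes the IV of the data record depend on the MAC key instead.
Added example, not FortiOS code; the block cipher is a keyed-hash stand-in
(assumption), since only the IV chaining matters here."""
import hashlib
import hmac

BLOCK = 16


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for a 16-byte block cipher (not invertible; encrypt-only model).
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(prev, chunk)))
        out.append(prev)
    return b"".join(out)


def record_payload(mac_key: bytes, seq: int, data: bytes) -> bytes:
    # data || MAC(seq || data); data is kept block-aligned so no padding is needed.
    assert len(data) % BLOCK == 0
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + data, "sha256").digest()
    return data + tag[:BLOCK]


def send_record(enc_key, mac_key, chain_iv, seq, data):
    """Return (ciphertext, IV that the following record will chain from)."""
    ct = cbc_encrypt(enc_key, chain_iv, record_payload(mac_key, seq, data))
    return ct, ct[-BLOCK:]


def effective_iv(enc_key, mac_key, chain_iv, seq):
    """IV the next data record uses after an empty fragment is sent first."""
    return send_record(enc_key, mac_key, chain_iv, seq, b"")[1]


def demo(send_empty_frags: bool, enc_key: bytes, mac_key: bytes):
    """Return (observer's prediction of the data record's IV, IV actually used)."""
    prev_ct, iv = send_record(enc_key, mac_key, b"\x00" * BLOCK, 0, b"A" * BLOCK)
    observer_guess = prev_ct[-BLOCK:]  # everything the observer has seen so far
    if send_empty_frags:
        iv = effective_iv(enc_key, mac_key, iv, 1)  # depends on the MAC key
    send_record(enc_key, mac_key, iv, 2, b"B" * BLOCK)  # the real data record
    return observer_guess, iv
```

With `ssl-send-empty-frags disable`, the model's first case applies: the IV of every data record is the last block already seen on the wire.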