Description
This article describes how to block invalid and revoked certificates and test on badssl site.
Solution
Under the SSL/SSH inspection profile, set 'Block' for 'invalid SSL certificates'.
1) For https://revoked.badssl.com/
The page https://revoked.badssl.com/ is revoked by the Certificate OCSP status check. FortiGate is not doing a strict CRL check, and it is not querying the certificate OCSP by default.
The page https://revoked.badssl.com/ is revoked by the Certificate OCSP status check. FortiGate is not doing a strict CRL check, and it is not querying the certificate OCSP by default.
Enable the OCSP status check via the following config change:
# config vpn certificate setting2) For https://wrong.host.badssl.com/:
set ocsp-option certificate
set ocsp-status enable <-----
set strict-crl-check enable
set strict-ocsp-check enable
end
Below config is required to block invalid certificates:
# config firewall ssl-ssh-profile3) For https://pinning-test.badssl.com/:
edit "Block_Invalid"
# config https
set invalid-server-cert block <-----
set sni-server-cert-check strict <-----
end
Currently there is no plan to support Public-Key-Pins verification during SSL Inspection.
FortiGate administrators can manually block such websites using a WebFilter profile if needed.
Note:
Note:
- Blocking invalid and revoked certificates would work only upon using full inspection not certificate inspection on flow based policy.
-By design:
>>Flow mode + deep-inspection will block expired and revoked cert.
>>Flow mode + cert-inspection won't block expired and revoked cert.
Related article:
