Created on 08-31-2021 02:49 AM Edited on 11-07-2022 11:04 PM By Anthony_E
Description
This article describes how to block invalid and revoked server certificates with SSL deep inspection, and how to verify the behaviour against the badssl.com test site.
Solution
1) For invalid and revoked certificates:
Under the SSL/SSH inspection profile, set 'Block' for 'Invalid SSL certificates'. To have revoked certificates treated as invalid as well, enable OCSP and strict CRL/OCSP checking:
# config vpn certificate setting
    set ocsp-option certificate
    set ocsp-status enable <-----
    set strict-crl-check enable
    set strict-ocsp-check enable
end

2) For https://wrong.host.badssl.com/:
The certificate served here is valid but issued for a different name, so it is only caught when the SNI in the client hello is compared with the CN/SAN of the returned certificate and a mismatch closes the session:
# config firewall ssl-ssh-profile
    edit "Block_Invalid"
        config https
            set invalid-server-cert block <-----
            set sni-server-cert-check strict <-----
        end
    next
end

3) For https://pinning-test.badssl.com/:
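The comparison behind 'sni-server-cert-check strict' is ordinary RFC 6125 name matching: a wildcard covers exactly one DNS label, which is why the *.badssl.com certificate is accepted for sha256.badssl.com but rejected for wrong.host.badssl.com. The script below is an added example, not Fortinet code: the SAN list is constructed for the demo, and the allow/block verdicts for the 'disable', 'enable' and 'strict' modes are this example's reading of the option, not the FortiGate implementation.

```python
"""Emulate the hostname check behind 'sni-server-cert-check strict'.

Added example, not FortiGate code. The SAN list at the bottom is constructed
to resemble the badssl.com wildcard certificate; the mode semantics in
verdict() are assumptions about the option, not Fortinet's implementation.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style comparison of one dNSName SAN entry.

    A '*' is accepted only as the complete left-most label and covers exactly
    one label, so '*.badssl.com' matches 'sha256.badssl.com' but neither
    'wrong.host.badssl.com' (two labels) nor 'badssl.com' (zero labels).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole first label (no 'w*.badssl.com'), and at
    # least two fixed labels must follow it ('*.com' would cover every .com).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def sni_matches_cert(sni: str, san_dns_names: list[str]) -> bool:
    """True if the client's SNI is covered by any dNSName SAN entry."""
    return any(dns_name_matches(name, sni) for name in san_dns_names)


def verdict(sni: str, san_dns_names: list[str], mode: str) -> str:
    """Session outcome for the three sni-server-cert-check modes.

    Assumed semantics (this example's reading of the option):
      'disable': no comparison at all, session allowed.
      'enable' : mismatch tolerated; session continues and the certificate
                 name rather than the SNI is used for filtering.
      'strict' : mismatch closes the session.
    """
    if mode == "disable":
        return "allow"
    if sni_matches_cert(sni, san_dns_names):
        return "allow"
    if mode == "enable":
        return "allow-using-cert-name"
    if mode == "strict":
        return "block"
    raise ValueError(f"unknown mode {mode!r}")


# Constructed SAN list modelled on the badssl.com wildcard certificate.
BADSSL_SANS = ["*.badssl.com", "badssl.com"]

if __name__ == "__main__":
    for host in ("sha256.badssl.com", "badssl.com", "wrong.host.badssl.com"):
        print(f"{host:24} strict -> {verdict(host, BADSSL_SANS, 'strict')}")
```

Running it prints 'allow' for the first two names and 'block' for wrong.host.badssl.com, which is the result to expect in the browser once the profile above is applied; switching the mode to 'enable' lets the same session through, which is the difference the strict setting makes.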