lkanakala
Article Id 198293

Description

OCSP introduction and configuration in FortiOS.

Why was OCSP introduced?

[1] OCSP enables applications to determine the revocation status of digital certificates instead of (or as a supplement to) checking a periodically published CRL. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.

A Certificate Revocation List is a periodically published list of revoked certificates that clients cache. A certificate's status can change after the list was published, and the cached CRL will not reflect that change. OCSP avoids that problem by sending an on-demand request to an OCSP responder to confirm the certificate's current status.

Note: There are pros and cons in using OCSP instead of CRL which need to be weighed before enabling OCSP.

OCSP responses (revocation status of a certificate):

1) Good - no certificate with the requested certificate serial number currently within its validity interval is revoked.

2) Revoked - the certificate has been revoked, either temporarily (the revocation reason is certificateHold) or permanently.

3) Unknown - the responder does not know about the certificate being requested, usually because the request indicates an unrecognized issuer that is not served by this responder.

Solution

How to enable OCSP in FortiOS.

[2][4] FortiOS 6.2 and 6.4:

# config vpn certificate setting
    set ocsp-status enable
    set ocsp-option {certificate | server}
end

[3] FortiOS 6.0:


# config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-status enable
    set ssl-ocsp-option {certificate | server}
end

- certificate: use the OCSP responder URL carried in the certificate.
- server: use the URL of the OCSP server configured on the FortiGate.

For client traffic to be OCSP-validated, the firewall policy that matches it is expected to have SSL deep inspection enabled.

Verifying the behavior of OCSP in FortiOS.

Debugs.

# diag de app fnbamd -1
Debug messages will be on for 30 minutes.
# diag de en
#
[2761] handle_req-Rcvd auth_cert req id=663797170, len=1050
[1213] __fnbamd_load_certs_from_req-2 cert(s) in req.
[1241] __fnbamd_build_cert_chain-2 cert(s) after re-org.
[3191] fnbamd_ca_chain_issuer_info-check local CA cache
[3243] fnbamd_ca_chain_build-check local CA cache
[1249] __fnbamd_build_cert_chain-3 cert(s) after local cache search.
[1250] __fnbamd_build_cert_chain-Chain is complete.
[817] __fnbamd_cert_verify-Following cert chain depth 0
[817] __fnbamd_cert_verify-Following cert chain depth 1
[886] __fnbamd_cert_verify-Trusted CA found: DigiCert_Global_Root_CA
[817] __fnbamd_cert_verify-Following cert chain depth 2
[1748] cert_check_group_list-checking group type 6 group name ''
[1881] fnbamd_auth_cert_check_status-res=4
[1851] fnbamd_cert_ocsp_init-Get OCSP setting from cert
[1822] get_cert_ocsp_responder-cert subject is C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = revoked.badssl.com
[1826] get_cert_ocsp_responder-cert issuer subject is C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
[333] fnbamd_ocsp_start-Created OCSP request
[168] ocsp_connect-Try url 1: host=ocsp.digicert.com port=80(http) path=/
[491] _fnbamd_ocsp_get_rsp-tcp connected
[522] _fnbamd_ocsp_get_rsp-Sent OCSP request
[1832] auth_cert_ocsp_result-ocsp result is 4, (0: http://ocsp.digicert.com)
[536] _fnbamd_ocsp_get_rsp-recv returned: 803
[1832] auth_cert_ocsp_result-ocsp result is 4, (0: http://ocsp.digicert.com)
[536] _fnbamd_ocsp_get_rsp-recv returned: 0
[595] _fnbamd_ocsp_get_rsp-Received OCSP response
warning: no nonce in OCSP response
OCSP status: revoked, reason=-1()

[644] _fnbamd_ocsp_get_rsp-Cert status REVOKED.
[1832] auth_cert_ocsp_result-ocsp result is 1, (0: http://ocsp.digicert.com)
[1674] auth_cert_success-Matched user name '', matched group name ''
[181] fnbamd_comm_send_result-Sending result 1 (error 13, nid 672) for req 663797170

Refer to the image below: the website 'revoked.badssl.com' uses a DigiCert certificate, and the FortiGate sends an OCSP request to 'http://ocsp.digicert.com' to learn the certificate's revocation status.
As the returned status is 'REVOKED', the FortiGate presents the 'Fortinet Untrusted CA' certificate to the client.

Refer to the image below: the FortiGate fetches the responder URI 'http://ocsp.digicert.com' from the certificate's 'Authority Information Access' extension.

(In the example above, the https://www.ssl.com website is accessed without SSL deep inspection enabled so that the original server certificate is displayed.)
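The request the debug output records as 'Created OCSP request' (and the nonce the 'no nonce in OCSP response' warning refers to) have a fixed structure defined in RFC 6960. The Python below is an added example, not FortiOS or Fortinet code: it DER-encodes an OCSPRequest for one certificate from the issuer's Name DER, the issuer's public-key bits and the certificate serial, optionally adds the nonce extension, and includes a small DER walker so the result can be inspected. It assumes the caller has already extracted the issuer Name and SubjectPublicKey bits from the issuer certificate (for example with openssl); the sample inputs used for checking are constructed.

```python
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")            # 1.3.14.3.2.26 (sha1)
NONCE_OID = bytes.fromhex("2b0601050507300102")   # 1.3.6.1.5.5.7.48.1.2 (id-pkix-ocsp-nonce)

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short- or long-form) length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is added when the high bit is set."""
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_children(tlv: bytes) -> list:
    """Split a constructed TLV into its (tag, value) children, for inspection."""
    def tlv_at(buf, i):
        tag, ln, p = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                 # long-form length
            k = ln & 0x7F
            ln, p = int.from_bytes(buf[p:p + k], "big"), p + k
        return tag, buf[p:p + ln], p + ln
    _, body, _ = tlv_at(tlv, 0)
    out, i = [], 0
    while i < len(body):
        tag, value, i = tlv_at(body, i)
        out.append((tag, value))
    return out

def build_ocsp_request(issuer_name_der: bytes, issuer_pubkey_bits: bytes,
                       serial: int, nonce: bytes = b"") -> bytes:
    """OCSPRequest for one CertID (RFC 6960 4.1.1), optionally with a nonce (4.4.1).
    issuer_name_der:    DER of the issuer Name copied from the issuer certificate (assumed extracted)
    issuer_pubkey_bits: value of the issuer SubjectPublicKey BIT STRING, without the unused-bits byte
    """
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))   # AlgorithmIdentifier { sha1, NULL }
    cert_id = der(0x30, alg
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())     # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_pubkey_bits).digest())  # issuerKeyHash
                  + der_int(serial))                                      # serialNumber
    tbs = der(0x30, der(0x30, cert_id))                     # requestList: SEQUENCE OF Request
    if nonce:
        # extnValue is an OCTET STRING that itself wraps the nonce as an OCTET STRING
        ext = der(0x30, der(0x06, NONCE_OID) + der(0x04, der(0x04, nonce)))
        tbs += der(0xA2, der(0x30, ext))                    # requestExtensions [2] EXPLICIT
    return der(0x30, der(0x30, tbs))                        # OCSPRequest { tbsRequest }
```

The resulting bytes are sent as the body of an HTTP POST with Content-Type application/ocsp-request to the responder URL, which is what the FortiGate does towards http://ocsp.digicert.com in the debug above; a responder that returns no nonce, as in that output, cannot prove its response is fresh for this particular request.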
 
OCSP responder errors and FortiGate debugs.

1. Unauthorized errors.
The 'unauthorized' response is returned when the client is not authorized to make queries to this responder.

In the FortiGate, the following debug lines are displayed:

2023-02-09 09:39:50 [282] fnbamd_verify_ocsp_response-OCSP responder error: unauthorized (code 6)
2023-02-09 09:39:50 [251] __cert_ocsp_resp_verify-verify_ocsp_response returns 5 -1

In this case, the administrator needs to verify the OCSP server configuration and allow connections from the appropriate clients.

Other OCSP responder errors:

2. malformedRequest - the request does not conform to the OCSP syntax the responder expects.

3. internalError - indicates that the OCSP responder reached an inconsistent internal state. The query should be retried, potentially with another responder.

4. tryLater - indicates that the OCSP server is currently busy and unable to respond.

5. sigRequired - the OCSP server requires the client to sign the request in order to construct a response.

Important options.

# config vpn certificate setting
    set strict-ocsp-check {enable | disable}
end

Enable or disable (the default) strict OCSP checking.
If strict checking is disabled and an OCSP server responds with a certificate status of 'unknown', the certificate can still be used, but a warning log message is written.
If strict checking is enabled, all authentication actions that use this certificate fail in addition to the warning message being written.

References.

[1] RFC 6960, section 2 - https://tools.ietf.org/html/rfc6960.
[2] FortiOS 6.2 CLI reference - https://docs.fortinet.com/document/fortigate/6.2.3/cli-reference/278620/vpn-certificate-setting.
[3] FortiOS 6.0 CLI reference - https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/124466/vpn-certificate-setting.
[4] FortiOS 6.4 CLI reference - https://docs.fortinet.com/document/fortigate/6.4.0/cli-reference/346620/vpn-certificate-setting.

Further reading.

- OCSP & CRL and Revoked SSL Certificates - https://www.digicert.com/kb/util/utility-test-ocsp-and-crl-access-from-a-server.htm.
- CRL Validation, RFC5280 - https://tools.ietf.org/html/rfc5280#section-6.3.

 

Related Articles:

Technical Tip: FortiGate strict CRL check