PSIRT Advisory

FortiOS SSL Deep-Inspection Proxy Mode Compliance


US-CERT published a document which outlines some security flaws that may be introduced by the use of SSL Deep-Inspection.

FortiOS was flagged as "potentially vulnerable" to some of these vulnerabilities under SSL Deep-Inspection Proxy Mode.


Impact

Improper Access Control

Affected Products

Under SSL Deep-Inspection Proxy Mode:

FortiOS 5.6.0, FortiOS 5.4.8 and below.

FortiOS 5.6.0 and below.

FortiOS 5.6.0 and below.

FortiOS all versions.


Solutions

For SSL Deep-Inspection Proxy Mode:


Branch 5.6: Upgrade to FortiOS 5.6.1 or above
Branch 5.4: Upgrade to FortiOS 5.4.9 or above


Upgrade to FortiOS 5.6.1 or above, and adjust the configuration via the following CLI commands to enable automatic checking of revoked certificates through OCSP:

config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-status enable
    set ssl-ocsp-option certificate
end
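To verify that the setting above actually took effect on a fleet of devices, a configuration audit over the saved `show full-configuration` output is more reliable than a visual check. The following script is an added example, not Fortinet's own tooling; it parses the `config vpn certificate setting` block and reports any of the three OCSP values that is missing or differs from the advisory's recommendation (the sample configurations in it are constructed).

```python
# Added example (not Fortinet's own tooling): audit a FortiOS configuration
# dump for the OCSP settings this advisory recommends.  Input is the text of
# `show full-configuration` (or a saved config file); samples are constructed.

# The three values the advisory tells administrators to set.
REQUIRED = {
    "ocsp-status": "enable",
    "ssl-ocsp-status": "enable",
    "ssl-ocsp-option": "certificate",
}

def parse_block(config_text, block_name):
    """Return the top-level 'set' key/values of one FortiOS config block.
    `config <path>` opens a block and `end` closes it; nested `config`/`edit`
    sections close with `end`/`next` and are skipped by tracking depth."""
    settings, depth = {}, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:                       # not inside the wanted block yet
            if line == f"config {block_name}":
                depth = 1
            continue
        if line.startswith(("config ", "edit ")):
            depth += 1
        elif line in ("end", "next"):
            depth -= 1
            if depth == 0:                   # block of interest closed
                break
        elif depth == 1 and line.startswith("set "):
            parts = line.split(None, 2)      # "set", key, value
            if len(parts) == 3:
                settings[parts[1]] = parts[2].strip('"')
    return settings

def ocsp_findings(config_text):
    """Map each required setting that is missing or wrong to (expected, actual);
    actual is None when the key is absent (with plain `show` that means the
    factory default, so check it explicitly on the box)."""
    actual = parse_block(config_text, "vpn certificate setting")
    return {k: (v, actual.get(k)) for k, v in REQUIRED.items() if actual.get(k) != v}

# Constructed samples: before and after applying the advisory's CLI commands.
WEAK_CONFIG = "config vpn certificate setting\n    set ocsp-status disable\nend\n"
HARDENED_CONFIG = ("config vpn certificate setting\n    set ocsp-status enable\n"
                   "    set ssl-ocsp-status enable\n    set ssl-ocsp-option certificate\nend\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, ocsp_findings(text) or "compliant")
```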


Upgrade to FortiOS 5.6.1 or above.


Currently there is no plan to support Public-Key-Pins verification during SSL Deep-Inspection. FortiGate administrators can manually block websites that rely on Public-Key-Pins using a webfilter profile if needed.

2018-05-16 Initial version
2018-06-22 Emphasized that the advisory is specific to SSL Deep-Inspection Proxy Mode