FortiOS proxy mode SSL Deep Inspection badssl.com Compliance

Summary

US-CERT published an alert at https://www.us-cert.gov/ncas/alerts/TA17-075A which outlines security weaknesses that the use of SSL Deep-Inspection may introduce.
FortiOS was flagged as "potentially vulnerable" to some of these weaknesses by badssl.com.

Affected Products

Solutions

  • https://sha1-intermediate.badssl.com
    Branch 5.6: Upgrade to FortiOS 5.6.1 or above
    Branch 5.4: Upgrade to FortiOS 5.4.9
  • https://revoked.badssl.com
    Upgrade to FortiOS 5.6.1 or above, and apply the following CLI commands to enable automatic checking of revoked certificates through OCSP:
        config vpn certificate setting
            set ocsp-status enable
            set ssl-ocsp-status enable
            set ssl-ocsp-option certificate
        end
  • https://invalid-expected-sct.badssl.com
    Upgrade to FortiOS 5.6.1 or above.
  • https://pinning-test.badssl.com
    Currently there is no plan to support Public-Key-Pins verification during SSL Deep-Inspection. FortiGate administrators can manually block such websites using a webfilter profile if needed.
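As an added example (not Fortinet code), the following script audits a FortiOS configuration backup for the three OCSP settings recommended above for the revoked-certificate case; the minimal block parser and the sample configuration are constructed for this illustration.

```python
# Audit a FortiOS config backup for the OCSP settings this advisory asks for
# under 'config vpn certificate setting'. Added example, not Fortinet code.
REQUIRED_OCSP_SETTINGS = {
    "ocsp-status": "enable",
    "ssl-ocsp-status": "enable",
    "ssl-ocsp-option": "certificate",
}

def parse_config_block(config_text, block_name):
    """Return the flat 'set key value' pairs inside the named top-level block
    (minimal reader of FortiOS 'config ... end'; nested sections are skipped)."""
    settings, depth, inside = {}, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not inside:
            inside = line == f"config {block_name}"
            continue
        if line.startswith(("config ", "edit ")):
            depth += 1
        elif line in ("end", "next"):
            if depth == 0:
                break  # the 'end' that closes the block we wanted
            depth -= 1
        elif depth == 0 and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                settings[parts[1]] = parts[2].strip('"')
    return settings

def missing_ocsp_settings(config_text):
    """Return (key, expected, actual) for each required setting that is absent
    or has another value; an empty list means the block is compliant."""
    actual = parse_config_block(config_text, "vpn certificate setting")
    return [(k, v, actual.get(k)) for k, v in REQUIRED_OCSP_SETTINGS.items()
            if actual.get(k) != v]

# Constructed sample backup: only the first OCSP flag is switched on.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-example"
end
config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-status disable
end
"""

if __name__ == "__main__":
    for key, expected, actual in missing_ocsp_settings(SAMPLE_CONFIG):
        print(f"{key}: expected {expected}, found {actual}")
```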