FortiOS SSL Deep-Inspection Proxy Mode badssl.com Compliance

Summary

US-CERT published an alert at https://www.us-cert.gov/ncas/alerts/TA17-075A which outlines security weaknesses that SSL Deep-Inspection (HTTPS interception) can introduce.

FortiOS was flagged as "potentially vulnerable" to some of these vulnerabilities by badssl.com under SSL Deep-Inspection Proxy Mode.

Affected Products

* https://sha1-intermediate.badssl.com
FortiOS 5.6.0, FortiOS 5.4.8 and below.
* https://revoked.badssl.com
FortiOS 5.6.0 and below.
* https://invalid-expected-sct.badssl.com
FortiOS 5.6.0 and below.
* https://pinning-test.badssl.com
FortiOS, all versions.

Solutions

* https://sha1-intermediate.badssl.com
Branch 5.6: Upgrade to FortiOS 5.6.1 or above.
Branch 5.4: Upgrade to FortiOS 5.4.9.
* https://revoked.badssl.com
Upgrade to FortiOS 5.6.1 or above, and enable automatic checking of revoked certificates through OCSP with the following CLI commands:
    config vpn certificate setting
        set ocsp-status enable
        set ssl-ocsp-status enable
        set ssl-ocsp-option certificate
    end
* https://invalid-expected-sct.badssl.com
Upgrade to FortiOS 5.6.1 or above.
* https://pinning-test.badssl.com
There is currently no plan to support Public-Key-Pins verification during SSL Deep-Inspection. FortiGate administrators can manually block such websites using a webfilter profile if needed.
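As an added example (not Fortinet code), the script below audits an exported FortiOS configuration backup for the three OCSP settings required by the revoked.badssl.com solution; the function names parse_fortios_config and audit_ocsp_settings are chosen here, and the sample backup text is constructed, not taken from a real device.

```python
import re

# Settings the advisory's CLI snippet applies: all three must hold for FortiOS to
# auto-check revoked certificates via OCSP during SSL deep inspection.
REQUIRED = {
    "ocsp-status": "enable",
    "ssl-ocsp-status": "enable",
    "ssl-ocsp-option": "certificate",
}


def parse_fortios_config(text):
    """Return {block_path: {key: value}} for each 'config'/'edit' block in a
    FortiOS CLI backup; nested paths are space-joined ('vpn certificate setting')."""
    blocks, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):      # open a (possibly nested) block
            stack.append(line.split(None, 1)[1].strip('"'))
            blocks.setdefault(" ".join(stack), {})
        elif line in ("end", "next") and stack:        # close the innermost block
            stack.pop()
        elif line.startswith("set ") and stack:        # record key/value in current block
            m = re.match(r'set\s+(\S+)\s+(.*)$', line)
            if m:
                blocks[" ".join(stack)][m.group(1)] = m.group(2).strip().strip('"')
    return blocks


def audit_ocsp_settings(config_text):
    """Map each non-compliant required key to (expected, actual); actual is None
    when the line is absent, which in a backup means the FortiOS default applies."""
    found = parse_fortios_config(config_text).get("vpn certificate setting", {})
    return {k: (v, found.get(k)) for k, v in REQUIRED.items() if found.get(k) != v}


# Constructed sample backup (not a real device dump): OCSP is on, but SSL OCSP
# checking is disabled and the ssl-ocsp-option line is missing.
SAMPLE_BACKUP = """\
config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-status disable
end
"""

if __name__ == "__main__":
    for key, (want, got) in audit_ocsp_settings(SAMPLE_BACKUP).items():
        print(f"{key}: expected {want!r}, found {got!r}")
```

Run it against a full `show` or backup export; an empty result means the revocation-checking settings match the advisory.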