FortiOS SSL Deep-Inspection Proxy Mode badssl.com Compliance
Fortinet PSIRT Contact:
Website: https://fortiguard.fortinet.com/faq/psirt-contact
Advisory ID: FG-IR-17-160
Status: Final
Date: 2018-05-16
US-CERT alert TA17-075A (https://www.us-cert.gov/ncas/alerts/TA17-075A) describes the security weaknesses that HTTPS interception products (SSL Deep-Inspection) can introduce when they validate server certificates less strictly than the client would, and points to badssl.com as a way to test for them. Under SSL Deep-Inspection in proxy mode, FortiOS was flagged as "potentially vulnerable" by several of the badssl.com tests.
Impact: Improper Access Control
Affected Products:
* https://sha1-intermediate.badssl.com: FortiOS 5.6.0, FortiOS 5.4.8 and below
* https://revoked.badssl.com: FortiOS 5.6.0 and below
* https://invalid-expected-sct.badssl.com: FortiOS 5.6.0 and below
* https://pinning-test.badssl.com: all FortiOS versions
Solutions:
* https://sha1-intermediate.badssl.com
  Branch 5.6: Upgrade to FortiOS 5.6.1 or above
  Branch 5.4: Upgrade to FortiOS 5.4.9
* https://revoked.badssl.com
  Upgrade to FortiOS 5.6.1 or above, and adjust the configuration via the following CLI commands to enable automatic checking of revoked certificates through OCSP:

    config vpn certificate setting
        set ocsp-status enable
        set ssl-ocsp-status enable
        set ssl-ocsp-option certificate
    end

* https://invalid-expected-sct.badssl.com
  Upgrade to FortiOS 5.6.1 or above.
* https://pinning-test.badssl.com
  Currently there is no plan to support Public-Key-Pins verification during SSL Deep-Inspection. FortiGate administrators can manually block such websites using a webfilter profile if needed.
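The badssl.com tests above are negative tests: a deep-inspecting proxy passes only if the page cannot be loaded from behind it. The following probe, an added example that is not part of the advisory and not Fortinet code, requests each of the four hosts named in the advisory and reports a verdict per host. It assumes it is run from a client behind the FortiGate that trusts the FortiGate's re-signing CA, so that the client's own validation always succeeds and a completed request means the proxy accepted a certificate it should have rejected. The host list, verdict names and the `probe_fn` hook are this example's own choices.

```python
"""Compliance probe for the badssl.com tests named in FG-IR-17-160.

Constructed example. Run it from a client behind a deep-inspecting FortiGate
that trusts the FortiGate's re-signing CA: in that position the client's own
TLS validation always succeeds, so a completed HTTPS request means the proxy
accepted a server certificate that should have been rejected.
"""
import http.client
import socket
import ssl

# Test hosts from the advisory, paired with the fix the advisory lists for each.
BADSSL_TESTS = {
    "sha1-intermediate.badssl.com": "FortiOS 5.6.1+ (branch 5.6) or 5.4.9 (branch 5.4)",
    "revoked.badssl.com": "FortiOS 5.6.1+ with ssl-ocsp-status enabled",
    "invalid-expected-sct.badssl.com": "FortiOS 5.6.1+",
    "pinning-test.badssl.com": "no fix planned; block via webfilter profile",
}


def probe(host, port=443, timeout=10.0):
    """Fetch https://host/ and report whether the connection was blocked.

    Returns ("blocked", reason) when the TCP connection or TLS handshake fails,
    or ("accepted", http_status) when a full HTTPS request completes.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/", headers={"Host": host, "Connection": "close"})
        status = conn.getresponse().status
        return ("accepted", status)
    except ssl.SSLCertVerificationError as exc:
        # The client itself rejected the chain: this happens when no trusted
        # re-signing proxy is in the path, or the proxy passed the bad chain through.
        return ("blocked", "client-side verification: %s" % exc.reason)
    except ssl.SSLError as exc:
        # Handshake aborted by the peer (e.g. the proxy refused to re-sign).
        return ("blocked", "handshake failed: %s" % exc)
    except (OSError, socket.timeout) as exc:
        # Connection refused, reset or timed out.
        return ("blocked", "connection failed: %s" % exc)
    finally:
        conn.close()


def evaluate(results):
    """Map {host: (outcome, detail)} to {host: "PASS" | "FAIL"}.

    A badssl.com negative test passes only when the page cannot be loaded.
    """
    return {
        host: ("PASS" if outcome == "blocked" else "FAIL")
        for host, (outcome, _detail) in results.items()
    }


def run(tests=BADSSL_TESTS, probe_fn=probe):
    """Probe every test host; return {host: (verdict, (outcome, detail), fix)}.

    probe_fn is injectable so the verdict logic can be exercised offline.
    """
    results = {host: probe_fn(host) for host in tests}
    verdicts = evaluate(results)
    return {host: (verdicts[host], results[host], tests[host]) for host in tests}


if __name__ == "__main__":
    for host, (verdict, (outcome, detail), fix) in run().items():
        print("%-4s %-32s %s: %s  [fix: %s]" % (verdict, host, outcome, detail, fix))
```

Two caveats when reading the output. First, a control run with no inspection device in the path is not a clean baseline: Python's `ssl` module performs no revocation checking and does not enforce HTTP Public Key Pinning, so `revoked.badssl.com` and `pinning-test.badssl.com` load even though a browser might reject them; only the SHA-1 and SCT tests fail client-side. Second, if the FortiGate is configured to serve a replacement page instead of dropping the session, the probe sees a completed request and reports FAIL; check the returned status and body in that case before concluding the proxy accepted the certificate.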
Advisory URL: https://fortiguard.fortinet.com/psirt/FG-IR-17-160
Reference: https://www.us-cert.gov/ncas/alerts/TA17-075A
Affected versions: FortiOS 5.6.0, FortiOS 5.4.8, FortiOS 5.4.5, FortiOS 5.4.0
CVE ID: CVE-2005-4900