FortiOS proxy mode SSL Deep Inspection badssl.com Compliance

FortiOS proxy mode SSL Deep Inspection badssl.com Compliance Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-17-160 Final 1 1 2018-05-16T00:00:00 Current version 2018-05-16T00:00:00 2018-05-16T00:00:00 US-Cert published a document at https://www.us-cert.gov/ncas/alerts/TA17-075A which outlines some security flaws that may be introduced by the use of SSL Deep-Inspection. FortiOS was flagged as "potentially vulnerable" to some of these vulnerabilities by badssl.com. Improper access control https://sha1-intermediate.badssl.comFortiOS 5.6.0, FortiOS 5.4.8 and below. https://revoked.badssl.comFortiOS 5.6.0 and below. https://invalid-expected-sct.badssl.comFortiOS 5.6.0 and below.* https://pinning-test.badssl.comFortiOS all versions. https://sha1-intermediate.badssl.comBranch 5.6: Upgrade to FortiOS 5.6.1 or aboveBranch 5.4: Upgrade to FortiOS 5.4.9 https://revoked.badssl.comUpgrade to FortiOS 5.6.1 or above, and adjust the configuration via the following CLI commands, to enable the auto-checking of revoked certificates through OCSP:config vpn certificate setting set ocsp-status enable set ssl-ocsp-status enable set ssl-ocsp-option certificateend https://invalid-expected-sct.badssl.comUpgrade to FortiOS 5.6.1 or above.* https://pinning-test.badssl.comCurrently there is no plan to support Public-Key-Pins verification during SSL Deep-Inspection. FortiGate administrators can manually block such websites using a webfilter profile if needed. https://fortiguard.fortinet.com/psirt/FG-IR-17-160 FortiOS proxy mode SSL Deep Inspection badssl.com Compliance https://www.us-cert.gov/ncas/alerts/TA17-075A https://www.us-cert.gov/ncas/alerts/TA17-075A https://www.cvedetails.com/cve/CVE-2005-4900/ https://www.cvedetails.com/cve/CVE-2005-4900/ FortiOS 5.6.0 FortiOS 5.4.8 FortiOS 5.4.5 FortiOS 5.4.0 FortiOS proxy mode SSL Deep Inspection badssl.com Compliance CVE-2005-4900 FortiOS-5.6.0 FortiOS-5.4.8 FortiOS-5.4.5 FortiOS-5.4.0 0 https://fortiguard.fortinet.com/psirt/FG-IR-17-160 FortiOS proxy mode SSL Deep Inspection badssl.com Compliance Reference> https://www.us-cert.gov/ncas/alerts/TA17-075A https://www.us-cert.gov/ncas/alerts/TA17-075A https://www.cvedetails.com/cve/CVE-2005-4900/ https://www.cvedetails.com/cve/CVE-2005-4900/