PSIRT Advisory

FortiOS SSL Deep-Inspection Proxy Mode badssl.com Compliance

Summary

US-CERT published alert TA17-075A at https://www.us-cert.gov/ncas/alerts/TA17-075A, which outlines security flaws that may be introduced by the use of SSL Deep-Inspection.

FortiOS was flagged as "potentially vulnerable" to some of these weaknesses by the badssl.com test pages when operating in SSL Deep-Inspection Proxy Mode.

Impact

Improper Access Control

Affected Products

Under SSL Deep-Inspection Proxy Mode:

* https://sha1-intermediate.badssl.com
FortiOS 5.6.0; FortiOS 5.4.8 and below.

* https://revoked.badssl.com
FortiOS 5.6.0 and below.

* https://invalid-expected-sct.badssl.com
FortiOS 5.6.0 and below.

* https://pinning-test.badssl.com
FortiOS all versions.

Solutions

For SSL Deep-Inspection Proxy Mode:

* https://sha1-intermediate.badssl.com

Branch 5.6: Upgrade to FortiOS 5.6.1 or above
Branch 5.4: Upgrade to FortiOS 5.4.9 or above

* https://revoked.badssl.com

Upgrade to FortiOS 5.6.1 or above, and adjust the configuration with the following CLI commands to enable automatic revocation checking of inspected server certificates through OCSP:

config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-status enable
    set ssl-ocsp-option certificate
end
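The CLI block above is the advisory's remediation; a quick way to confirm it has actually been applied on a device is to audit the saved configuration text. The following script is an added example, not part of the advisory or of any Fortinet tooling. It parses FortiOS-style "config ... end" blocks in the same format as the snippet above and reports every required OCSP setting that is missing or set to a different value. The sample configuration strings are constructed for illustration.

```python
# Required values under "config vpn certificate setting" per the advisory.
REQUIRED_OCSP_SETTINGS = {
    "ocsp-status": "enable",
    "ssl-ocsp-status": "enable",
    "ssl-ocsp-option": "certificate",
}


def parse_config_block(cli_text, block_name):
    """Return the `set key value` pairs found directly inside the named
    `config ... end` block of FortiOS-style CLI text. Nested config blocks
    are skipped by tracking depth, so only top-level settings are returned."""
    settings = {}
    inside = False
    depth = 0
    for raw in cli_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            if not inside and line == f"config {block_name}":
                inside = True
                depth = 1
            elif inside:
                depth += 1
            continue
        if line == "end" and inside:
            depth -= 1
            if depth == 0:
                break
            continue
        if inside and depth == 1 and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                settings[parts[1]] = parts[2].strip('"')
    return settings


def audit_ocsp_settings(cli_text):
    """Compare the device's block with the advisory's required values.
    Returns {key: (expected, actual)} for every deviation; an empty dict
    means the device matches the advisory's solution."""
    actual = parse_config_block(cli_text, "vpn certificate setting")
    return {
        key: (expected, actual.get(key))
        for key, expected in REQUIRED_OCSP_SETTINGS.items()
        if actual.get(key) != expected
    }


# Constructed sample: a device where SSL OCSP checking is still off and the
# ssl-ocsp-option line is absent entirely.
SAMPLE_BEFORE = """\
config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-status disable
end
"""

# Constructed sample: the same block after applying the advisory's commands.
SAMPLE_AFTER = """\
config vpn certificate setting
    set ocsp-status enable
    set ssl-ocsp-status enable
    set ssl-ocsp-option certificate
end
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_ocsp_settings(text) or "OK")
```

Feed it the output of the device's configuration dump (for example, the full "show" output saved to a file) in place of the constructed samples; any non-empty result lists the settings that still need to be changed.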

* https://invalid-expected-sct.badssl.com

Upgrade to FortiOS 5.6.1 or above.

* https://pinning-test.badssl.com

Currently there is no plan to support Public-Key-Pins (HPKP) verification during SSL Deep-Inspection. FortiGate administrators can manually block such websites using a web filter profile if needed.
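After upgrading and enabling OCSP checking, an administrator will want to re-run the badssl.com checks from a client behind the inspecting firewall. The following script is an added example, not part of the advisory or of any Fortinet tooling. It performs a TLS handshake to each badssl.com host named above, records who issued the certificate the client received and which DNS names it carries, and classifies the outcome: a completed handshake whose certificate was re-signed by the inspection CA and still names the badssl host means the proxy accepted an upstream certificate it should have refused. The inspection CA name and CA bundle path are placeholders to be replaced with the deployment's own values; pinning-test.badssl.com is excluded from the automated run because its failure mode is an HPKP pin mismatch, which produces no chain error in a raw handshake and which the advisory states is not checked.

```python
import socket
import ssl

# badssl.com hosts from the advisory whose upstream certificate chain should
# be rejected by a correctly validating inspection proxy.
CHAIN_FAILURE_HOSTS = [
    "sha1-intermediate.badssl.com",
    "revoked.badssl.com",
    "invalid-expected-sct.badssl.com",
]

# Placeholder (assumption, not from the advisory): the CN of the CA the
# proxy re-signs with, and a PEM bundle containing it so the client trusts it.
INSPECTION_CA_CN = "EXAMPLE-INSPECTION-CA"
INSPECTION_CA_BUNDLE = None  # e.g. "/path/to/inspection-ca.pem"


def _name_matches(name, host):
    """Exact match, or a single-label wildcard such as *.badssl.com."""
    name, host = name.lower(), host.lower()
    if name == host:
        return True
    if name.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == name[2:]
    return False


def classify(host, handshake_ok, issuer_cn, names):
    """Interpret one observation.

    handshake_ok: whether the client completed the TLS handshake.
    issuer_cn:    issuer CN of the leaf certificate the client received.
    names:        DNS names (SAN entries plus subject CN) on that leaf.
    """
    if not handshake_ok:
        return "rejected"                # no usable certificate reached the client
    if issuer_cn != INSPECTION_CA_CN:
        return "not-inspected"           # traffic bypassed deep inspection
    if any(_name_matches(n, host) for n in names):
        return "accepted-by-proxy"       # proxy re-signed a cert it should refuse
    return "proxy-replacement-cert"      # proxy served its own page/certificate


def probe(host, port=443, timeout=10):
    """One TLS handshake; returns (handshake_ok, issuer_cn, names)."""
    ctx = ssl.create_default_context(cafile=INSPECTION_CA_BUNDLE)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError):
        return False, None, []
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if "commonName" in subject:
        names.append(subject["commonName"])
    return True, issuer.get("commonName"), names


def run(hosts=CHAIN_FAILURE_HOSTS):
    """Probe every host and return {host: verdict}."""
    return {h: classify(h, *probe(h)) for h in hosts}


if __name__ == "__main__":
    for host, verdict in run().items():
        print(f"{host}: {verdict}")
```

Run it from a client whose traffic passes through the proxy and which trusts the inspection CA; otherwise every host reports "not-inspected" or a client-side "rejected" that says nothing about the proxy. How a proxy signals a refused upstream chain (a reset, or a replacement page under its own certificate) depends on its configuration, which is why only a re-signed certificate that still names the badssl host is counted as "accepted-by-proxy".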

Revision:
2018-05-16 Initial version
2018-06-22 Clarified that the advisory applies specifically to SSL Deep-Inspection Proxy Mode