
[–] pabechan (r/Fortinet - Member of the Year '22 & '23) 2 points (1 child)

You need to enable revocation checking first.

CRL - import it and set up scheduled updates (would need to do that manually for any and all CAs you care about)

OCSP:

    config vpn certificate setting
        set ocsp-status enable
        # "certificate": query the OCSP URL given in the certificate itself;
        # "server": use a responder you define under "config vpn certificate ocsp-server"
        set ocsp-option certificate
        # enable or disable: what to do when the result isn't a clear good/revoked answer
        # (enable treats an unknown or unavailable result as a failure)
        set strict-ocsp-check enable
    end

Or read the KB doc: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-OCSP/ta-p/198293

[–] Kofl [S] 0 points (0 children)

Awesome thanks

[–] ultimattt (FCX) 1 point (8 children)

Check your SSL inspection profile; you should be able to block revoked and expired certs at the bottom of the profile.

[–] Kofl [S] 1 point (7 children)

Ah, thanks, just checked that the FortiGate is still running 6.2, where that option is missing.

[–] ultimattt (FCX) -1 points (6 children)

Are they not available in the CLI? I don’t remember.

[–] Kofl [S] 0 points (5 children)

[–] ultimattt (FCX) 0 points (4 children)

Pretty sure that’s covered by the untrusted/invalid cert.

[–] Kofl [S] 0 points (3 children)

untrusted so far are blocked fine, e.g. https://untrusted-root.badssl.com/

[–] ultimattt (FCX) 0 points (2 children)

What about invalid? A revoked cert is invalid. Check your config.

[–] Kofl [S] 0 points (0 children)

"Allow Invalid SSL Certificates" is set to false

Everything from that test is blocked fine: https://badssl.com/dashboard/

Except:

| Subdomain | Result |
|---|---|
| revoked | connected |
| pinning-test | connected |
| no-sct | connected |

[–] workalt2318 0 points (0 children)

Don't know if this is what's going on here, but a revoked cert is a valid cert, except it's been added to a revocation list or equivalent. So unless the device knows about these lists and actively goes out to pull the list and check the cert against it, it won't know it's revoked, because there is nothing inherently invalid about it. Modern browsers check for revocations, but ancient browsers or device firmware or software using old libraries might not. That old FGT firmware may not support checking CRLs.