Empty cookie error after server upgrade from 7.2.7 to 7.2.8 #1205

Closed
Milenco opened this issue Mar 19, 2024 · 10 comments

Comments

@Milenco

Milenco commented Mar 19, 2024

Yesterday I upgraded our Fortinet firewall from FortiOS v7.2.7 to 7.2.8. Ever since, I can't log in anymore using openfortivpn. This issue occurs on multiple hosts from multiple locations. Logging in via the Forticlient VPN client (on macOS) continues to work fine.

When logging in using the command openfortivpn example.com:10443 -u milenco -p mypassword --set-routes=1 --set-dns=1 --user-cert=/root/cert.pem --user-key=/root/cert.key --ca-file=/root/ca.pem -vvvv I get the following output:

WARN:   You should not pass the password on the command line. Type it interactively or use a configuration file instead.
DEBUG:  ATTENTION: the output contains sensitive information such as the THE CLEAR TEXT PASSWORD.
DEBUG:  openfortivpn 1.20.1
DEBUG:  revision unavailable
DEBUG:  Loaded configuration file "/etc/openfortivpn/config".
DEBUG:  Configuration host = "example.com"
DEBUG:  Configuration realm = ""
DEBUG:  Configuration port = "10443"
DEBUG:  Configuration username = "milenco"
DEBUG:  Configuration password = "mypassword"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 87380
DEBUG:  server_addr: 1.2.3.4
DEBUG:  server_port: 10443
DEBUG:  gateway_addr: 1.2.3.4
DEBUG:  gateway_port: 10443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation succeeded.
INFO:   Connected to gateway.
DEBUG:  http_send:
POST /remote/logincheck HTTP/1.1
Host: example.com:10443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: gzip, deflate, br
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie:
Content-Length: 63

username=milenco&credential=mypassword&realm=&ajax=1
DEBUG:  http_receive:
HTTP/1.1 200 OK
Date: Tue, 19 Mar 2024 10:00:22 GMT
Set-Cookie:  SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

5af
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
<meta http-equiv="cache-control" content="no-store">
<title>SSL VPN Remote Access Web Portal</title>
<link href="/sslvpn/css/ssl_style.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/remote/fgt_lang?lang=en"></script></head>
<body class="main">
<table class="container" cellpadding="0" cellspacing="0">
<tr>
<td><table class="dialog" width=300 align="center" cellpadding="0" cellspacing="0">
<tr>
<td><table class="header" cellpadding="0" cellspacing="0">
<tr>
<td id="err_title"></td>
</tr>
</table></td>
</tr>
<script>document.getElementById('err_title').innerHTML=fgt_lang['error'];</script>
<!--sslvpnerrmsg=Permission denied.-->
<tr>
<td class="body" height=100>
<table class="body"><tr></td></tr></table></td>
</tr>
<tr><td>
<table class="footer" cellpadding="0" cellspacing="0">
<tr><td>
<input id="ok_button" type="button" value="" onclick="chkbrowser()" style="width:80px">
</td></tr>
</table>
</td></tr>
</table>
</body>
<script language = "javascript">
document.getElementById('ok_button').value=fgt_lang['ok'];
function chkbrowser() {
if (window.location.pathname == "/remote/login")
window.location.reload();
else
window.location.href = "/remote/login";}
</script>
</html>

0


DEBUG:  Empty cookie.
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.
DEBUG:  No cookie given (-7)
INFO:   Closed connection to gateway.
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 87380
DEBUG:  server_addr: 1.2.3.4
DEBUG:  server_port: 10443
DEBUG:  gateway_addr: 1.2.3.4
DEBUG:  gateway_port: 10443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation succeeded.
DEBUG:  http_send:
GET /remote/logout HTTP/1.1
Host: example.com:10443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: gzip, deflate, br
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=
Content-Length: 0


DEBUG:  http_receive:
HTTP/1.1 200 OK
Date: Tue, 19 Mar 2024 10:00:22 GMT
Set-Cookie:  SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
Content-Length: 558
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

<!DOCTYPE html>
<html><head><script>function fgt_sslvpn_logout(sid) {var cookies = document.cookie.split(';');for (var c = 0; c < cookies.length; ++c) {var one_c = cookies[0];var cookie_key = one_c.split('=')[0];cookie_key.trim();if (cookie_key.search('_eff1a6b3') == null) {var base_name = cookie_key + '=; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=';document.cookie = base_name + '/';document.cookie = base_name + '/proxy/' + sid;}}window.location.href ='/remote/login';}</script></head><body><script>fgt_sslvpn_logout("00000000");</script></body></html>
INFO:   Logged out.

On the server-side I get this debug log (not sure if it's relevant):

[131] fnbamd_peer_ctx_free-Freeing peer ctx 'milenco'
[276:root:b6][fam_cert_proc_resp:1978] Authenticated groups (2) by FNBAM with auth_type (0):
[276:root:b6]fam_cert_proc_resp:1996 found node vpn_admins:0:, valid:1, auth:0
[276:root:b6]auth_rsp_data.matched_cert_grps[0] = vpn_admins
[276:root:b6]fam_cert_proc_resp:1996 found node vpn_users:0:, valid:1, auth:0
[276:root:b6]auth_rsp_data.matched_cert_grps[1] = vpn_users
[276:root:b6]fam_cert_proc_resp:2027 match rule (2), user (milenco:vpn_admins) portal (full-access).
[276:root:b6]__auth_cert_cb:913 certificate check OK.
[276:root:b6]sslvpn_authenticate_user:193 authenticate user: [milenco]
[276:root:b6]sslvpn_authenticate_user:211 create fam state
[276:root:b6][fam_auth_send_req_internal:429] Groups sent to FNBAM:
[276:root:b6]group_desc[0].grpname = vpn_admins
[276:root:b6]group_desc[1].grpname = vpn_users
[276:root:b6][fam_auth_send_req_internal:441] FNBAM opt = 0X300421
local auth is done with user 'milenco', ret=1
[276:root:b6]fam_auth_send_req_internal:517 fnbam_auth return: 1
[276:root:b6][fam_auth_send_req_internal:543] Authenticated groups (2) by FNBAM with auth_type (1):
[276:root:b6]Received: auth_rsp_data.grp_list[0] = 0
[276:root:b6]Received: auth_rsp_data.grp_list[1] = 0
[276:root:b6]fam_auth_send_req:1017 task finished with 1
[276:root:b6]login_failed:404 user[milenco],auth_type=1 failed [sslvpn_login_permission_denied]
[276:root:b6]Transfer-Encoding n/a
[276:root:b6]Content-Length 63
[276:root:b6]SSL state:warning close notify (4.3.2.1)
[276:root:b6]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[276:root:b6]Destroy sconn 0x547f7e00, connSize=0. (root)
[276:root:b6]SSL state:warning close notify (4.3.2.1)
[277:root:b6]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[277:root:b6]SSL state:before SSL initialization (4.3.2.1)
[277:root:b6]SSL state:before SSL initialization (4.3.2.1)
[277:root:b6]no SNI received
[277:root:b6]client cert requirement: yes
[277:root:b6]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[277:root:b6]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[277:root:b6]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[277:root:b6]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:b6]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[277:root:b6]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[277:root:b6]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:b6]no SNI received
[277:root:b6]client cert requirement: yes
[277:root:b6]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[277:root:b6]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[277:root:b6]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[277:root:b6]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[277:root:b6]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[277:root:b6]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[277:root:b6]SSL state:SSLv3/TLS write finished (4.3.2.1)
[277:root:b6]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:b6]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[277:root:b6]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:b6]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[277:root:b6]SSL state:SSLv3/TLS read certificate verify (4.3.2.1)
[277:root:b6]SSL state:SSLv3/TLS read finished (4.3.2.1)
[277:root:b6]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[277:root:b6]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[277:root:b6]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[277:root:b6]req: /remote/logout
[277:root:b6]rmt_web_auth_info_parser_common:524 no session id in auth info
[277:root:b6]rmt_web_access_check:792 access failed, uri=[/remote/logout],ret=4103,
[277:root:b6]SSL state:fatal decode error (4.3.2.1)
[277:root:0]ap_read,105, error=1, errno=0 ssl 0x5417a000 Success. error:0A000126:SSL routines::unexpected eof while reading
[277:root:b6]sslvpn_read_request_common,684, ret=-1 error=-1, sconn=0x547f7e00.
[277:root:b6]Destroy sconn 0x547f7e00, connSize=0. (root)

I suspect something broke on openfortivpn's side after the FortiOS upgrade to 7.2.8, causing the "Empty cookie." error, which seems to be the root cause of this issue.

Does anyone else have the same issue after 7.2.8 (or has upgraded and has no issue)? Is there anything I can do to resolve this or help test?
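As an added example (not openfortivpn's own code), the C below shows how a client can tell the failure above apart from a real login: it parses a constructed copy of the /remote/logincheck reply, takes SVPNCOOKIE from the Set-Cookie headers and the reason from the `<!--sslvpnerrmsg=...-->` comment, and classifies an HTTP 200 with a cleared cookie as a refused login rather than a success. The sample responses, the placeholder token value and the function names are assumptions.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed sample (not a capture): the shape of the gateway's reply to
 * POST /remote/logincheck in the log above, trimmed to what matters, the
 * cleared SVPNCOOKIE and the sslvpnerrmsg HTML comment. */
static const char SAMPLE_DENIED_RESPONSE[] =
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 19 Mar 2024 10:00:22 GMT\r\n"
    "Set-Cookie:  SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;\r\n"
    "Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    "<html><body>\n<!--sslvpnerrmsg=Permission denied.-->\n</body></html>\n";

/* Constructed sample of an accepted login (placeholder token, no error comment). */
static const char SAMPLE_OK_RESPONSE[] =
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SVPNCOOKIE=SAMPLE0123456789; path=/; secure; httponly; SameSite=Strict\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n"
    "<html><body></body></html>\n";

enum login_result {
    LOGIN_OK,           /* non-empty SVPNCOOKIE: a session was created */
    LOGIN_DENIED,       /* cookie cleared and the portal names the reason */
    LOGIN_NO_COOKIE,    /* no SVPNCOOKIE header at all */
    LOGIN_EMPTY_COOKIE  /* cookie cleared, no sslvpnerrmsg in the body */
};

/* Copy at most outlen-1 bytes of src into out and NUL-terminate; out may be NULL. */
static void copy_bounded(char *out, size_t outlen, const char *src, size_t n)
{
    if (!out || !outlen)
        return;
    n = n < outlen ? n : outlen - 1;
    memcpy(out, src, n);
    out[n] = '\0';
}

/* Scan the header section for "Set-Cookie: SVPNCOOKIE=<value>". Returns the
 * value's length (0 for a cleared cookie) and copies it into out, or -1 when
 * no SVPNCOOKIE header is present. The body is never searched for it. */
int extract_svpncookie(const char *response, char *out, size_t outlen)
{
    const char *hdr_end = strstr(response, "\r\n\r\n");
    const char *line = response;

    if (!hdr_end)
        hdr_end = response + strlen(response);
    while (line < hdr_end) {
        const char *eol = memchr(line, '\n', (size_t)(hdr_end - line));
        const char *next = eol ? eol + 1 : hdr_end;

        if (strncasecmp(line, "Set-Cookie:", 11) == 0) {   /* header names are case-insensitive */
            const char *p = line + 11;
            while (*p == ' ' || *p == '\t')
                p++;
            if (strncmp(p, "SVPNCOOKIE=", 11) == 0) {
                const char *v = p + 11;
                size_t n = 0;
                /* the value ends at the first attribute separator or EOL */
                while (v + n < next && v[n] != ';' && v[n] != '\r' && v[n] != '\n')
                    n++;
                copy_bounded(out, outlen, v, n);
                return (int)n;
            }
        }
        line = next;
    }
    return -1;
}

/* Pull the reason out of the "<!--sslvpnerrmsg=...-->" comment the portal
 * embeds in the HTML body. Returns 1 and copies it into out if found, else 0. */
int extract_errmsg(const char *response, char *out, size_t outlen)
{
    static const char marker[] = "<!--sslvpnerrmsg=";
    const char *start = strstr(response, marker);
    const char *stop = start ? strstr(start + sizeof marker - 1, "-->") : NULL;

    if (!stop) {
        copy_bounded(out, outlen, "", 0);
        return 0;
    }
    start += sizeof marker - 1;
    copy_bounded(out, outlen, start, (size_t)(stop - start));
    return 1;
}

/* Decide what the logincheck reply means. HTTP 200 is not success here: the
 * cookie is the real signal, and the error comment explains a refusal. */
enum login_result classify_login(const char *response, char *errmsg, size_t errlen)
{
    int len = extract_svpncookie(response, NULL, 0);
    int have_msg = extract_errmsg(response, errmsg, errlen);

    if (len > 0)
        return LOGIN_OK;
    if (len < 0)
        return LOGIN_NO_COOKIE;
    return have_msg ? LOGIN_DENIED : LOGIN_EMPTY_COOKIE;
}
```

On the denied sample this yields LOGIN_DENIED with the message "Permission denied.", which is the more useful signal than the generic "Empty cookie." line in the client log.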

@Milenco
Author

Milenco commented Mar 19, 2024

Just noticed I was running an older version of openfortivpn. Tested it with the newest version (v1.21.0) but the issue remains:

WARN:   You should not pass the password on the command line. Type it interactively or use a configuration file instead.
DEBUG:  ATTENTION: the output contains sensitive information such as the THE CLEAR TEXT PASSWORD.
DEBUG:  openfortivpn 1.21.0
DEBUG:  revision unavailable
DEBUG:  Loaded configuration file "/etc/openfortivpn/config".
DEBUG:  Configuration host = "example.com"
DEBUG:  Configuration realm = ""
DEBUG:  Configuration port = "10443"
DEBUG:  Configuration username = "milenco"
DEBUG:  Configuration password = "mypassword"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 87380
DEBUG:  server_addr: 1.2.3.4
DEBUG:  server_port: 10443
DEBUG:  gateway_ip: 1.2.3.4
DEBUG:  gateway_port: 10443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation succeeded.
INFO:   Connected to gateway.
DEBUG:  http_send:
POST /remote/logincheck HTTP/1.1
Host: example.com:10443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: gzip, deflate, br
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie:
Content-Length: 63

username=milenco&credential=mypassword&realm=&ajax=1
DEBUG:  http_receive:
HTTP/1.1 200 OK
Date: Tue, 19 Mar 2024 10:35:25 GMT
Set-Cookie:  SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

5af
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
<meta http-equiv="cache-control" content="no-store">
<title>SSL VPN Remote Access Web Portal</title>
<link href="/sslvpn/css/ssl_style.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/remote/fgt_lang?lang=en"></script></head>
<body class="main">
<table class="container" cellpadding="0" cellspacing="0">
<tr>
<td><table class="dialog" width=300 align="center" cellpadding="0" cellspacing="0">
<tr>
<td><table class="header" cellpadding="0" cellspacing="0">
<tr>
<td id="err_title"></td>
</tr>
</table></td>
</tr>
<script>document.getElementById('err_title').innerHTML=fgt_lang['error'];</script>
<!--sslvpnerrmsg=Permission denied.-->
<tr>
<td class="body" height=100>
<table class="body"><tr></td></tr></table></td>
</tr>
<tr><td>
<table class="footer" cellpadding="0" cellspacing="0">
<tr><td>
<input id="ok_button" type="button" value="" onclick="chkbrowser()" style="width:80px">
</td></tr>
</table>
</td></tr>
</table>
</body>
<script language = "javascript">
document.getElementById('ok_button').value=fgt_lang['ok'];
function chkbrowser() {
if (window.location.pathname == "/remote/login")
window.location.reload();
else
window.location.href = "/remote/login";}
</script>
</html>

0


DEBUG:  Empty cookie.
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.
DEBUG:  No cookie given (-7)
INFO:   Closed connection to gateway.
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 87380
DEBUG:  server_addr: 1.2.3.4
DEBUG:  server_port: 10443
DEBUG:  gateway_ip: 1.2.3.4
DEBUG:  gateway_port: 10443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation succeeded.
DEBUG:  http_send:
GET /remote/logout HTTP/1.1
Host: example.com:10443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: gzip, deflate, br
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=
Content-Length: 0


DEBUG:  http_receive:
HTTP/1.1 200 OK
Date: Tue, 19 Mar 2024 10:35:25 GMT
Set-Cookie:  SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
Content-Length: 558
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

<!DOCTYPE html>
<html><head><script>function fgt_sslvpn_logout(sid) {var cookies = document.cookie.split(';');for (var c = 0; c < cookies.length; ++c) {var one_c = cookies[0];var cookie_key = one_c.split('=')[0];cookie_key.trim();if (cookie_key.search('_eff1a6b3') == null) {var base_name = cookie_key + '=; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=';document.cookie = base_name + '/';document.cookie = base_name + '/proxy/' + sid;}}window.location.href ='/remote/login';}</script></head><body><script>fgt_sslvpn_logout("00000000");</script></body></html>
INFO:   Logged out.

@DimitriPapadopoulos
Collaborator

The server might have moved to SAML, with authentication in a web browser. See #867.

You can also give openconnect a try.

@Milenco
Author

Milenco commented Mar 20, 2024

I did some more research and resolved my issue.

I log in using the command openfortivpn example.com:10443 -u milenco -p mypassword --set-routes=1 --set-dns=1 --user-cert=/root/cert.pem --user-key=/root/cert.key --ca-file=/root/ca.pem. This seems to make it take the route of authenticating via my username and password, while authentication actually takes place using my certificates. (In the official client I can fill in whatever I want for the username and password because it identifies me using the certificate.)

When I remove the username and password from the openfortivpn command, I force it to authenticate using certificates. Now I can connect without any issue. My new command is openfortivpn example.com:10443 --set-routes=1 --set-dns=1 --user-cert=/root/cert.pem --user-key=/root/cert.key --ca-file=/root/ca.pem.

It seems FortiOS 7.2.8 reacts differently from 7.2.7 to receiving both user/pass and certificates, causing this issue after our server upgrade.

@Milenco Milenco closed this as completed Mar 20, 2024
@DimitriPapadopoulos
Collaborator

Thank you very much for the explanation.

I wonder whether there are cases where both the certificate and the username/password are required. Otherwise, we could force authentication with the certificate, or at least emit a warning, if a user/password are passed as arguments in addition to the user certificate.

@Milenco
Author

Milenco commented Mar 20, 2024

For testing I tried to log in using the official Forticlient VPN client, using username 'foo' while authenticating using my 'milenco' certificates. It seems the username gets fully ignored; there is no mention of it in the logs on the firewall side:

velco-fw # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.

velco-fw # diagnose debug application samld -1

velco-fw #
velco-fw # diagnose debug enable

velco-fw # [275:root:1f0]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[275:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[275:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[275:root:1f0]no SNI received
[275:root:1f0]client cert requirement: yes
[275:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f0]no SNI received
[275:root:1f0]client cert requirement: yes
[275:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write finished (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS read certificate verify (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS read finished (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[275:root:1f0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[275:root:1f0]req: /remote/info
[275:root:1f0]capability flags: 0x1cdf
[275:root:1f0]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[275:root:1f0]Destroy sconn 0x547f7e00, connSize=0. (root)
[275:root:1f0]SSL state:warning close notify (4.3.2.1)
[276:root:1f0]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[276:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[276:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[276:root:1f0]got SNI server name: example.com realm (null)
[276:root:1f0]client cert requirement: yes
[276:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f0]got SNI server name: example.com realm (null)
[276:root:1f0]client cert requirement: yes
[276:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write finished (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS read certificate verify (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS read finished (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[276:root:1f0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[276:root:1f0]req: /remote/login
[276:root:1f0]rmt_web_auth_info_parser_common:524 no session id in auth info
[276:root:1f0]rmt_web_get_access_cache:873 invalid cache, ret=4103
[276:root:1f0]User Agent: FortiSSLVPN (Mac OS X; SV1 [SV{v=02.01; f=07;}])
[276:root:1f0]sslvpn_auth_check_usrgroup:3049 forming user/group list from policy.
[276:root:1f0]sslvpn_auth_check_usrgroup:3096 got user (0) group (0:2).
[276:root:1f0]sslvpn_validate_user_group_list:1939 validating with SSL VPN authentication rules (2), realm ().
[276:root:1f0]sslvpn_validate_user_group_list:2033 checking rule 1 cipher.
[276:root:1f0]sslvpn_validate_user_group_list:2041 checking rule 1 realm.
[276:root:1f0]sslvpn_validate_user_group_list:2052 checking rule 1 source intf.
[276:root:1f0]sslvpn_validate_user_group_list:2091 checking rule 1 vd source intf.
[276:root:1f0]sslvpn_validate_user_group_list:2590 rule 1 done, got user (0:0) group (0:0) peer group (1).
[276:root:1f0]sslvpn_validate_user_group_list:2033 checking rule 2 cipher.
[276:root:1f0]sslvpn_validate_user_group_list:2041 checking rule 2 realm.
[276:root:1f0]sslvpn_validate_user_group_list:2052 checking rule 2 source intf.
[276:root:1f0]sslvpn_validate_user_group_list:2590 rule 2 done, got user (0:0) group (0:0) peer group (2).
[276:root:1f0]sslvpn_validate_user_group_list:2598 got user (0:0) group (0:0) peer group (2).
[276:root:1f0]sslvpn_validate_user_group_list:2945 got user (0:0), group (0:0) peer group (2).
[276:root:1f0]fam_cert_send_req:1174 peer group 'vpn_admins' is sent for verification.
[276:root:1f0]fam_cert_send_req:1174 peer group 'vpn_users' is sent for verification.
[276:root:1f0]fam_cert_send_req:1180 doing authentication for 2 group(s).
[276:root:1f0][fam_cert_proc_resp:1978] Authenticated groups (2) by FNBAM with auth_type (0):
[276:root:1f0]fam_cert_proc_resp:1996 found node vpn_admins:0:, valid:1, auth:0
[276:root:1f0]auth_rsp_data.matched_cert_grps[0] = vpn_admins
[276:root:1f0]fam_cert_proc_resp:1996 found node vpn_users:0:, valid:1, auth:0
[276:root:1f0]auth_rsp_data.matched_cert_grps[1] = vpn_users
[276:root:1f0]fam_cert_proc_resp:2027 match rule (2), user (milenco:vpn_admins) portal (full-access).
[276:root:1f0]User Agent: FortiSSLVPN (Mac OS X; SV1 [SV{v=02.01; f=07;}])
[276:root:0]get tunnel link address4
[276:root:1f0]rmt_web_session_create:1029 create web session, idx[0]
[276:root:1f0]rmt_hcinstall_cb_handler:210 enter
[276:root:1f0]User Agent: FortiSSLVPN (Mac OS X; SV1 [SV{v=02.01; f=07;}])
[276:root:1f0]rmt_hcinstall_cb_handler:288 hostchk needed : 1.
[276:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[276:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[276:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[276:root:1f0]SSL state:warning close notify (4.3.2.1)
[276:root:1f0]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[276:root:1f0]Destroy sconn 0x547f7e00, connSize=1. (root)
[276:root:1f0]SSL state:warning close notify (4.3.2.1)
[277:root:1f0]allocSSLConn:310 sconn 0x547f8400 (0:root)
[277:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[277:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[277:root:1f0]got SNI server name: example.com realm (null)
[277:root:1f0]client cert requirement: yes
[277:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f0]got SNI server name: example.com realm (null)
[277:root:1f0]client cert requirement: yes
[277:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write finished (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS read certificate verify (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS read finished (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[277:root:1f0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[277:root:1f0]req: /remote/hostcheck_validate
[277:root:1f0]Transfer-Encoding n/a
[277:root:1f0]Content-Length 202
[277:root:1f0]readPostEnter:17 Post Data length 202.
[277:root:1f0]rmt_hcvalidate_cb_handler:327 enter
[277:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[277:root:1f0]User Agent: FortiSSLVPN (Mac OS X; SV1 [SV{v=02.01; f=07;}])
[277:root:1f0]rmt_hcvalidate_cb_handler:379 hostchk needed : 1
[277:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[277:root:1f0]host check result:3 0000,14.4.0,04:bf:1b:4d:c7:cc
[277:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[277:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[277:root:1f0]Transfer-Encoding n/a
[277:root:1f0]Content-Length 202
[277:root:1f0]SSL state:warning close notify (4.3.2.1)
[277:root:1f0]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[277:root:1f0]Destroy sconn 0x547f8400, connSize=1. (root)
[277:root:1f0]SSL state:warning close notify (4.3.2.1)
[275:root:1f1]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[275:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[275:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[275:root:1f1]got SNI server name: example.com realm (null)
[275:root:1f1]client cert requirement: yes
[275:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f1]got SNI server name: example.com realm (null)
[275:root:1f1]client cert requirement: yes
[275:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write finished (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS read certificate verify (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS read finished (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[275:root:1f1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[275:root:1f1]req: /remote/fortisslvpn
[275:root:1f1]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[275:root:1f1]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[275:root:1f1]User Agent: FortiSSLVPN (Mac OS X; SV1 [SV{v=02.01; f=07;}])
[275:root:1f1]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[275:root:1f1]Destroy sconn 0x547f7e00, connSize=0. (root)
[275:root:1f1]SSL state:warning close notify (4.3.2.1)
[276:root:1f1]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[276:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[276:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[276:root:1f1]got SNI server name: example.com realm (null)
[276:root:1f1]client cert requirement: yes
[276:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f1]got SNI server name: example.com realm (null)
[276:root:1f1]client cert requirement: yes
[276:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write finished (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS read certificate verify (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS read finished (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[276:root:1f1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[276:root:1f1]req: /remote/fortisslvpn_xml
[276:root:1f1]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[276:root:1f1]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[276:root:1f1]sslvpn_reserve_dynip:1544 tunnel vd[root] ip[10.10.11.130] app session idx[2]
[276:root:1f1]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[276:root:1f1]Destroy sconn 0x547f7e00, connSize=1. (root)
[276:root:1f1]SSL state:warning close notify (4.3.2.1)
[277:root:1f1]allocSSLConn:310 sconn 0x547f8400 (0:root)
[277:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[277:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[277:root:1f1]got SNI server name: example.com realm (null)
[277:root:1f1]client cert requirement: yes
[277:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f1]got SNI server name: example.com realm (null)
[277:root:1f1]client cert requirement: yes
[277:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write finished (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS read finished (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[277:root:1f1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[277:root:1f1]No client certificate
[277:root:1f1]req: /remote/sslvpn-tunnel2?uuid=32190D99E7FE
[277:root:1f1]sslvpn_tunnel2_handler,60, Calling rmt_conn_access_ex.
[277:root:1f1]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89
CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[277:root:1f1]normal tunnel2 request received.
[277:root:1f1]sslvpn_tunnel2_handler,171, fct_uuid = 32190D99E7FE50D09A8AB7C68CAB46F8
[277:root:1f1]sslvpn_tunnel2_handler,179, Calling tunnel2 with hostname (null).
[277:root:1f1]tunnel2_enter:1558 0x547f8400:0x5417dc00 sslvpn user[milenco,cn=milenco],type 32,logintime 0 vd 0 vrf 0
[277:root:1f1]tun dev (ssl.root) opened (32)
[277:root:1f1]fsv_associate_fd_to_ipaddr:2335 associate 10.10.11.130 to tun (ssl.root:32)
[277:root:1f1]proxy arp: scanning 13 interfaces for IP 10.10.11.130
[277:root:1f1]no ethernet address for proxy ARP
[277:root:1f1]sslvpn_user_match:1171 add user milenco in group vpn_admins
[277:root:1f1]Will add auth policy for policy 29
[277:root:1f1]sslvpn_user_match:1171 add user milenco in group vpn_admins
[277:root:1f1]Will add auth policy for policy 25
[277:root:1f1]sslvpn_user_match:1171 add user milenco in group vpn_admins
[277:root:1f1]Will add auth policy for policy 18
[277:root:1f1]Add auth logon for user milenco,cn=milenco:vpn_admins, matched group number 1

This is the relevant part from my firewall config:

config vpn ssl settings
    set reqclientcert enable
    set ssl-min-proto-ver tls1-1
    set servercert "star.example.com.2023-2024"
    set idle-timeout 7200
    set tunnel-ip-pools "vpn_address_user" "vpn_address_admin"
    set dns-server1 8.8.8.8
    set dns-server2 9.9.9.9
    set source-interface "wan1" "wan2"
    set source-address "Belgium" "England" "France" "Germany" "Luxembourg" "Netherlands" "vlan_office address" "vlan_server address"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "vpn_users"
            set portal "vpn-access"
        next
        edit 2
            set groups "vpn_admins"
            set portal "full-access"
        next
    end
end

The set reqclientcert enable command causes the client cert requirement: yes notification in the log. So I believe when certificates are forced the username/password gets ignored. I'm not sure if it's possible to optionally supply client certs. If not, forced authentication using certificates can be used if a certificate is supplied.

Hope this helps.
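
An added diagnostic helper (not part of this issue or of openfortivpn) that groups FortiGate sslvpn debug lines of the form shown above by their [pid:vdom:connection-id] prefix and flags a connection on which the gateway required a client certificate but then logged "No client certificate", as happens on the tunnel2 request in the capture. The sample lines are a constructed, shortened copy of the quoted output.

```python
import re

# Constructed sample, shortened from the FortiGate sslvpn debug lines quoted
# in the issue; not a real capture.
SAMPLE_LOG = """\
[276:root:1f1]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[276:root:1f1]client cert requirement: yes
[276:root:1f1]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[276:root:1f1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[276:root:1f1]req: /remote/fortisslvpn_xml
[276:root:1f1]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[277:root:1f1]allocSSLConn:310 sconn 0x547f8400 (0:root)
[277:root:1f1]client cert requirement: yes
[277:root:1f1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[277:root:1f1]No client certificate
[277:root:1f1]req: /remote/sslvpn-tunnel2?uuid=32190D99E7FE
"""

# Every sslvpn debug line carries a [pid:vdom:connection-id] prefix.
LINE_RE = re.compile(r"^\[(\d+):(\w+):([0-9a-f]+)\](.*)$")

def summarize_connections(log_text):
    """Return one dict per TLS connection: requested path, whether the gateway
    demanded a client cert, whether it read one, whether it logged
    'No client certificate', and whether the handler reported an error."""
    records, current = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # wrapped continuation lines have no prefix; skip them
        key, msg = ":".join(m.group(1, 2, 3)), m.group(4)
        if msg.startswith("allocSSLConn") or key not in current:
            # allocSSLConn opens a new connection, even if the id is reused
            current[key] = {"id": key, "req": None, "cert_required": False,
                            "cert_read": False, "no_cert": False,
                            "established": False, "error": False}
            records.append(current[key])
        rec = current[key]
        if msg.startswith("req: "):
            rec["req"] = msg[5:]
        elif msg == "client cert requirement: yes":
            rec["cert_required"] = True
        elif "read client certificate" in msg:
            rec["cert_read"] = True
        elif msg == "No client certificate":
            rec["no_cert"] = True
        elif msg.startswith("SSL established"):
            rec["established"] = True
        elif "error" in msg:
            rec["error"] = True
    return records

def suspicious(records):
    """Paths requested on connections that required a cert but got none."""
    return [r["req"] for r in records if r["cert_required"] and r["no_cert"]]
```

Run it against a full "diagnose debug application sslvpn" capture to see which HTTP requests in the login sequence were made without the user certificate.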

@mrbaseman
Collaborator

I wonder whether there are cases where both the certificate and the username/password are required. Otherwise, we could force authentication with the certificate when or at least emit a warning if user/password are passed as arguments in addition to the user certificate.

I have been using username/password and certificate in combination. This is not truly a second factor because all the credentials reside on the same client device, but it's at least a good protection against a simple password leak. I still have that VPN running, but I must admit that I haven't used it for a while.

@Milenco
Author

Milenco commented Mar 20, 2024

> I wonder whether there are cases where both the certificate and the username/password are required. Otherwise, we could force authentication with the certificate when or at least emit a warning if user/password are passed as arguments in addition to the user certificate.
>
> I have been using username/password and certificate in combination. This is not truly a second factor because all the credentials reside on the same client device, but it's at least a good protection against a simple password leak. I still have that VPN running, but I must admit that I haven't used it for a while.

So using a different username or password in combination with your certificate actually fails to log you in? Because I can't replicate that behavior, but it's very well possible it's because of my configuration.

@mrbaseman
Collaborator

> So using a different username or password in combination with your certificate actually fails to log you in? Because I can't replicate that behavior, but it's very well possible it's because of my configuration.

I think so, but I'll try that out. Unfortunately that VPN doesn't respond at all right now. I have to check on-site what's the problem.

Maybe an important detail: in this case users and groups are local ones on the Fortigate. If authentication happens via LDAP or AD things might be different. But I'll check it for local users/groups when I get that setup working again.

@mrbaseman
Collaborator

Finally I had the chance to do the promised double-check: With a local user on the Fortigate with certificate authentication and user/password, the certificate and the password must match. If a wrong password is entered, the authentication is aborted:

DEBUG:  Gateway certificate validation succeeded.
INFO:   Connected to gateway.
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.

@Milenco
Author

Milenco commented Apr 15, 2024

Thanks for reporting back! So both methods (just a certificate as well as certificate+user/pass) must be supported.
