Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)
A. The host field in the HTTP header.
B. The server name indication (SNI) extension in the client hello message.
C. The subject alternative name (SAN) field in the server certificate.
D. The subject field in the server certificate.
Correct Answers:
B. The server name indication (SNI) extension in the client hello message.
C. The subject alternative name (SAN) field in the server certificate.
D. The subject field in the server certificate.
Key Points:
B: SNI identifies the hostname in the TLS handshake.
C: SAN field specifies the hostname in the certificate.
D: Subject field may also contain the hostname.
A and E: Not relevant for hostname identification.
B, C, D - Related to training FortiGate Administrator - Certificate Operations:
When using SSL certificate inspection, FortiGate is not decrypting the traffic. During the exchange of hello messages at the beginning of an SSL handshake, FortiGate parses the server name indication (SNI) from the client hello, which is an extension of the TLS protocol. The SNI tells FortiGate the hostname of the SSL server, which is validated against the DNS name before receipt of the server certificate. If there is no SNI exchanged, then FortiGate identifies the server by the value in the Subject field or SAN (Subject Alternative Name) field in the server certificate.