Which three pieces of information does FortiGate use to identify the hostname of the SSL server when SSL certificate inspection is enabled? (Choose three.)

A. The subject field in the server certificate

B. The serial number in the server certificate

C. The server name indication (SNI) extension in the client hello message

D. The subject alternative name (SAN) field in the server certificate

E. The host field in the HTTP header

Answer: A,C,D

Explanation:

When SSL certificate inspection is enabled, FortiGate uses the following three pieces of information to identify the hostname of the SSL server:

A. The subject field in the server certificate

The subject field typically contains the common name (CN) that represents the hostname.

C. The server name indication (SNI) extension in the client hello message

SNI is an extension to the TLS protocol that indicates the hostname to which the client is attempting to connect.

D. The subject alternative name (SAN) field in the server certificate

The SAN field can include additional hostnames (alternative names) that are valid for the certificate.

So, the correct choices are A, C, and D.

FortiGate first uses the SNI; if there is no SNI, it uses the Subject or Subject Alternative Name field of the server certificate.

During the exchange of hello messages at the beginning of an SSL handshake, FortiGate parses server name indication (SNI) from client Hello, which is an extension of the TLS protocol. The SNI tells FortiGate the hostname of the SSL server, which is validated against the DNS name before receipt of the server certificate. If there is no SNI exchanged, then FortiGate identifies the server by the value in the Subject field or SAN (subject alternative name) field in the server certificate.
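The lookup order described above, as an added example that is not part of the original page and not Fortinet code: a minimal parser pulls the SNI host_name out of a raw TLS ClientHello record, and a fallback routine applies the same order an inspecting device would (SNI first, then the certificate Subject CN, then the SAN DNS names). The ClientHello bytes are constructed inline for the example, and the server certificate is passed in as an already-parsed dict (`subject_cn`, `san_dns`) standing in for real X.509 parsing, which is an assumption of this example. The final `cert_covers_hostname` check is the consistency test a practitioner would run between the SNI and the certificate; it is the example's own addition, not something the page attributes to FortiGate.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # TLS extension type "server_name" (RFC 6066)
HOST_NAME_TYPE = 0x00         # NameType host_name inside the SNI list


def build_client_hello(server_name=None, extra_extensions=b""):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    extensions += extra_extensions
    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + b"\x00" * 32                          # random (zeros; constructed)
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
        + b"\x01\x00"                           # compression methods: null only
    )
    if extensions:                              # extensions block is optional
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == SNI_EXTENSION_TYPE:
            list_len = struct.unpack("!H", data[:2])[0]
            lpos = 2
            while lpos + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[lpos:lpos + 3])
                lpos += 3
                name = data[lpos:lpos + name_len]
                lpos += name_len
                if name_type == HOST_NAME_TYPE:
                    return name.decode("ascii")           # IDNA names are ASCII
    return None


def identify_server_hostname(client_hello, server_cert):
    """SNI first; if absent, the certificate Subject CN; then the first SAN DNS name.

    server_cert is an assumed pre-parsed dict: {"subject_cn": str|None, "san_dns": [str]}.
    """
    sni = parse_sni(client_hello)
    if sni:
        return sni, "sni"
    if server_cert.get("subject_cn"):
        return server_cert["subject_cn"], "subject"
    if server_cert.get("san_dns"):
        return server_cert["san_dns"][0], "san"
    return None, "none"


def _name_matches(pattern, hostname):
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        # a wildcard covers exactly one leftmost label (RFC 6125 practice)
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def cert_covers_hostname(server_cert, hostname):
    """True if the SNI/requested hostname is covered by the Subject CN or any SAN DNS name."""
    names = [server_cert.get("subject_cn")] + list(server_cert.get("san_dns", []))
    return any(_name_matches(n, hostname) for n in names if n)


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    cert = {"subject_cn": "*.example.com", "san_dns": ["example.com"]}
    host, source = identify_server_hostname(hello, cert)
    print(host, source, cert_covers_hostname(cert, host))
```

A ClientHello that carries other extensions but no SNI (the `extra_extensions` argument lets you construct one) falls through to the certificate fields exactly as the explanation describes; an SNI that the certificate does not cover is the case where an inspecting device has to decide whether to block, which is why the coverage check is kept separate from the identification step.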
