SSL/TLS error messages

If you are configuring HTTPS for the first time and configuration errors remain, you might see SSL- or TLS-related error messages. Because they are rare and tend to indicate a potential attack attempt, they are located in the attack logs, except for cipher or key exchange errors, which tend to be traffic flow problems (see Traffic).

Although the ID (log_id) is the same for all HTTPS connection errors (20000052), the Message (msg) field varies by the cause.

HTTPS attack log messages

| Message (msg) | Cause & description |
|---|---|
| X509 Error 2 - Unable to get issuer certificate | The CA’s certificate does not exist in the store of trusted CAs (System > Certificates > CA), nor is it included in a signing chain within the certificate file. |
| X509 Error 3 - Unable to get certificate CRL | The CRL of a certificate could not be found. Unused. |
| X509 Error 4 - The certificate signature could not be decrypted. | The certificate’s signature value could not be determined, and therefore it could not be decrypted. It does not mean that the signature did not match the expected value. This applies only to RSA keys. |
| X509 Error 5 - The CRL signature could not be decrypted | The CRL signature could not be decrypted: the actual signature value could not be determined, rather than it not matching the expected value. Unused. |
| X509 Error 6 - Unable to decode issuer public key | The public key in the certificate’s CA’s Subject Public Key Info: field could not be read. |
| X509 Error 7 - Certificate signature failure | The certificate’s signature is invalid. |
| X509 Error 8 - CRL signature failure | The signature of the certificate in the CRL is invalid. Unused. |
| X509 Error 9 - Certificate is not yet valid | The certificate’s Not Before: field is after the current time and date. |
| X509 Error 10 - Certificate has expired | The certificate’s Not After: field is before the current time and date. |
| X509 Error 11 - CRL is not yet valid | The CRL is not yet valid. Unused. |
| X509 Error 12 - CRL has expired | The CRL has expired. Unused. |
| X509 Error 13 - Format error. The certificate notBefore field contains an invalid time | The certificate’s Not Before: field contains an invalid time. |
| X509 Error 14 - Format error. The certificate notAfter field contains an invalid time | The certificate’s Not After: field contains an invalid time. |
| X509 Error 15 - Format error. The CRL lastUpdate field contains an invalid time | The CRL lastUpdate field contains an invalid time. Unused. |
| X509 Error 16 - Format error. The CRL nextUpdate field contains an invalid time | The CRL nextUpdate field contains an invalid time. Unused. |
| X509 Error 17 - An error occurred trying to allocate memory | FortiWeb is out of memory. This should never happen. |
| X509 Error 18 - Certificate is self signed and the same certificate cannot be found in the list of trusted certificates | The certificate is self-signed, meaning that it is acting as its own CA. However, the certificate does not exist in the store of trusted CAs (System > Certificates > CA). |
| X509 Error 19 – Root certificate could not be found locally | The certificate contains a signing chain that is not complete. The certificate’s signing chain must terminate with the certificate of a CA that is trusted by FortiWeb (System > Certificates > CA). |
| X509 Error 20 - Issuer certificate could not be found | The certificate indicates an Issuer: field (CA), so it should not be self-signed. However, the certificate’s signing chain does not contain that issuing CA’s certificate. |
| X509 Error 21 - No signatures could be verified. Chain contains only one certificate and it is not self signed | The certificate’s signing chain contains only one certificate. However, the certificate is not a self-signed certificate. |
| X509 Error 22 - Certificate chain too long | The certificate chain length is greater than the supplied maximum depth. Unused. |
| X509 Error 23 - The certificate has been revoked | The certificate has been revoked. Unused. |
| X509 Error 24 - Invalid CA certificate | Either the CA’s certificate is not actually from a CA, or its extensions are not consistent with the supplied purpose. |
| X509 Error 25 - Path length constraint exceeded | The certificate’s Basic Constraints: field’s Path Length Constraint= parameter was exceeded. |
| X509 Error 26 - Unsupported certificate | The certificate’s Key Usage: field or Enhanced Key Usage: field does not match FortiWeb’s purpose. This could occur if, for example, an email signing certificate were to be accidentally used as a server certificate. |
| X509 Error 27 - Certificate not trusted | The root CA’s certificate is not marked as trusted for the certificate’s purpose (Certificate Usage: field). |
| X509 Error 28 - Certificate rejected. | The root CA’s certificate is marked to reject the certificate’s purpose (Certificate Usage: field). |
| X509 Error 29 - Subject issuer mismatch | The current candidate issuer certificate was rejected because its Subject: name did not match the Issuer: name of the current certificate. Only displayed when the -issuer_checks option is set. |
| X509 Error 30 - Authority and subject key identifier mismatch | The current candidate issuer certificate was rejected because its Subject Key Identifier: was present and did not match the Authority Key Identifier: of the current certificate. Only displayed when the -issuer_checks option is set. |
| X509 Error 31 - Authority and issuer serial number mismatch | The current candidate issuer certificate was rejected because its Issuer: name and Serial Number: field were present and did not match the Authority Key Identifier: of the current certificate. Only displayed when the -issuer_checks option is set. |
| X509 Error 32 - Key usage does not include certificate signing | The certificate of the CA currently being examined in the signing chain was rejected because its Key Usage: extension does not permit certificate signing. |
| X509 Error 50 - Application verification failure | An application-specific error. Unused. |
| X509 Error 52 - Get client certificate failed | FortiWeb does not have the certificate of the CA that signed the personal certificate in its store of trusted CAs (System > Certificates > CA), and therefore cannot verify the personal certificate. |
| X509 Error 53 - Protocol error | The client did not present its personal certificate to FortiWeb. This could be caused by the client not having its personal certificate properly installed. |
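
Because every HTTPS connection error shares log_id 20000052, triage has to key on the X509 error number inside msg. The following sketch is an added example, not Fortinet code: it groups attack log lines by the causes in the table above. The key=value line layout, the bucket names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

HTTPS_ERROR_LOG_ID = "20000052"  # log_id shared by all HTTPS connection errors

# X509 error number -> triage bucket, grouped by the causes in the table above.
BUCKETS = {
    "trust-chain": {2, 18, 19, 20, 21, 24, 25, 27, 28, 32},
    "validity-period": {9, 10, 13, 14},
    "signature-or-key": {4, 6, 7},
    "certificate-purpose": {26},
    "issuer-checks-only": {29, 30, 31},
    "client-certificate": {52, 53},
    "out-of-memory": {17},
}
# Codes the table marks "Unused"; one appearing in a log deserves a closer look.
UNUSED = {3, 5, 8, 11, 12, 15, 16, 22, 23, 50}

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # assumed key=value line layout
X509 = re.compile(r"X509 Error (\d+)")

def parse_fields(line):
    """Split one log line into a dict of its key=value pairs."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}

def classify(line):
    """Return a triage bucket, or None if the line is not an HTTPS error."""
    fields = parse_fields(line)
    if fields.get("log_id") != HTTPS_ERROR_LOG_ID:
        return None
    match = X509.search(fields.get("msg", ""))
    if not match:
        return "unrecognized"
    code = int(match.group(1))
    if code in UNUSED:
        return "unused-code"
    return next((b for b, codes in BUCKETS.items() if code in codes), "unrecognized")

def summarize(lines):
    """Count HTTPS error log lines per triage bucket."""
    return Counter(b for b in map(classify, lines) if b is not None)

# Constructed sample lines: documentation-range addresses, 00000000 is a placeholder id.
SAMPLE_LOG = [
    'date=2024-01-01 log_id=20000052 src=192.0.2.10 msg="X509 Error 10 - Certificate has expired"',
    'date=2024-01-01 log_id=20000052 src=192.0.2.11 msg="X509 Error 20 - Issuer certificate could not be found"',
    'date=2024-01-01 log_id=20000052 src=192.0.2.12 msg="X509 Error 53 - Protocol error"',
    'date=2024-01-01 log_id=00000000 src=192.0.2.13 msg="Unrelated event"',
    'date=2024-01-01 log_id=20000052 src=192.0.2.14 msg="X509 Error 23 - The certificate has been revoked"',
    'date=2024-01-01 log_id=20000052 src=192.0.2.15 msg="X509 Error 2 - Unable to get issuer certificate"',
]
print(summarize(SAMPLE_LOG))
```

A burst in the trust-chain or validity-period buckets right after an HTTPS rollout usually points at the CA store or the installed certificate, while client-certificate entries are tied to how personal certificates are issued and installed.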