Obviously this all is just some strange security by obscurity as the key unlock password to fortisslclient.key must be somewhere stored or hardcoded in FortiClient but after all I am not a pentester but just a normal user that wants a nice and working linux client. Even though I have access to these files i cannot trivially use them to authenticate my mitmproxy to the real server as I am missing the password to unlock the fortisslclient.key private key file. These are not user/customer specific files but files they seem to be identical in every forticlient installer. The official client uses the files fortisslclient.crt and fortisslclient.key as a SSL client authentication (which also shows in the official logs). I conjecture that newer fortios versions (or at least the particular config I am dealing with) check the client certificates (important: I am not talking about the "user-cert/key" but an independent layer of "client" authentication). I went so far to set up a mitmproxy trying to log the real traffic from the working official client but funnily in this scenario the POST /remote/logincheck from the working 'legit' client now also returns a 405 Method Not Allowed. Meanwhile openforticlient -vv shows that the POST /remote/logincheck returns an 405 Method Not Allowed HTTP error. I also have a similar issue i am struggeling with since our gateway got upgraded to fortios according to the debug logfile taken from an official and legit FortiClient running on Windows.
How can I get a dump for example from the official Windows clients requests? I would like to support to include this new protocol. I managed to hack the SVPNTMPCOOKIE into the next request to /remote/index but get an "HTTP 403 Forbidden". There is an empty SVPNCOOKIE (there is even a space in front, so that openfortivpn can no longer find this cookie name). Ret=1,redir=/remote/hostcheck_install?auth_type=16&user=&portal=&rip=&realm= Strict-Transport-Security: max-age=31536000 Set-Cookie: SVPNTMPCOOKIE=Q4tKTm4cVlSjXJwBCjs93tjKa0UtbN7h22oZecuAN3TZL2AK7vA9310XnikrAwZT45ypILXfWI6EVJi467wrK4TLeor2JLDGsvwIliWXV+iP6SZK5vhctpeAcnq99JOEs2vuSudZfbldsY4x9P05NA7ZhRAyiR28A5W8c6ekEVvPb44PDUs1NnS+Tu8GbMkvaHyEl4vU5iDGW1wCSOWsW8aJILCh3JCgXOLRtI1x/Fg77YPypFrQEDhV8uLDYj73WxASRqy8FygK path=/remote/hostcheck_install secure httponly Transfer-Encoding: chunkedĬontent-Security-Policy: frame-ancestors 'self' object-src 'self' script-src 'self' https (null) 'unsafe-eval' 'unsafe-inline' blob: Set-Cookie: SVPNNETWORKCOOKIE= path=/remote/network expires=Sun, 12:00:00 GMT secure httponly Set-Cookie: SVPNCOOKIE= path=/ expires=Sun, 12:00:00 GMT secure httponly