SSL Inspection question (iPhone iOS 16)?

Options
Ensto
Ensto Posts: 20  Freshman Member
First Anniversary 10 Comments Friend Collector
edited October 2022 in Security
Hi.

I've been experimenting with SSL Inspection on my iPhone (iOS 16) and it seems to work most of the time (traffic is being inspected as it should be). But some apps like Apple App Store, banking apps, national ID apps, home security apps and so on always seem to have an "untrusted certificate chain" flag when checking the router logs. And these apps in particular often stop working and won't connect even if the "untrusted certificate chain" setting is set to pass in the SSL Inspection profile.

In particular, the App Store even stops working within a certain time period after the SSL inspection rule is disabled/removed and iPhone is rebooted. As if my IP-adress is being blocked (app is working when swithing to cellular in the period of assumed block time).

For the SSL inspection testing I did as follows:
- Created a self-signed certificate on my Zyxel device (USG FLEX 100, V5.31(ABWC.0)
Key type ECDSA-SHA384, key length 384 bits, 5 years valid.

- Exported the certificate (no password/no public key) and imported it to my iPhone.

- Granted the certificate as a root certificate on the iPhone.

- Configured an ssl inspection profile with default settings and set the created self-signed certificate to be used with the profile, added the profile on a proper security policy rule.

- SSL Inspection Server signed certificate key mode was set to ECDSA-RSA-2048.

- Done.



Question:

Is it possible that some apps or web servers that the apps connect to can detect SSL Inspection as a threat/data integrity check failure (man-in-the-middle-manipulation) because of the self-signed certificate and thereby is prevented from connecting correctly?

Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited October 2022 Answer ✓
    Options
    Hi @Ensto

    We built a lab and can reproduce this symptom as well.

    Topology:

    USG Flex 200(enables SSL Inspection)(LAN: 192.168.1.1/24) > (WAN:192.168.1.33)USG60W(LAN2:192.168.88.1/24) > iphone 8 plus (iOS16) (192.168.88.33) and import USG 200’s certificate .p12 file.

    But cannot access App Store and megabank app, as below:

     

    It means the internet connection goes wrong, please check your internet status. 


    Monitor Log shows Pass untrusted certificate chain [server] connection. Rule_id:3 , access forward



    We found the root cause is during TLS handshake, the app store or bank server will need a request certificate, and the USG Flex device will return its certificate to the server rather than the end client's certificate, so the connection won't be established.
     
    https://www.rfc-editor.org/rfc/rfc5246

    We suggest you can add trusted URLs to the Exclude List of SSL Inspection, as below I added apple and megabank URLs to bypass SSL Inspection.


    Then can access to App store and bank app without problem.


    I can access the megabank app when enabling SSL Inspection, as below:


    The Monitor log shows "The identity of server certificate is in the exclude list. Pass this connection."


    Thanks.

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @Ensto

    (1). Could you share the screenshot of Apps(App store, bank app, nation ID app, home security) that are not working? And the screenshots of "untrusted certificate chain" flag message.
    (2). During that time, are there any suspicious logs that can be observed on the USG Flex100’s Monitor log(Monitor > Log > View Log)? Please share the screenshots with us, too.
    (3). How long is the assumed block time(“ the App Store even stops working within a certain time period after the SSL inspection rule is disabled/removed and iPhone is rebooted”) that you mentioned it? How did you recover it? By rebooting USG Flex100 or another way?
    Thanks.

  • Ensto
    Ensto Posts: 20  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    Hi @Ensto

    (1). Could you share the screenshot of Apps(App store, bank app, nation ID app, home security) that are not working? And the screenshots of "untrusted certificate chain" flag message.
    (2). During that time, are there any suspicious logs that can be observed on the USG Flex100’s Monitor log(Monitor > Log > View Log)? Please share the screenshots with us, too.
    (3). How long is the assumed block time(“ the App Store even stops working within a certain time period after the SSL inspection rule is disabled/removed and iPhone is rebooted”) that you mentioned it? How did you recover it? By rebooting USG Flex100 or another way?
    Thanks.

    1. I don't have any screenshot of apps but the apps are: App Store (native iOS 16), BankID (most used digital ID in Sweden), Tuya Smart (IoT sensors like smoke detectors).

    This is when trying to use Apple App Store:


    This is when trying to use BankID:


    This is when trying to use Tuya Smart:
    Now this app in particular creates almost 80 log post in about one second.


    2. There is no suspicious activity in the ''all logs tab''. Only common scanning blocks from around the world as usual and my VPN IKE connection running all the time.



    3. We can rule this ''block time'' out, I was not able to re-create the same scenario today. But I noticed that all my other devices on the interface's with the SSL Inspection rule active on it which doesn't have the self-signed certificate added in their root directory will not be able to connect to WAN properly as shown below:

    When trying to access a swedish newspaper site with EDGE browser (win 11) on my PC which don't have the certificate installed:


    When trying to use the native email client on my iPad which don't have the certificate installed:

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited October 2022 Answer ✓
    Options
    Hi @Ensto

    We built a lab and can reproduce this symptom as well.

    Topology:

    USG Flex 200(enables SSL Inspection)(LAN: 192.168.1.1/24) > (WAN:192.168.1.33)USG60W(LAN2:192.168.88.1/24) > iphone 8 plus (iOS16) (192.168.88.33) and import USG 200’s certificate .p12 file.

    But cannot access App Store and megabank app, as below:

     

    It means the internet connection goes wrong, please check your internet status. 


    Monitor Log shows Pass untrusted certificate chain [server] connection. Rule_id:3 , access forward



    We found the root cause is during TLS handshake, the app store or bank server will need a request certificate, and the USG Flex device will return its certificate to the server rather than the end client's certificate, so the connection won't be established.
     
    https://www.rfc-editor.org/rfc/rfc5246

    We suggest you can add trusted URLs to the Exclude List of SSL Inspection, as below I added apple and megabank URLs to bypass SSL Inspection.


    Then can access to App store and bank app without problem.


    I can access the megabank app when enabling SSL Inspection, as below:


    The Monitor log shows "The identity of server certificate is in the exclude list. Pass this connection."


    Thanks.
  • Ensto
    Ensto Posts: 20  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited October 2022
    Options
    Hi @Ensto

    We built a lab and can reproduce this symptom as well.

    Topology:

    USG Flex 200(enables SSL Inspection)(LAN: 192.168.1.1/24) > (WAN:192.168.1.33)USG60W(LAN2:192.168.88.1/24) > iphone 8 plus (iOS16) (192.168.88.33) and import USG 200’s certificate .p12 file.

    But cannot access App Store and megabank app, as below:

     

    It means the internet connection goes wrong, please check your internet status. 


    Monitor Log shows Pass untrusted certificate chain [server] connection. Rule_id:3 , access forward



    We found the root cause is during TLS handshake, the app store or bank server will need a request certificate, and the USG Flex device will return its certificate to the server rather than the end client's certificate, so the connection won't be established.
     
    https://www.rfc-editor.org/rfc/rfc5246

    We suggest you can add trusted URLs to the Exclude List of SSL Inspection, as below I added apple and megabank URLs to bypass SSL Inspection.


    Then can access to App store and bank app without problem.


    I can access the megabank app when enabling SSL Inspection, as below:


    The Monitor log shows "The identity of server certificate is in the exclude list. Pass this connection."


    Thanks.
    Hi @Zyxel_Jeff


     Thanks for looking at it. Your test lab setup reproduces the exact same scenario as I experienced.
    I can also verify that the work around with the ''exclude list'' did work for me as well.

    The purpose of my test was to eventually setup SSL Inspection on all of our company mobile devices which support adding root certificate but lacks the support of installing IDS and anti-virus software. But having to maintain an exclude list won't work for us. I can only imagine the issues of when someone's app or webpage isn't working.

Security Highlight