SSL Inspection question (iPhone iOS 16)?
- SSL Inspection Server signed certificate key mode was set to ECDSA-RSA-2048.
- Done.
Accepted Solution
-
Hi @Ensto
We built a lab and can reproduce this symptom as well. Topology:
USG Flex 200 (SSL Inspection enabled) (LAN: 192.168.1.1/24) > (WAN: 192.168.1.33) USG60W (LAN2: 192.168.88.1/24) > iPhone 8 Plus (iOS 16) (192.168.88.33), with the USG Flex 200's certificate (.p12 file) imported.
But it cannot access the App Store and the megabank app, as below:
It means the internet connection goes wrong, please check your internet status.
The Monitor log shows: Pass untrusted certificate chain [server] connection. Rule_id:3 , access forward
We found the root cause: during the TLS handshake, the App Store or bank server sends a certificate request, and the USG Flex device returns its own certificate to the server rather than the end client's certificate, so the connection is not established.
https://www.rfc-editor.org/rfc/rfc5246
We suggest adding the trusted URLs to the Exclude List of SSL Inspection; as below, I added the Apple and megabank URLs to bypass SSL Inspection.
Then the App Store and bank app can be accessed without problem.
I can access the megabank app with SSL Inspection enabled, as below:
The Monitor log shows "The identity of server certificate is in the exclude list. Pass this connection."
Thanks.
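The handshake Zyxel_Jeff describes, as an added example that is not part of the thread and not Zyxel code: a bank server that requires a client certificate (TLS 1.3 CertificateRequest), the phone holding a certificate the bank's CA issued, and the server-facing leg of an inspecting firewall that terminated the phone's TLS session and re-originates it. The firewall can mint server certificates under its own inspection CA (the .p12 the phone was made to trust), but it has no key the bank's CA ever signed, so the bank rejects the second leg. All names (bank.example, customer-device, "USG Inspection CA") are made up for the demo, and the certificates are generated in memory. One detail of Go's client: it omits a certificate whose issuer is not in the server's acceptable-CA list, so this leg fails with "client didn't provide a certificate"; a firewall that sent its own certificate anyway would be rejected as signed by an unknown authority. Either way it is the symptom in the thread.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert mints an ECDSA P-256 certificate for cn. With parent == nil it is a
// self-signed CA; otherwise it is a leaf signed by parent that is valid for
// both server and client authentication.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signerCert, signerKey := tmpl, crypto.Signer(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signerCert, signerKey = parent.Leaf, parent.PrivateKey.(crypto.Signer)
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake runs one TLS connection over loopback and returns the server's
// verdict. A TLS 1.3 client reports success as soon as it has sent its own
// Finished, before the server has looked at the client certificate at all.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() { // client side; its own verdict is not authoritative (see above)
		defer close(done)
		if c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
			c.Read(make([]byte, 8)) // greeting on success, the server's alert on failure
			c.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return err
	}
	defer conn.Close()
	tconn := tls.Server(conn, serverCfg)
	if err = tconn.Handshake(); err == nil {
		tconn.Write([]byte("ok\n")) // greeting so the client does not close first
	}
	<-done
	return err
}

// BuildConfigs models the thread's topology with made-up names: a bank server
// that requires client certificates, the phone holding one, and the inspecting
// firewall, which can mint certificates under its own CA but holds no key that
// the bank's CA ever signed.
func BuildConfigs() (server, phone, firewall *tls.Config) {
	bankCA := newCert("Bank Root CA", nil)
	inspectCA := newCert("USG Inspection CA", nil) // the CA whose .p12 the phone was made to trust
	bankPool := x509.NewCertPool()
	bankPool.AddCert(bankCA.Leaf)
	client := func(cert tls.Certificate) *tls.Config {
		return &tls.Config{ServerName: "bank.example", RootCAs: bankPool,
			Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
	}
	server = &tls.Config{
		Certificates: []tls.Certificate{newCert("bank.example", &bankCA)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // makes the server send CertificateRequest
		ClientCAs:    bankPool, MinVersion: tls.VersionTLS13,
	}
	// The phone's key never leaves the phone; the firewall's leaf is the best it can offer.
	return server, client(newCert("customer-device", &bankCA)), client(newCert("bank.example", &inspectCA))
}

func main() {
	server, phone, firewall := BuildConfigs()
	fmt.Println("phone direct:", handshake(server, phone), "| via firewall:", handshake(server, firewall))
}
```

The first call returns nil and the second an error, which is why no amount of trusting the firewall's CA on the phone helps: the missing piece is on the server side of the firewall. As a general note beyond this demo, apps that pin the server certificate fail under inspection for a different reason, and the Exclude List is the only fix for those too.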
All Replies
-
Hi @Ensto
(1). Could you share screenshots of the apps (App Store, bank app, national ID app, home security) that are not working, and screenshots of the "untrusted certificate chain" flag message?
(2). During that time, are there any suspicious logs on the USG Flex 100's Monitor log (Monitor > Log > View Log)? Please share those screenshots with us too.
(3). How long is the assumed block time ("the App Store even stops working within a certain time period after the SSL inspection rule is disabled/removed and iPhone is rebooted") that you mentioned? How did you recover it? By rebooting the USG Flex 100 or another way?
Thanks.
-
Zyxel_Jeff said:
Hi @Ensto
(1). Could you share screenshots of the apps (App Store, bank app, national ID app, home security) that are not working, and screenshots of the "untrusted certificate chain" flag message?
(2). During that time, are there any suspicious logs on the USG Flex 100's Monitor log (Monitor > Log > View Log)? Please share those screenshots with us too.
(3). How long is the assumed block time ("the App Store even stops working within a certain time period after the SSL inspection rule is disabled/removed and iPhone is rebooted") that you mentioned? How did you recover it? By rebooting the USG Flex 100 or another way?
Thanks.
1. This is when trying to use the Apple App Store:
This is when trying to use BankID:
This is when trying to use Tuya Smart:
This app in particular creates almost 80 log posts in about one second.
2. There is no suspicious activity in the "All logs" tab, only the usual scanning blocks from around the world and my VPN IKE connection running all the time.
3. We can rule this "block time" out; I was not able to recreate the same scenario today. But I noticed that all my other devices on the interfaces with the SSL Inspection rule active, which don't have the self-signed certificate added to their root directory, are not able to connect to the WAN properly, as shown below:
When trying to access a Swedish newspaper site with the Edge browser (Windows 11) on my PC, which doesn't have the certificate installed:
When trying to use the native email client on my iPad, which doesn't have the certificate installed:
-
Zyxel_Jeff said:
Hi @Ensto
We built a lab and can reproduce this symptom as well. Topology:
USG Flex 200 (SSL Inspection enabled) (LAN: 192.168.1.1/24) > (WAN: 192.168.1.33) USG60W (LAN2: 192.168.88.1/24) > iPhone 8 Plus (iOS 16) (192.168.88.33), with the USG Flex 200's certificate (.p12 file) imported.
But it cannot access the App Store and the megabank app, as below:
It means the internet connection goes wrong, please check your internet status.
The Monitor log shows: Pass untrusted certificate chain [server] connection. Rule_id:3 , access forward
We found the root cause: during the TLS handshake, the App Store or bank server sends a certificate request, and the USG Flex device returns its own certificate to the server rather than the end client's certificate, so the connection is not established.
https://www.rfc-editor.org/rfc/rfc5246
We suggest adding the trusted URLs to the Exclude List of SSL Inspection; as below, I added the Apple and megabank URLs to bypass SSL Inspection.
Then the App Store and bank app can be accessed without problem.
I can access the megabank app with SSL Inspection enabled, as below:
The Monitor log shows "The identity of server certificate is in the exclude list. Pass this connection."
Thanks.
Thanks for looking at it. Your test lab setup reproduces the exact same scenario I experienced.
I can also verify that the workaround with the "exclude list" worked for me as well.
The purpose of my test was to eventually set up SSL Inspection on all of our company mobile devices, which support adding a root certificate but lack support for installing IDS and anti-virus software. But having to maintain an exclude list won't work for us. I can only imagine the issues when someone's app or web page isn't working.