Is there a solution or work around for SSL Inspection for "Big Sur"?

kunz
kunz Posts: 32  Freshman Member
First Comment Friend Collector Third Anniversary
edited April 2021 in Security
Hi

Using an APT500, what is the solution for Apple clients like "Big Sur" for SSL Inspection?

Thanks...

All Replies

  • kunz
    kunz Posts: 32  Freshman Member
    First Comment Friend Collector Third Anniversary
    We bought this ATP500 thinking all our device clients would benefit from the SSL Inspection...but it looks like we will have to try a different solution.
  • kunz
    kunz Posts: 32  Freshman Member
    First Comment Friend Collector Third Anniversary
    edited December 2020
    We thought it was a catch all for all client platforms. May that be Windows, MacOS, Linux, Android or iOS. But it seems "Big Sur" is not supported. SSL Inspection. Certificate problem. What to do now. Disappointed.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary
    Hi @kunz

    You can follow these steps to generate and import certificate on Mac and work with SSL inspection.
    (1) Generate certificate. (Configuration > Object > Certificate)

    (2) Create SSL inspection profile (Configuration > Security Service > SSL Inspection)

    (3) Create policy control rule for your client (Configuration > Security Policy > Policy Control)

    (4) Export certificate to your Mac.(Export certificate with private key and change file type as .p12)

    (5) Import certificate to your Mac by "KeyChain Access" and trust it.

    After these steps, you may access to HTTPS WebSite and have a check if certificate has replaced as new one.

  • kunz
    kunz Posts: 32  Freshman Member
    First Comment Friend Collector Third Anniversary
    Hi @Zyxel_Stanley

    Many thanks for your kind reply to my query...

    I noticed when I use the "default.crt", the Safari web browser seems to use with the SSL Inspection slow sometimes and sometimes fast, but ok with me.

    My concern also are the following, the non functionality of these features with the Mac when SSL Inspection is enabled, the "App Store". iCloud. AppleID, System Update,etc. 

    If I disable SSL Inspection, all of them seem to work again...the "App Store". iCloud. AppleID, System Update,etc.

    In this recommendation you would like me to create a new crt for Macs, is the Key length 2048 ok? 

    I had read a similar article on apple support, NOT this one... https://support.apple.com/guide/keychain-access/create-self-signed-certificates-kyca8916/11.0/mac/11.0

    It seems "RSA keys up to 4096 bits. RSA keys smaller than 2048 bits are no longer supported."

    As I can't find the particular exact one as that was a few days ago and was not able to bookmark it. but also mentioned something about the 4096 bits if I remember correctly
    ,and something about the validity in days, etc...

    Your work around, will it work with my issues?

    Will they work with the "App Store". iCloud. AppleID, System Update,etc. when SSL Inspection is enabled? 

    What is the difference with the "default.crt" and a new one to be generated if they have the same key length?


    My apologies for my questions as I want this to work out...


    Again, many thanks for your patience and kind reply.


    kunz

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary
    edited December 2020

    Hi @kunz  

    Yes, you can generate certificate by Mac. But current ATP support maximum key length is up to 2048. Mac system no longer support key length less than 2048.


    According to some of Apple websites doesn’t work after SSL inspection is enabled.

    The reason is because Web Server deny the traffic those certificate has replaced. (https://support.apple.com/en-us/HT210060)

    You can exclude the website by: Monitor > SSL Inspection > Certificate Cache List.

    After added certificate into exclude list, then ATP will not replace certificate during you access the Web Site. (And it means web site is unable to inspect)


  • kunz
    kunz Posts: 32  Freshman Member
    First Comment Friend Collector Third Anniversary
    Hi @Zyxel_Stanley,

    Ok,many thanks...

Security Highlight