SSL Inspection question (iPhone iOS 16)?

Zyxel_Jeff said:

Hi @Ensto

(1). Could you share the screenshot of Apps(App store, bank app, nation ID app, home security) that are not working? And the screenshots of "untrusted certificate chain" flag message.

(2). During that time, are there any suspicious logs that can be observed on the USG Flex100’s Monitor log(Monitor > Log > View Log)? Please share the screenshots with us, too.

(3). How long is the assumed block time(“ the App Store even stops working within a certain time period after the SSL inspection rule is disabled/removed and iPhone is rebooted”) that you mentioned it? How did you recover it? By rebooting USG Flex100 or another way?

Thanks.

1. I don't have any screenshot of apps but the apps are: App Store (native iOS 16), BankID (most used digital ID in Sweden), Tuya Smart (IoT sensors like smoke detectors).

This is when trying to use Apple App Store:


This is when trying to use BankID:


This is when trying to use Tuya Smart:
Now this app in particular creates almost 80 log post in about one second.


2. There is no suspicious activity in the ''all logs tab''. Only common scanning blocks from around the world as usual and my VPN IKE connection running all the time.



3. We can rule this ''block time'' out, I was not able to re-create the same scenario today. But I noticed that all my other devices on the interface's with the SSL Inspection rule active on it which doesn't have the self-signed certificate added in their root directory will not be able to connect to WAN properly as shown below:

When trying to access a swedish newspaper site with EDGE browser (win 11) on my PC which don't have the certificate installed:


When trying to use the native email client on my iPad which don't have the certificate installed:

Zyxel_Jeff said:

Hi @Ensto

We built a lab and can reproduce this symptom as well.

Topology:

USG Flex 200(enables SSL Inspection)(LAN: 192.168.1.1/24) > (WAN:192.168.1.33)USG60W(LAN2:192.168.88.1/24) > iphone 8 plus (iOS16) (192.168.88.33) and import USG 200’s certificate .p12 file.

But cannot access App Store and megabank app, as below:

 

It means the internet connection goes wrong, please check your internet status. 

Monitor Log shows Pass untrusted certificate chain [server] connection. Rule_id:3 , access forward

We found the root cause is during TLS handshake, the app store or bank server will need a request certificate, and the USG Flex device will return its certificate to the server rather than the end client's certificate, so the connection won't be established.
 
https://www.rfc-editor.org/rfc/rfc5246

We suggest you can add trusted URLs to the Exclude List of SSL Inspection, as below I added apple and megabank URLs to bypass SSL Inspection.

Then can access to App store and bank app without problem.


I can access the megabank app when enabling SSL Inspection, as below:


The Monitor log shows "The identity of server certificate is in the exclude list. Pass this connection."


Thanks.

Hi @Zyxel_Jeff


 Thanks for looking at it. Your test lab setup reproduces the exact same scenario as I experienced.
I can also verify that the work around with the ''exclude list'' did work for me as well.

The purpose of my test was to eventually setup SSL Inspection on all of our company mobile devices which support adding root certificate but lacks the support of installing IDS and anti-virus software. But having to maintain an exclude list won't work for us. I can only imagine the issues of when someone's app or webpage isn't working.