topic Re: SSL Decryption with iOS 13 Devices in General Topics

SSL Decryption with iOS 13 Devices

davisjj — Mon, 10 Jun 2019 21:26:55 GMT

We began testing of the iOS 13 beta last week on several test devices that are connected to our internal mobile device network. This network passes traffic through the Palo with SSL decryption. We are finding that iOS 13, even with our cert installed on the device via MDM, does NOT accept the decrypt cert. We are still testing, but so far we have found several applications that will not work (some give errors, some just don't do anything), Safari will not open HTTPS sites, and our MDM environment cannot send commands to the devices. In all cases, once we take the device off of the internal WiFi, eliminating SSL decrypt, everything works.

I have not yet been able to find any documentation from Apple indicating that they are enforcing certificate pinning across the OS, but it sure seems like they might be. Has anyone else encountered this yet?

Thanks

Re: SSL Decryption with iOS 13 Devices

BPry — Wed, 12 Jun 2019 08:11:54 GMT

@davisjj,

Just curious why you would starting testing on the initial beta while things are known to be broken and not wait until at least the public preview? This release is so Devs can actually start working with the new APIs, for what you are doing the Public Preview that's due out next month is far more appropriate for your testing.

If you look at the release notes the MDM queries not returning properly is a known issue and is currently broken within the developer preview. If Apple is enforcing Cert Pinning throughout the OS it certaintly hasn't been documented anywhere and wasn't mentioned at WWDC.

Re: SSL Decryption with iOS 13 Devices

davisjj — Thu, 13 Jun 2019 15:32:15 GMT

Thanks for the reply. I am well aware of the perils of beta 1. That's why I have multiple devices. My company does do internal iOS development, although that's a relatively recent addition.

That said, I think that IT professionals who support iOS in their environment should begin testing iOS releases as soon as they are available. It seems that Apple is starting to take this approach as well, seeing as how they are going to allow customers who are enrolled in Apple Business Manager to begin downloading the betas at the same time as developer program members. In this case, getting an early jump on things has allowed me to open up the conversation internally. We are asking, "what if" in regards to decrypt. We have also said we won't make any changes until later in the beta cycle to see if it is still an issue.

I don't have any problem living with a semi-working device for a few months. I've been doing that annually for years. My question was regarding whether or not I missed something in the WWDC presentations/docs. It sounds like I didn't, so we will take a wait and see approach. Frankly, I'd like to see them push the issue with cert pinning. I don't think it is necessary to decrypt mobile device traffic. All that leads to is users turning off their WiFi when things don't work.

Re: SSL Decryption with iOS 13 Devices

RocRaider — Fri, 18 Oct 2019 16:39:50 GMT

Did you ever find a resolution to this. We are running in to the same thing on our devices that are running iOS 13.

Re: SSL Decryption with iOS 13 Devices

lucianocf — Mon, 21 Oct 2019 21:28:02 GMT

I'm with the same problem. There is any solution?

Re: SSL Decryption with iOS 13 Devices

george.v.bowles — Wed, 23 Oct 2019 16:07:44 GMT

Same problem here. iOS 12.x devices are fine and have been for a long time. All other devices (Windows, Chromebooks, Linux, Android) with install cert are fine. iOS 13.x devices are broken. Cert is installed, trusted. We are stumped. Cannot figure out why this will not work. Had a 2 hour call with Apple on 10/17/2019 and they are having us send some extended logging info to them. Please reply if there is any additional information to share.

Re: SSL Decryption with iOS 13 Devices

RocRaider — Thu, 24 Oct 2019 18:21:21 GMT

We are seeing similar issues with macOS Catalina. Certificate is installed but we continue to get SSL errors when using safari.

Re: SSL Decryption with iOS 13 Devices

george.v.bowles — Thu, 24 Oct 2019 18:37:23 GMT

@RocRaider- We are in the same boat on the same page. Frankly, we have no idea what to do. We have 3,000 iPads and fewer than 50 MacBooks and we're not getting much help from either PaloAlto or Apple. I hope somebody figures it out soon because we have, basically, given up. If someone doesn't get this under control soon my Financial Advice would be to invest in Chromebook Manufacturers!

Re: SSL Decryption with iOS 13 Devices

BPry — Thu, 24 Oct 2019 18:42:06 GMT

Has anyone verified that you meet the new system requirements for iOS 13 and macOS 10.15? With these in place we haven't run into any issues decrypting Apple traffic, but if you don't meet one of the new requirements then this will cause the device to reject the trusted cert.

https://support.apple.com/en-us/HT210176

Re: SSL Decryption with iOS 13 Devices

george.v.bowles — Thu, 24 Oct 2019 19:24:20 GMT

Yep! First thing we did when they came out and we started having trouble.

Re: SSL Decryption with iOS 13 Devices

melbatniji — Tue, 07 Jul 2020 07:52:57 GMT

Hi Bpry,

I am trying to apply the requirements to my Palaolto self-generated certificate but I wonder if you can help me on how to apply/configure the following requirement. Can you share more information on how to apply these requirements on the firewall?

TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.

Re: SSL Decryption with iOS 13 Devices

Chadi_Sleiman — Wed, 15 Jul 2020 07:37:01 GMT

Where you able to generate the certificate with these requirement from the firewall? Or did you have to use for instance OpenSSL or generate a CSR and get the proper cert from a CA?

Re: SSL Decryption with iOS 13 Devices

Chadi_Sleiman — Wed, 15 Jul 2020 07:44:08 GMT

Have you tried changing the certificate settings on the Mac itself? I changed them to Use System default on my Catalina and it started working. Mind you this was for authentication to global protect but it still may be worth a shot.

Re: SSL Decryption with iOS 13 Devices (FIXED)

NWesolowski — Wed, 15 Jul 2020 21:20:54 GMT

I also had this problem on my iPhone (13.5.1) and the Global Protect app. After successfully establishing a connection to my company network most websites would not load and displayed a certificate error due to SSL decryption. Here is the resolution:

1. Verify that your certificate profile is showing up under Settings > General > Profile. You should have been prompted to install this when connecting to GP for the first time.

2. This is the part that I was missing. Settings > General > About > Certificate Trust Settings (scroll to the bottom).

3. "Enable Full Trust" for your GP root certificate.

Once I did this I could browse to any site without certificate issues. Good luck!

Re: SSL Decryption with iOS 13 Devices (FIXED)

Chadi_Sleiman — Thu, 16 Jul 2020 05:16:37 GMT

So you have to change these settings on the IOS device itself? Were you able to use a self-signed certificate? did you still have to meet the requirements set in this link?

https://support.apple.com/en-us/HT210176

Really appreciate your response, thank you!

Re: SSL Decryption with iOS 13 Devices (FIXED)

LAYER_8 — Thu, 11 Mar 2021 16:58:54 GMT

You may struggle generating a cert on the firewall with an OID/EKU field. Some options:

Roll your own root CA. Something like this.

Or, create a file named "cert_config" with similar attributes:

[ req ]

prompt = no

distinguished_name = my dn

[ my dn ]

# The bare minimum is probably a commonName

commonName = secure.example.com

countryName = XX

localityName = Fun Land

organizationName = MyCo LLC LTD INC (d.b.a. OurCo)

organizationalUnitName = SSL Dept.

stateOrProvinceName = YY

emailAddress = ssl-admin@example.com

name = John Doe

surname = Doe

givenName = John

initials = JXD

dnQualifier = some

[ my server exts ]

extendedKeyUsage = 1.3.6.1.5.5.7.3.1

# 1.3.6.1.5.5.7.3.1 can also be spelled serverAuth:

# extendedKeyUsage = serverAuth

# see x509v3_config for other extensions

You may also want to look into more EKU attributes, for example, encipherment, decryption, etc..

Use openssl to generate the certificate:

$ openssl req -x509 -config cert_config -extensions 'my server exts' -nodes -days 365 -newkey rsa:4096 -keyout myserver.key -out myserver.crt

Source

Re: SSL Decryption with iOS 13 Devices

Ben-Price — Fri, 21 Jan 2022 03:41:18 GMT

@davisjj @george.v.bowles @RocRaider Did you guys ever find an resolution to this issue? Experiencing the same issue on IOS 14 and 15. Windows devices working fine.

Re: SSL Decryption with iOS 13 Devices

davisjj — Fri, 21 Jan 2022 13:52:57 GMT

@Ben-Price We did, sort of. The only solid solution is to not decrypt/inspect the traffic. Apple is taking a pretty strong stance that allowing any intercept is a detriment to the overall security of their platform. I think we are seeing this more and more. It's hard to argue with the logic.

Re: SSL Decryption with iOS 13 Devices

Ben-Price — Sat, 22 Jan 2022 20:49:17 GMT

@davisjj Thanks for your response.

Its strange, this was working for these iOS devices until we renewed our forward trust certificate as the old one was going to expire, Now with the new renewed certificate the iOS clients don't work. No version iOS config or version change.

Re: SSL Decryption with iOS 13 Devices

LAYER_8 — Mon, 31 Jan 2022 18:55:25 GMT

Did you import the full chain of trust to the iOS devices?

I had issues generating the cert, then fixed that, but only found in some forum later that even with your own correct CA/intermediate CA and client cert, you need all 3 as trusted on an iOS device for things to work.

With an ESM or MDM, sure that's easy. Doing it one-off with an app like configurator 2, tough times.