https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-www-apple-com/m-p/424437#M94258 <P>We are testing SSL decryption and are finding that Macs are getting a certificate warning page when visiting <A href="https://www.apple.com" target="_blank">https://www.apple.com</A>.&nbsp; The warning says "This website may be impersonating "<A href="http://www.apple.com" target="_blank">www.apple.com</A>" to steal your personal or financial information".&nbsp; These Macs do trust our Root CA, so it's not that.&nbsp; I put "<A href="http://www.apple.com" target="_blank">www.apple.com</A>" in the SSL Decryption Exclusion list and that resolved it.</P><P>&nbsp;</P><P>Anyone know what is causing this warning? Is it certificate pinning? A couple of our Mac testers also reported that they could not download the Big Sur update over GlobalProtect(<A href="http://www.apple.com" target="_blank">www.apple.com</A> was not yet in the exclusion list).&nbsp; Does the Palo need <A href="http://www.apple.com(and" target="_blank">www.apple.com(and</A>&nbsp;maybe others) added to the SSL Decryption Exclusion list in order for Mac updates to work?</P> Wed, 04 Aug 2021 13:25:36 GMT jambulo 2021-08-04T13:25:36Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-www-apple-com/m-p/424437#M94258 <P>We are testing SSL decryption and are finding that Macs are getting a certificate warning page when visiting <A href="https://www.apple.com" target="_blank">https://www.apple.com</A>.&nbsp; The warning says "This website may be impersonating "<A href="http://www.apple.com" target="_blank">www.apple.com</A>" to steal your personal or financial information".&nbsp; These Macs do trust our Root CA, so it's not that.&nbsp; I put "<A href="http://www.apple.com" target="_blank">www.apple.com</A>" in the SSL Decryption Exclusion list and that resolved it.</P><P>&nbsp;</P><P>Anyone know what is causing this warning? Is it certificate pinning? A couple of our Mac testers also reported that they could not download the Big Sur update over GlobalProtect(<A href="http://www.apple.com" target="_blank">www.apple.com</A> was not yet in the exclusion list).&nbsp; Does the Palo need <A href="http://www.apple.com(and" target="_blank">www.apple.com(and</A>&nbsp;maybe others) added to the SSL Decryption Exclusion list in order for Mac updates to work?</P> Wed, 04 Aug 2021 13:25:36 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-www-apple-com/m-p/424437#M94258 jambulo 2021-08-04T13:25:36Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-www-apple-com/m-p/424538#M94259 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7542">@jambulo</a>,</P><P>If the users are using Safari they'll receive that error unless you exclude the site from decryption, if they utilize something like Chrome or Edge then you won't see that warning.&nbsp;</P><P>Generally speaking there's not a lot of Apple services that support being decrypted, and I generally just recommend people bypass decryption for this traffic. Apple does a really good job publishing the exceptions that you need to create <A href="https://support.apple.com/en-us/HT210060" target="_self">HERE</A></P> Wed, 04 Aug 2021 17:44:36 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-and-www-apple-com/m-p/424538#M94259 BPry 2021-08-04T17:44:36Z