This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
SSL Decryption with iOS 13 Devices
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- SSL Decryption with iOS 13 Devices
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
SSL Decryption with iOS 13 Devices
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
06-10-2019 02:26 PM
We began testing of the iOS 13 beta last week on several test devices that are connected to our internal mobile device network. This network passes traffic through the Palo with SSL decryption. We are finding that iOS 13, even with our cert installed on the device via MDM, does NOT accept the decrypt cert. We are still testing, but so far we have found several applications that will not work (some give errors, some just don't do anything), Safari will not open HTTPS sites, and our MDM environment cannot send commands to the devices. In all cases, once we take the device off of the internal WiFi, eliminating SSL decrypt, everything works.
I have not yet been able to find any documentation from Apple indicating that they are enforcing certificate pinning across the OS, but it sure seems like they might be. Has anyone else encountered this yet?
Thanks
23 REPLIES 23
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-07-2020 12:52 AM
Hi Bpry,
I am trying to apply the requirements to my Palaolto self-generated certificate but I wonder if you can help me on how to apply/configure the following requirement. Can you share more information on how to apply these requirements on the firewall?
TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-15-2020 12:37 AM
Where you able to generate the certificate with these requirement from the firewall? Or did you have to use for instance OpenSSL or generate a CSR and get the proper cert from a CA?
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-15-2020 12:44 AM
Have you tried changing the certificate settings on the Mac itself? I changed them to Use System default on my Catalina and it started working. Mind you this was for authentication to global protect but it still may be worth a shot.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-15-2020 02:20 PM
I also had this problem on my iPhone (13.5.1) and the Global Protect app. After successfully establishing a connection to my company network most websites would not load and displayed a certificate error due to SSL decryption. Here is the resolution:
1. Verify that your certificate profile is showing up under Settings > General > Profile. You should have been prompted to install this when connecting to GP for the first time.
2. This is the part that I was missing. Settings > General > About > Certificate Trust Settings (scroll to the bottom).
3. "Enable Full Trust" for your GP root certificate.
Once I did this I could browse to any site without certificate issues. Good luck!
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
07-15-2020 10:16 PM
So you have to change these settings on the IOS device itself? Were you able to use a self-signed certificate? did you still have to meet the requirements set in this link?
https://support.apple.com/en-us/HT210176
Really appreciate your response, thank you!
Related Content
- Offboard/Remove devices from AIOPS in AIOps for NGFW Discussions
- Cortex XDR disabling itself in Cortex XDR Discussions
- USB connectivity in XQL in Endpoint (Traps) Discussions
- Cortex XDR agent installation suggestions for a Proxmox host and its LXC containers in Cortex XDR Discussions
- Where to see graphs of peak bandwidth usage? in Next-Generation Firewall Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks