06-10-2019 02:26 PM
We began testing of the iOS 13 beta last week on several test devices that are connected to our internal mobile device network. This network passes traffic through the Palo with SSL decryption. We are finding that iOS 13, even with our cert installed on the device via MDM, does NOT accept the decrypt cert. We are still testing, but so far we have found several applications that will not work (some give errors, some just don't do anything), Safari will not open HTTPS sites, and our MDM environment cannot send commands to the devices. In all cases, once we take the device off of the internal WiFi, eliminating SSL decrypt, everything works.
I have not yet been able to find any documentation from Apple indicating that they are enforcing certificate pinning across the OS, but it sure seems like they might be. Has anyone else encountered this yet?
Thanks
01-31-2022 02:18 PM
@LAYER_8 Thanks for your reply. Yes, we did try to import the Root CA and new SubCA onto the iOS device but no luck. The new SubCA is signed by the same Root CA as the original certificate that was working before it expired.
02-01-2022 10:50 AM
If you don't mind me asking, who is the root CA?
Let's Encrypt X1 CA expired, so they allowed for multiple paths/chains of custody, and this continues to break many devices as applications see a default path to an expired cert and block the session.
02-04-2022 01:01 PM
And you are able to confirm those certificates have EKUs on them? That's really strange.
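The EKU question above is the right one to ask: with iOS 13 and macOS 10.15 Apple began rejecting TLS server certificates that lack an ExtendedKeyUsage containing id-kp-serverAuth, use RSA keys shorter than 2048 bits, are signed with SHA-1, carry no SubjectAltName, or are valid for more than 825 days. A decryption appliance's forged leaf certificates (and any intermediate it signs with) have to meet all of those, which is what to check before suspecting OS-wide pinning. The following script is an added example, not part of the original thread and not a Palo Alto or Apple tool; it uses the `cryptography` library to lint a certificate against those documented requirements, and builds two self-signed sample certificates inline (the `intranet.example.test` name is made up) so it runs offline. `check_pem_file` is a hypothetical helper for pointing it at a real exported certificate.

```python
"""Lint a TLS server certificate against Apple's published iOS 13 / macOS 10.15
trust requirements. Added example for this thread, not vendor code."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

MAX_VALIDITY_DAYS = 825  # Apple's limit for certificates issued after 2019-07-01


def _lifetime(cert: x509.Certificate) -> timedelta:
    # Newer cryptography versions expose tz-aware accessors; fall back otherwise.
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_after_utc - cert.not_valid_before_utc
    return cert.not_valid_after - cert.not_valid_before


def ios13_findings(cert: x509.Certificate) -> list[str]:
    """Return a list of reasons iOS 13+ would refuse this leaf certificate.
    An empty list means every checked requirement is satisfied."""
    findings = []

    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < 2048:
        findings.append(f"RSA key too small: {pub.key_size} bits (need >= 2048)")

    sig = cert.signature_hash_algorithm
    if sig is None or isinstance(sig, (hashes.SHA1, hashes.MD5)):
        findings.append("signature hash is SHA-1/MD5 (need a SHA-2 algorithm)")

    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            findings.append("ExtendedKeyUsage present but lacks id-kp-serverAuth")
    except x509.ExtensionNotFound:
        findings.append("no ExtendedKeyUsage extension (need id-kp-serverAuth)")

    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        if not san.get_values_for_type(x509.DNSName) and not san.get_values_for_type(x509.IPAddress):
            findings.append("SubjectAltName has no DNS or IP entries")
    except x509.ExtensionNotFound:
        findings.append("no SubjectAltName extension (the CN alone is not matched)")

    lifetime = _lifetime(cert)
    if lifetime > timedelta(days=MAX_VALIDITY_DAYS):
        findings.append(f"validity of {lifetime.days} days exceeds {MAX_VALIDITY_DAYS}")

    return findings


def check_pem_file(path: str) -> list[str]:
    """Hypothetical convenience wrapper: lint a PEM certificate exported from a device or proxy."""
    with open(path, "rb") as fh:
        return ios13_findings(x509.load_pem_x509_certificate(fh.read()))


def build_sample_cert(common_name: str, days: int, key_size: int = 2048,
                      with_eku: bool = True, with_san: bool = True) -> x509.Certificate:
    """Construct a self-signed certificate for demonstration (constructed sample, not real)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=days)))
    if with_eku:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    if with_san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    # A leaf that satisfies the requirements, and one shaped like a legacy proxy cert.
    good = build_sample_cert("intranet.example.test", days=365)
    bad = build_sample_cert("intranet.example.test", days=1095, key_size=1024, with_eku=False)
    for label, cert in (("good", good), ("bad", bad)):
        print(label, "->", ios13_findings(cert) or "OK for iOS 13")
```

Run it against the certificate your MDM pushed and against a leaf the firewall forged for an HTTPS site (export it from a desktop browser on the same network); any non-empty finding list is a concrete reason for the rejection that is independent of app-level pinning.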