Certificate Inspection (Not Deep) Causes iOS App Store and iCloud Family Sharing to Fail?

Author
tanr
Gold Member
  • Total Posts : 389
  • Scores: 12
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
2017/07/22 18:52:04 (permalink)

Certificate Inspection (Not Deep) Causes iOS App Store and iCloud Family Sharing to Fail?

Hi All,
 
Some new iOS devices are on our network now and will fail to connect to Apple's App Store, or show correct state for their iCloud Family Sharing status, while certificate inspection is turned on.
 
Turning off certificate inspection allowed everything to work, but I thought just plain certificate inspection (not deep inspection) wasn't supposed to cause a problem with Apple's certificate pinning?
 
I thought I read other cases of problems with just certificate inspection, but haven't been able to find it in the forums.
 
Any thoughts or suggestions?
 
Thanks.
#1


    hmtay_FTNT
    Gold Member
    • Total Posts : 209
    • Scores: 26
    • Reward points: 0
    • Joined: 2017/02/22 11:02:10
    • Status: offline
    Re: Certificate Inspection (Not Deep) Causes iOS App Store and iCloud Family Sharing to Fa 2017/07/23 23:26:46 (permalink)
    Hello tanr,
     
    With certificate inspection, it should not cause any problems with certificate pinning since it is not replacing the SSL certificate. Can you do a packet capture and look to see if there are any sessions that have the certificate replaced with the FGT's certificate? I could check for you too if you can send me the pcap.
     
    Homing
    #2
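The check suggested in the reply above can be done without a pcap by connecting to the endpoint and comparing the served leaf certificate against one recorded while inspection was disabled. The following is an added example for this thread, not code from Fortinet or from any poster; the host, port and reference fingerprint are assumptions supplied by the operator, and the reference fingerprint is taken to have been captured on a path with no SSL inspection.

```python
"""Detect whether a TLS endpoint's leaf certificate has been re-signed on the path.

Added illustration for this thread. It does not depend on a FortiGate API; it only
compares the certificate a client actually receives with a reference fingerprint
recorded when inspection was off (a constructed assumption, not a value from the thread).
"""
import hashlib
import socket
import ssl
import sys


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER certificate, as openssl/browsers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Open a TLS connection and return the leaf certificate in DER form.

    Chain verification is switched off on purpose: a proxy-issued certificate that the
    client would normally reject is exactly the one we want to capture and inspect.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def classify(observed_fp: str, reference_fp: str) -> str:
    """Compare two fingerprints regardless of colon or case formatting.

    A mismatch means the client is not seeing the certificate recorded off-path. That is
    what an inspecting proxy produces, but a legitimate rotation at the origin looks the
    same, so confirm by reading the issuer of the served certificate before concluding
    that the firewall re-signed it.
    """
    def norm(fp: str) -> str:
        return fp.replace(":", "").upper()
    return "origin-certificate" if norm(observed_fp) == norm(reference_fp) else "certificate-replaced"


def check_host(host: str, reference_fp: str, port: int = 443) -> tuple:
    """Fetch the live leaf certificate and classify it against the reference."""
    der = fetch_leaf_der(host, port)
    observed = sha256_fingerprint(der)
    return observed, classify(observed, reference_fp), ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    # Usage (hostname and reference fingerprint are operator-supplied assumptions):
    #   python check_cert.py example.invalid AA:BB:...
    host_arg, ref_arg = sys.argv[1], sys.argv[2]
    fp, verdict, pem = check_host(host_arg, ref_arg)
    print(f"{host_arg}: {verdict} ({fp})")
    if verdict == "certificate-replaced":
        # Save the served certificate so its issuer can be checked with
        # `openssl x509 -noout -issuer -in served.pem`.
        with open("served.pem", "w") as fh:
            fh.write(pem)
```

Run it once from a client behind the inspection policy and once from a path without it; if the fingerprints differ only on the inspected path and the saved certificate's issuer is the firewall's CA, the session is being re-signed despite the policy being set to certificate inspection only.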
    Headspinning
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Status: offline
    Re: Certificate Inspection (Not Deep) Causes iOS App Store and iCloud Family Sharing to Fa 2017/11/29 01:15:25 (permalink)
    We have a similar issue with the App Store. You will need to do some packet captures to check. Usually it is the communication to the Akamai cache that gives the problem. Whitelisting the Akamai range from SSL inspection solved it for us, but it is far from ideal.
    I am also looking for the root cause and a more secure solution.
    #3
    tanr
    Gold Member
    • Total Posts : 389
    • Scores: 12
    • Reward points: 0
    • Joined: 2016/05/09 17:09:43
    • Status: offline
    Re: Certificate Inspection (Not Deep) Causes iOS App Store and iCloud Family Sharing to Fa 2017/11/29 07:30:19 (permalink)
    In my case the problem turned out not to be certificate pinning, but instead that the FortiGate wasn't properly matching iPhone and iPad device types. Instead of matching the policy for mobile devices it was matching a more generic policy for that subnet to the WAN. The more generic policy didn't allow some of the services needed for the iOS devices.
     
    My workaround was to have the policy rule match the specific devices themselves instead. This wasn't too bad to do for our small group, but would be a nightmare for a large company.
     
    I tried changing back to matching the device types (iPhone and iPad) with 5.4.6 but still see it failing to match sometimes. It's frustrating because I can't get it to happen regularly, otherwise I would report it as a bug.
     
    Has anybody seen this issue with 5.6.2?
    #4