SSL Inspection error _ Mobile Devices

Author
sanu
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2014/06/19 17:54:22
  • Status: offline
2017/11/23 15:19:27 (permalink)
0

SSL Inspection error _ Mobile Devices

Dear Friends,
 
I need your kind attention on a small problem and need your valuable suggestions.
 
I have enabled SSL inspection in my Fortigate policy, which leads me to a certificate error in the browser which I overcame by installing a Fortigate certificate in the computer browser like Mozilla / Chrome / IE, etc., but what will I do with the mobile devices like Android / iPhones where I have no option to manually install the certificate?
 
Please do revert ASAP ... TqVM
 
 
Regards,
SANU
#1

12 Replies

    packetpusher
    Silver Member
    • Total Posts : 85
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/07/18 08:44:14
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/11/24 02:24:52 (permalink)
    0
    Great question! I've been thinking how to address that same issue by utilizing MDM. So far I haven't found a cost effective way to materialize my goal.
    #2
    packetpusher
    Silver Member
    • Total Posts : 85
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/07/18 08:44:14
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/11/25 02:42:12 (permalink)
    0
    Actually, there is an option to manually install certificates on mobile devices, i.e. check the following example regarding Android OS.
    ref. https://cheapsslsecurity.com/blog/install-ssl-certificate-on-android/
     
    For Apple devices (this is just an example), ref. https://documentation.meraki.com/SM/Device_Enrollment/Renewing_an_Apple_MDM_Push_Certificate
    #3
    emnoc
    Expert Member
    • Total Posts : 4404
    • Scores: 249
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/11/25 22:59:54 (permalink)
    0
    Yes, you can manage the CA trust store on most mobile devices.
     

    PCNSE6, PCNSE7, ACE, CCNP, FCNSP, FCESP, Linux+, CEH, ECSA, SCSA, SCNA, CISCA
    #4
    SecurityPlus
    Gold Member
    • Total Posts : 125
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/08/11 18:41:34
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/11/26 07:13:23 (permalink)
    0
    Do Apple and Android mobile devices respect commercially signed certificates as desktop and laptop browsers do?
    #5
    packetpusher
    Silver Member
    • Total Posts : 85
    • Scores: 0
    • Reward points: 0
    • Joined: 2016/07/18 08:44:14
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/11/26 07:56:27 (permalink)
    0
    In addition, how to install SSL cert onto Smart TV?
    #6
    emnoc
    Expert Member
    • Total Posts : 4404
    • Scores: 249
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/11/26 11:39:45 (permalink)
    0

    Do Apple and Android mobile devices respect commercially signed certificates as desktop and laptop browsers do?

     
    Yes, the cert store holds any certificate for root CAs (self-signed, commercial, pre-canned factory, etc....)
     
    Ken
     

    PCNSE6, PCNSE7, ACE, CCNP, FCNSP, FCESP, Linux+, CEH, ECSA, SCSA, SCNA, CISCA
    #7
    SecurityPlus
    Gold Member
    • Total Posts : 125
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/08/11 18:41:34
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/11/27 22:52:24 (permalink)
    0
    If the firewall has a commercial certificate (instead of default FortiGate or self signed certificate) does this eliminate the need to install the certificate in the mobile browser?
    #8
    emnoc
    Expert Member
    • Total Posts : 4404
    • Scores: 249
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/11/28 19:17:33 (permalink)
    0
    Depends, but if the CA intermediates are installed in that mobile device and trusted, then yes, this would work. Keep in mind something like 9k CAs exist but only 200/1K are installed in any given OS's/device's CTL. Keep in mind the SSL inspection certificate is not an end-server certificate.
     
    So if it's a well-known CA then you should be good. I hope that helps.
     
    post edited by emnoc - 2017/11/28 19:22:18

    PCNSE6, PCNSE7, ACE, CCNP, FCNSP, FCESP, Linux+, CEH, ECSA, SCSA, SCNA, CISCA
    #9
    SecurityPlus
    Gold Member
    • Total Posts : 125
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/08/11 18:41:34
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/11/28 23:14:52 (permalink)
    0
    Thanks
    #10
    emnoc
    Expert Member
    • Total Posts : 4404
    • Scores: 249
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/11/29 10:06:57 (permalink)
    0
    Keep this in mind: if you go with a commercial certificate for the MiTM SSL inspection, it requires more effort on the end-users to acquire this certificate.
     
    If you think about it, you're acting like a CA intermediate and dynamically re-signing or "forging" the CA chain and issuer. So most CAs require more from you when they issue you a certificate signed off the intermediate chain. It's not like you can go to GoDaddy or Comodo and ask "give me my own root/intermediate certificate because I want to do SSL decryption" ;)
     
     

    PCNSE6, PCNSE7, ACE, CCNP, FCNSP, FCESP, Linux+, CEH, ECSA, SCSA, SCNA, CISCA
    #11
    SecurityPlus
    Gold Member
    • Total Posts : 125
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/08/11 18:41:34
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/12/01 13:56:25 (permalink)
    0
    When you say more effort for the end-users, are you referring to the 12-, 24-, 36-, etc. month renewal of the certificate? Would like to do deep packet inspection without having the user get a certificate warning and without having to add certificates to every user machine individually. Not all organizations are using Active Directory, so this is often not an option.
    #12
    emnoc
    Expert Member
    • Total Posts : 4404
    • Scores: 249
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: SSL Inspection error _ Mobile Devices 2017/12/01 17:54:15 (permalink)
    0
    No, I need to clarify. Obtaining a CA-signed certificate requires you to do more work from an org standpoint. You have to sign more paper, provide this and that, and so on...... from most certificate issuers, but once done it's done.
     
    Outside of that it's a breeze. I would still do a POC using an internal/local CA authority that you control before applying for a cert from a well-known issuer, imho.
     

    PCNSE6, PCNSE7, ACE, CCNP, FCNSP, FCESP, Linux+, CEH, ECSA, SCSA, SCNA, CISCA
    #13
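The trust-store point from #9 (the client only accepts the re-signed certificate if the inspection CA sits in the device's CTL; otherwise it throws exactly the certificate error the thread is about) and the internal-CA POC recommended in #13, as an added example that is not part of this thread and not FortiGate's own code. It is a standalone Go program using only the standard library: it builds a lab root CA standing in for the inspection CA, issues a server certificate for one host from it the way an inspection proxy would, and then verifies that certificate as a client would, once against an empty trust store and once after the CA has been added. The CA name "Lab Inspection CA", the host www.example.com and all validity periods are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// LabPKI is a constructed stand-in for an SSL-inspection setup: CA is the
// inspection root and Leaf is the certificate the proxy presents to the
// client for one visited host.
type LabPKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// issue signs tmpl with signer (under parent) and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewLabPKI builds a self-signed root CA named caName and issues a server
// certificate for host from it. Names and lifetimes are lab values.
func NewLabPKI(caName, host string) (*LabPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// The proxy uses a fresh key per host and signs the leaf with the CA key.
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := issue(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &LabPKI{CA: ca, Leaf: leaf}, nil
}

// VerifyAsClient checks leaf for host against roots, as a browser or mobile OS
// would. Pass an explicit (possibly empty) pool to model the device's own CTL.
func VerifyAsClient(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the "certificate error" from the
// thread: the chain ends at a CA the device does not trust.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// IssuedByInspectionCA is a defender-side check: a leaf for a public site that
// validates under the inspection CA means that session was decrypted in transit.
func IssuedByInspectionCA(leaf, ca *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(ca) == nil
}

func main() {
	pki, err := NewLabPKI("Lab Inspection CA", "www.example.com")
	if err != nil {
		panic(err)
	}
	untrusted := x509.NewCertPool() // device that never received the CA
	trusted := x509.NewCertPool()   // device where the CA was installed
	trusted.AddCert(pki.CA)
	err = VerifyAsClient(pki.Leaf, untrusted, "www.example.com")
	fmt.Printf("without CA: unknown authority = %v\n", IsUnknownAuthority(err))
	fmt.Printf("with CA:    error = %v\n", VerifyAsClient(pki.Leaf, trusted, "www.example.com"))
	fmt.Printf("leaf signed by inspection CA: %v\n", IssuedByInspectionCA(pki.Leaf, pki.CA))
}
```

The empty pool is the interesting case: a device that was never given the inspection CA fails with an unknown-authority error no matter how "commercial" the CA name looks, which is why the public-CA route discussed in #9 and #11 only removes the warning when that CA is already in the device's CTL. The hostname check in `VerifyAsClient` also shows the second thing a client enforces: the re-signed leaf must carry the visited host name, not just chain to a trusted root.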
    © 2017 APG vNext Commercial Version 5.5