How to detect decrypt HTTPS web proxy certificate failures

Hi,

 

Some applications on IOS devices fail to connect to their servers if decrypt HTTPS using a web proxy is enabled (obviously the Sophos XG CA is imported and enabled). I suspect they may have implemented certificate pinning or another control which prevents the Sophos XG CA certificate from being accepted by the app.

 

Is there a way to detect in the XG logs that either the TLS handshake between app/client and XG/server or XG/client and originating web server has failed? This would help in identifying which domain the app wants to connect to, since it is not always easy to identify this in the web filter logs.

 

Note: the solution to this is to add the domain of the originating web server the app wants to connect to to the web exception list and skip the HTTPS decryption there.

 

Br,

Jan

  • Hi Jan,

    from my experience with my iPhones is I gave up, too many apps do not like being decrypted. On the iPad a similar issue, but I also think there are more ports involved, but also gave up.

    in mail I made change to the XG while testing a configuration For a thread and broke my mail scanning on the iPad and have not been able to find what broke. The CA is accepted for about an hour and then rejected.

    if you end up putting a number of exceptions then you might as well not scan the application.

    ian

  • If you are using v18 and the DPI mode, there are new logs for SSL/TLS that are clearer, as well as a new dashboard.  There is new workflow to make changes to the rules from within those.

    I do not know all the specifics of Android and IOS, but I do know that on some, manually installing a CA only gets used by some thing and not all.  However if you are using a MDM solution (mobile device management) such as the one Sophos has, for some devices it can install a more system-level CA that gets used by more.  Google/Apple really want to keep normal users away from installing CAs on their devices, but recognize that company-managed devices may need company CAs installed.