My challenges with TLS/SSL Inspection

Question

Hi there, 
 I am using v18 EAP2 now for a few weeks at home (best lab :D) and have some weird happenings. 
 
 1. I am using Google home speakers, which have trouble connecting/answering questions every now and then, only working after asking twice. After building an exception for all speakers it is working again. It is hard to troubleshoot, as all SSL errors were fixed and no other security features are enabled in the firewall policy rule. 
 2. I am using Threema, a secure instant messaging client on mobile phones. This one is unknown via app control, so there is no catergory and therefore no way to build an exception for it. As there are no URLs communicated for it I am not able to except anything - Fun fact: Threema is working with messaging and stuff, but sending pictures is not possible. After switching wifi off the file is send immediately. Same here: No other Security Features are enabled. In SSL/TLS log you see a connection to blobp-upload.threema.ch. I added it to my Local exception list but it is still not working. How to troubleshoot it further? 
 
 Regards Stefan

RichBaldry · Answer

One area that we are not yet where we want to be is in reporting connection failures that happen when a client does not (or can not) have the XG Firewall's re-signing CA file installed. These are currently reported as successes in the SSL/TLS log, because the failure is actually caused by the client rejecting the certificate, not by some error or problem on the firewall. We are hoping to improve this significantly, but this will most likely not come until a refresh to our EAP3 release. 
 In general, though, it is almost always going to be best to exclude IOT devices from SSL/TLS decryption completely, unless you happen to have a device that allows you to install additional CA certificates. If it cannot trust an external signing certificate, then it will never successfully accept decrypted connections - not just from XG Firewall, but from any SSL inspection product.