
Issue with IOS 13 & MAC OS 10.15 SSL Certificate Requirements for Transparent proxy

Hi All,

Apple have changed the validity requirements of certificates as detailed here:

https://support.apple.com/en-gb/HT210176

This has caused the transparent proxy on the UTM 9 to error on devices updated to iOS 13. Is there a way to configure or modify the man-in-the-middle certificate/template that is used by the UTM for automatically generated certificates to bring it into line with this new requirement?

From the quick checks I have done, it looks as though the issues are due to UTM issuing man-in-the-middle certs that are valid for 3 years, have a 1024-bit public key size and do not have the ExtendedKeyUsage extension set to TLS Web Server Authentication.

Excerpt from the above article:

All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

  • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
  • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

If anyone could point me to the location of the certificate template or mechanism of MIM certificate generation I would greatly appreciate it.

Edit: I have found a similar issue described in the XG forum. https://community.sophos.com/products/xg-firewall/f/intrusion-prevention/115171/ssl_scanning_certificate-not-accepted-under-ios-13

Many thanks,

Rax
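As an added example (not from this post or from the UTM itself), the following Python check applies the Apple rules quoted above to a certificate object using the `cryptography` library; the self-signed certificates it builds are constructed samples standing in for proxy-issued ones.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

CUTOFF = datetime(2019, 7, 1)  # EKU and 825-day rules apply to certs issued after this
SHA2 = (hashes.SHA224, hashes.SHA256, hashes.SHA384, hashes.SHA512)

def apple_tls_issues(cert: x509.Certificate) -> list:
    """Return the iOS 13 / macOS 10.15 server-certificate rules this cert violates."""
    issues = []
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < 2048:
        issues.append(f"RSA key is {key.key_size} bits, below 2048")
    if not isinstance(cert.signature_hash_algorithm, SHA2):
        issues.append("signature hash is not SHA-2")
    exts = cert.extensions
    try:
        exts.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        issues.append("no SubjectAlternativeName (CN-only names are not trusted)")
    if cert.not_valid_before > CUTOFF:  # the two post-July-2019 rules
        try:
            eku = exts.get_extension_for_class(x509.ExtendedKeyUsage).value
            if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
                issues.append("EKU present but lacks id-kp-serverAuth")
        except x509.ExtensionNotFound:
            issues.append("no ExtendedKeyUsage extension")
        if (cert.not_valid_after - cert.not_valid_before).days > 825:
            issues.append("validity period exceeds 825 days")
    return issues

def make_cert(bits, days, with_san, with_eku, start=datetime(2019, 10, 1)):
    """Constructed self-signed test certificate standing in for a proxy-issued one."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.com")])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + timedelta(days=days)))
    if with_san:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName("www.example.com")]), critical=False)
    if with_eku:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return b.sign(key, hashes.SHA256())

if __name__ == "__main__":
    # Profile described in the post (1024-bit, 3 years, no SAN, no EKU) vs. a compliant one
    print(apple_tls_issues(make_cert(1024, 3 * 365, False, False)))
    print(apple_tls_issues(make_cert(2048, 825, True, True)))
```

Point `apple_tls_issues` at a certificate loaded with `x509.load_pem_x509_certificate` to check what a proxy actually hands to a client.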



  • Hi,

    I agree: creating an external CA certificate is not the solution since it has to work out of the box! We recently upgraded our firewall (exactly for that reason: iOS devices can't access the internet) and have the same issue with hundreds of devices.

    Our goal was to solve this problem, not to manually create another certificate.
