This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

iOS MAIL app HTTPS decryption exception

Hello Everyone,

From my experience so far, it looks like most of iOS apps whether 3rd party or not simply don't work with SSL decryption enabled. At least Safari accepts the HTTPS signing CA.

My latest challenge is finding what I need to exempt to get iOS Mail default app to work again. Below is what appeared in web filtering log at the time I attempted to check mail when SSL decryption is disabled. I tried created exceptions for all of these but it still isn't working with SSL decryption enabled. Any ideas for those who have encountered this before?

No Decryption

2015:10:03-17:36:22 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.12" dstip="184.51.0.41" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (No Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6463" request="0xe8e3000" url="init-p01st.push.apple.com/.../x-apple-plist"

2015:10:03-17:36:23 *** httpproxy[14760]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.12" dstip="" user="" ad_domain="" statuscode="502" cached="0" profile="REF_HttProContaInterNetwo (No Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2507" request="0xa00f000" url="courier.push.apple.com/" referer="" error="Host not found" authtime="0" dnstime="199191" cattime="41715" avscantime="0" fullreqtime="472953" device="0" auth="0" ua="" exceptions="av,ssl"
2015:10:03-17:36:26 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.12" dstip="17.151.236.37" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (No Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5319" request="0xb073000" url="p18-keyvalueservice.icloud.com/" referer="" error="" authtime="0" dnstime="8" cattime="297" avscantime="0" fullreqtime="422287" device="0" auth="0" ua="" exceptions="" category="170" reputation="trusted" categoryname="Personal Network Storage"
2015:10:03-17:36:28 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.12" dstip="17.151.236.37" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (No Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5319" request="0xca42800" url="p18-keyvalueservice.icloud.com/" referer="" error="" authtime="0" dnstime="7" cattime="360" avscantime="0" fullreqtime="281168" device="0" auth="0" ua="" exceptions="" category="170" reputation="trusted" categoryname="Personal Network Storage"
2015:10:03-17:36:51 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.12" dstip="17.173.254.14" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (No Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5538" request="0xc9c9000" url="service.gc.apple.com/" referer="" error="" authtime="0" dnstime="26569" cattime="30587" avscantime="0" fullreqtime="31208286" device="0" auth="0" ua="" exceptions="av,ssl"
2015:10:03-17:36:52 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.12" dstip="17.173.254.14" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (No Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2371" request="0xe71eb800" url="service.gc.apple.com/" referer="" error="" authtime="0" dnstime="7" cattime="317" avscantime="0" fullreqtime="31667619" device="0" auth="0" ua="" exceptions="av,ssl"
2015:10:03-17:37:06 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.12" dstip="17.151.236.37" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (No Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6544" request="0xd15d800" url="p18-keyvalueservice.icloud.com/" referer="" error="" authtime="0" dnstime="684" cattime="294" avscantime="0" fullreqtime="251610" device="0" auth="0" ua="" exceptions="" category="170" reputation="trusted" categoryname="Personal Network Storage"
2015:10:03-17:37:40 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.12" dstip="17.151.230.4" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (No Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4014" request="0xd51a800" url="guzzoni.apple.com/" referer="" error="" authtime="0" dnstime="8" cattime="323" avscantime="0" fullreqtime="245651" device="0" auth="0" ua="" exceptions="av,ssl"
2015:10:03-17:37:45 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.12" dstip="17.151.230.4" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (No Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="6835" request="0xa206800" url="guzzoni.apple.com/" referer="" error="" authtime="0" dnstime="63755" cattime="304" avscantime="0" fullreqtime="5251182" device="0" auth="0" ua="" exceptions="av,ssl"
2015:10:03-17:37:50 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.12" dstip="17.151.230.4" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo (No Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4014" request="0xa1b3000" url="guzzoni.apple.com/" referer="" error="" authtime="0" dnstime="8" cattime="290" avscantime="0" fullreqtime="679647" device="0" auth="0" ua="" exceptions="av,ssl"



With Decryption enabled:

2015:10:03-20:41:27 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.28.104" dstip="17.151.230.4" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4137" request="0xa379800" url="guzzoni.apple.com/" referer="" error="" authtime="0" dnstime="25943" cattime="288" avscantime="0" fullreqtime="5383013" device="0" auth="0" ua="" exceptions="av,ssl"

2015:10:03-20:41:29 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.28.104" dstip="17.151.227.29" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5322" request="0xe2158800" url="p16-keyvalueservice.icloud.com/" referer="" error="" authtime="0" dnstime="43674" cattime="300" avscantime="0" fullreqtime="268354" device="0" auth="0" ua="" exceptions="ssl" category="170" reputation="trusted" categoryname="Personal Network Storage"
2015:10:03-20:41:39 *** httpproxy[14760]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="172.16.28.104" dstip="" user="" ad_domain="" statuscode="502" cached="0" profile="REF_HttProContaInterNetwo2 (Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2507" request="0xce19800" url="courier.push.apple.com/" referer="" error="Host not found" authtime="0" dnstime="48937" cattime="290" avscantime="0" fullreqtime="307143" device="0" auth="0" ua="" exceptions="av,ssl"
2015:10:03-20:41:42 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.28.104" dstip="17.151.227.29" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5321" request="0xc7bb800" url="p16-keyvalueservice.icloud.com/" referer="" error="" authtime="0" dnstime="7" cattime="26218" avscantime="0" fullreqtime="188056" device="0" auth="0" ua="" exceptions="ssl" category="170" reputation="trusted" categoryname="Personal Network Storage"
2015:10:03-20:41:45 *** httpproxy[14760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.16.28.104" dstip="17.151.227.80" user="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Decrypt Filter)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4174" request="0xc933800" url="p16-mailws.icloud.com/" referer="" error="" authtime="0" dnstime="7" cattime="364" avscantime="0" fullreqtime="149042" device="0" auth="0" ua="" exceptions="ssl" category="170" reputation="trusted" categoryname="Personal Network Storage"

thank you!


This thread was automatically locked due to age.
Parents
  • Hi Adderol. Thanks for the quick reply. I have gmail and yahoo mail domains within IOS mail app.

    Sophos also replied on my inquiry on this. They had a good suggestion that I could run tcpdump off the UTM to capture the traffic for the ios devices to see what may be occurring since it wasn't immediately clear. 

    They also suggested that I could use "decrypt and scan the following" from web protection > web profiles  or web filtering > HTTPS to only scan categories of interest. I originally liked the idea of scanning all traffic but this seems to be unrealistic based on what I am now learning (new at this). I'm using "decrypt and scan the following" and so far I am getting by with the compromises [:)]

    Thanks again for your help!
Reply
  • Hi Adderol. Thanks for the quick reply. I have gmail and yahoo mail domains within IOS mail app.

    Sophos also replied on my inquiry on this. They had a good suggestion that I could run tcpdump off the UTM to capture the traffic for the ios devices to see what may be occurring since it wasn't immediately clear. 

    They also suggested that I could use "decrypt and scan the following" from web protection > web profiles  or web filtering > HTTPS to only scan categories of interest. I originally liked the idea of scanning all traffic but this seems to be unrealistic based on what I am now learning (new at this). I'm using "decrypt and scan the following" and so far I am getting by with the compromises [:)]

    Thanks again for your help!
Children
No Data