Skip to main content
DJninjaNZ
DJninjaNZ
Explorer
November 15, 2022
Solved

SSL Anomalies

  • November 15, 2022
  • 2 replies
  • 11488 views

Is it blocked or exempt? Exempt comes first then we get the ssl-anomalies

 

We are seeing new behavior in 6.4.9, for windows updates this was resolved by importing the CA. But for push.apple.com this was not resolved by importing Apple Public EV Server RSA CA 2 - G1.crt

 

2022-11-16 08_40_11-Window.png

Best answer by Cajuntank

No, I just have *.apple.com as one of the addresses in my Exempt from SSL Inspection list and that SSL security profile is tied to my normal user data policies...not doing anything special to specifically focus on the Apple network in it's own policy. I did not inquire about your certificate deployment, so not sure if you are using the built-in cert or if you did your own intermediate signed cert from your internal CA (this is how I do it). If you use Safari as your browser, it's not enough anymore to just deploy and trust the root...you also have to deploy and trust the intermediate as well. I will say that I was running 6.4.8 until recently and just updated to 7.0.8, and have run into other sites we deal with that have given me similar reporting responses like you are showing that did not need to be decrypted and have added to the exemption list with success.

2 replies

Cajuntank
Cajuntank
Esteemed Contributor III
November 16, 2022

Apple typically does not like to be SSL decrypted for the most part, so we have apple.com as one of our exclusions in our deep packet inspection profile. https://support.apple.com/en-us/HT210060 - "Attempts to perform content inspection on encrypted communications between Apple devices and services will result in a dropped connection to preserve platform security and user privacy."

DJninjaNZ
DJninjaNZAuthor
Explorer
November 16, 2022

Thank you @Cajuntank for your reply prior to the firmware upgrade of our FortiGate fleet we have had hostnames exempted for people like apple which is the exempt message. But we still get some grief still, do you exempt with a policy above the outbound all for no cert inspection?

Cajuntank
CajuntankAnswer
Esteemed Contributor III
November 16, 2022

No, I just have *.apple.com as one of the addresses in my Exempt from SSL Inspection list and that SSL security profile is tied to my normal user data policies...not doing anything special to specifically focus on the Apple network in it's own policy. I did not inquire about your certificate deployment, so not sure if you are using the built-in cert or if you did your own intermediate signed cert from your internal CA (this is how I do it). If you use Safari as your browser, it's not enough anymore to just deploy and trust the root...you also have to deploy and trust the intermediate as well. I will say that I was running 6.4.8 until recently and just updated to 7.0.8, and have run into other sites we deal with that have given me similar reporting responses like you are showing that did not need to be decrypted and have added to the exemption list with success.

Terms & ConditionsCookie settingsAccessibility statement