SSL inspection and AppStore
I have some problems with SSL inspection and Apple Appstore.
I enabled webfiltering and also enabled SSL inspection to filter some unwanted sites.
I imported the SSL Proxy certificate on the iPad and Mac and everything is working fine except the App Store. When I try to connect to the App Store I get a connection error. Are more people having this problem?
5 REPLIES 5
I am also experiencing this problem. Only with FortiOS 5.0.4
Forti OS 4.0:
FLG_100B-v400-build0705 (4.3.7)
FWF_80CM-v400-build0665 (4.3.15)
Forti OS 5.0:
FWF_90D-v500-build0228 (5.0.3)
If you look at the 5.0.4 release notes you'll see that the SSL inspection behaviour has changed... In 5.0.4 if you have "scan encrypted connection" checked then it will actually do the man-in-the-middle attack for SSL inspection....
When it comes to the iTunes/App store the application is looking for a specific certificate so loading the SSL Proxy into the trusted certificate store does not suffice... the site needs to be exempted.
Glad to know, but how can I figure out which sites need to be exempted? Is the only way to wait until my users report each site they can't use anymore? What's the difference between a normal SSL encrypted site and those?
It's hard to use the SSL inspection feature if every third page still has some trouble with it.
It was much easier to block EXE files and some websites through SSL traffic in 4.x compared with 5 now.

The issue with AppStore is that the server (AppStore) does some client certificate validation.
As you can't upload your root CA for Apple to trust, you can't have any SSL interception.
This is how I got it working for me when I turned on SSL and deep packet. I opened up a ticket with support and this is what they told me and it 100% worked.
"Please create an FQDN address object for "*.apple.com" and configure it under Exempt from SSL Inspection > Addresses for your SSL deep inspection profile (deep-inspection). Please have it tested. If the issue still persists, please add the following FQDN to the exemption SSL list: * itunes.apple.com s.mzstatic.com *.appstore.com"
