Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Deftone
New Contributor

Created on ‎08-18-2013 07:04 AM

SSL inspection and AppStore

I have some problems with SSL inspection and Apple Appstore. I enabled webfiltering and also enabled SSL inspection to filter some unwanted sites. I imported SSL Proxy certificate on the ipad and mac and everything is working fine exept the App Store. When I try to connect to the App Store I get a connection Error. More people having this problem?
12896
0 Kudos
5 REPLIES 5
daveywavey
New Contributor

Created on ‎09-29-2013 01:23 PM

I am also experiencing this problem. Only with FortiOS 5.0.4
Forti OS 4.0: FLG_100B-v400-build0705 (4.3.7) FWF_80CM-v400-build0665 (4.3.15) Forti OS 5.0: FWF_90D-v500-build0228 (5.0.3)
Forti OS 4.0: FLG_100B-v400-build0705 (4.3.7) FWF_80CM-v400-build0665 (4.3.15) Forti OS 5.0: FWF_90D-v500-build0228 (5.0.3)
3758
0 Kudos
Bromont_FTNT
Staff
Staff

Created on ‎09-29-2013 07:12 PM

If you look at the 5.0.4 release notes you' ll see that the SSL inspection behaviour has changed... In 5.0.4 if you have " scan encrypted connection" checked then it will actually do the man-in-the-middle attack for SSL inspection.... When it comes to the iTunes/App store the application is looking for a specific certificate so loading the SSL Proxy into the trusted certificate store does not suffice... the site needs to be exempted.
3758
0 Kudos
Wayne11
Contributor

Created on ‎10-01-2013 03:54 AM

Glad to know, but how can I figure out which sites needs to be exempted? Is the only one way to wait until my users report it for each site they can' t use anymore? Where' s the difference between a normal SSL encrypted site and those? It' s hard to use the SSL inspection feature if every third page still has some troubles with it. It was much easier to block EXE files and some websites through SSL traffic in 4.x compared with 5 now
3757
0 Kudos
SMabille
Contributor

Created on ‎10-04-2013 12:04 AM

The issue with AppStore being that the sever (AppStore) does some client certificate validation. As you can' t upload your root CA for Apple to trust, you can' t have any SSL interception.
3757
0 Kudos
William_Moore
New Contributor
In response to SMabille

Created on ‎02-18-2016 02:00 PM

This is how I got it working for me when I turned on SSL and deep packet. I opened up a ticket with support and this is what the told me and it 100% worked.

"

Please create an FQDN address object for "*.apple.com" and configured it under Exempt from SSL Inspection > Addresses for your SSL deep inspection profile (deep-inspection). Please have it tested. If the issue still persists, please add the following FQDN to the exemption SSL list: * itunes.apple.com s.mzstatic.com *.appstore.com 

 

"

3757
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.