SRX


SSL Proxy and apple devices and certificate pinning

  • 1.  SSL Proxy and apple devices and certificate pinning

    Posted 01-10-2022 06:34
    Good morning,

    We have a customer that is having a lot of issues with SSL proxy. Juniper first said it was a hardware issue, so we replaced the tin for testing but ended up having the same issue. It looks like that issue is now resolved by disabling the Google Safe Search feature, which took 12 months to work out with JTAC. We have another issue now with SSL proxy inspection. The customer has a lot of Apple Macs. SSL proxy seems to be working fine for web pages but not Apple updates. I was hoping to use application firewall to create a bypass rule before hitting the SSL rule in policy to allow this traffic, but I think since the traffic is encrypted with SSL the application rule won't work. I think the issue relates to certificate pinning, which Apple uses to stop man-in-the-middle attacks.
    With the SRX not allowing DNS wildcard domains, how do you handle CDN traffic that's encrypted? Is there a dynamic address list for Apple CDNs I can simply load?
    Thanks, Steve

    ------------------------------
    Steven Waite
    ------------------------------
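Added example (not part of the original post or of any Juniper documentation): one way to keep pinned Apple update traffic out of the SSL proxy is to exempt the update hosts from the forward-proxy profile rather than trying to match them with an application-firewall rule. The exemption is evaluated by the SSL proxy itself, so it works even though the payload is encrypted. Everything below is assumed for illustration: the zone names `trust`/`untrust`, the profile name `ssl-inspect-profile`, the CA `ssl-inspect-ca`, the address names, and the `whitelist` keyword as used in Junos releases current in 2022 (later releases rename it). The hostnames are the publicly documented Apple software-update hosts, but they change over time and must be checked against Apple's current published list before use.

```junos
## Added example, not from the original thread. All names are placeholders.

## 1. Address-book entries for the Apple update hosts (dns-name entries are
##    resolved by the SRX; wildcard hostnames are not supported, so each host
##    that Apple publishes has to be listed explicitly and kept up to date).
set security address-book global address apple-mesu dns-name mesu.apple.com
set security address-book global address apple-swdist dns-name swdist.apple.com
set security address-book global address apple-swcdn dns-name swcdn.apple.com
set security address-book global address apple-updates-cdn dns-name updates.cdn-apple.com

## 2. Group them so the exemption is a single, auditable object.
set security address-book global address-set apple-update-bypass address apple-mesu
set security address-book global address-set apple-update-bypass address apple-swdist
set security address-book global address-set apple-update-bypass address apple-swcdn
set security address-book global address-set apple-update-bypass address apple-updates-cdn

## 3. Forward-proxy profile: sessions whose destination is in the address set
##    are passed through uninspected, so the client sees Apple's real
##    certificate and its pin check succeeds. Everything else is still
##    re-signed with the inspection CA.
set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
set services ssl proxy profile ssl-inspect-profile whitelist apple-update-bypass
set services ssl proxy profile ssl-inspect-profile actions log all

## 4. The policy that applies the profile is unchanged; the bypass lives
##    inside the profile, not in a separate rule ahead of it.
set security policies from-zone trust to-zone untrust policy inspect-https match source-address any
set security policies from-zone trust to-zone untrust policy inspect-https match destination-address any
set security policies from-zone trust to-zone untrust policy inspect-https match application junos-https
set security policies from-zone trust to-zone untrust policy inspect-https then permit application-services ssl-proxy profile-name ssl-inspect-profile
```

The trade-off is visibility: anything in the exempt set is not decrypted, so its traffic is only visible at the IP/port and (if logging is enabled) SNI level. Keeping the list narrow, logging the exempted sessions, and reviewing Apple's published host list at each change is what keeps the exemption from quietly growing into a blanket bypass.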