
SSL Proxy and apple devices and certificate pinning

  • 1.  SSL Proxy and apple devices and certificate pinning

    Posted 01-10-2022 06:34
    Good Morning

    We have a customer that is having a lot of issues with SSL proxy. Juniper first said it was a hardware issue, so we replaced the tin for testing but ended up having the same issue. It looks like that issue is now resolved by disabling the Google safe search feature, an issue which took 12 months to work out with JTAC. We have another issue now with SSL proxy inspection. The customer has a lot of Apple Macs. SSL proxy seems to be working fine for web pages but not Apple updates. I was hoping to use application firewall to create a bypass rule before hitting the SSL rule in policy to allow this traffic, but I think since the traffic is encrypted with SSL the application rule won't work. I think the issue relates to certificate pinning, which Apple uses to stop man-in-the-middle attacks.
    With the SRX not allowing for DNS wildcard domains, how do you handle CDN traffic that's encrypted? Is there a dynamic address list for Apple CDNs I can simply load?
    Thanks, Steve

    Steven Waite