  1. #1
    Master Untangler
    Join Date
    May 2010
    Posts
    369

    Default How to tell why SSL sessions abandoned

    I've been increasing the amount of SSL traffic I'm inspecting.

    On android phones many apps hard code the certificate in the app, thus making SSL inspection fail with an unknown certificate error, thus making the app not work.

    What is the best way to tell what specific IGNORE rule you need to put in to make some of that app traffic work correctly?

    I've guessed well on a few of them and made them work, but I assume there is a more scientific way to determine what the ignore rule should be instead of just guessing...

    Jason

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,341

    Default

    The detail column will give more details.

    It's almost always abandoned because the client abandoned the session (usually because it doesn't trust the CA).

    Just look at the reports and see which sessions are abandoned and why.
    Either add the cert to the app or device, or if the app doesn't support 3rd party CAs then just add an ignore rule.
    Repeat and look at reports again.

    To look at the cert just visit the IP in your browser and look at it to see how you should craft the rule.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Master Untangler
    Join Date
    May 2010
    Posts
    369

    Default

    Yes, it is always one of two things:

    Received fatal alert: certificate_unknown
    Received fatal alert: unknown_ca


    But that doesn't really show what the IGNORE should be to bypass that traffic from SSL inspection. Is there another report field that gives the address or name that should be added to the IGNORE rule?

    In the end this may be more trouble than it is worth for phones. On my personal phone I've found >10 apps already in 15 minutes that I have to ignore traffic on.

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,341

    Default

    certificate_unknown and unknown_ca are the same thing.
    That's what the client says when it doesn't trust the CA (because it's unknown).

    Yes, that's why it's off by default, and when you turn it on the default setup is to only inspect certain SSL traffic.
    It depends on your goals. If you want to enforce safe search and monitor YouTube, then there is no reason to inspect Dropbox and Wells Fargo.

    https://wiki.untangle.com/index.php/HTTPS
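The two alerts quoted above are the client telling the inspector, in plain TLS, that it rejected the substituted certificate, and the name the app asked for is already in the ClientHello it sent a moment earlier. The following is an added example, not Untangle code and not a field in its reports: it decodes a TLS alert record, pulls the server_name (SNI) out of a ClientHello, and uses those two to suggest what an ignore rule should match. The byte strings are constructed inline with a small builder rather than taken from a real capture, and the host name, IP address and function names are illustrative.

```python
import struct
from typing import Optional, Tuple

# TLS AlertDescription values from RFC 5246 section 7.2.2. Only the
# certificate-related ones are listed; anything else is reported by number.
ALERT_DESCRIPTIONS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# Alerts that mean "the client does not trust the certificate you gave it",
# i.e. the inspection CA is not installed or the app pins its own cert.
TRUST_ALERTS = {"certificate_unknown", "unknown_ca", "bad_certificate"}


def parse_alert(record: bytes) -> Tuple[str, str]:
    """Decode a TLS alert record (content type 0x15) into (level, description)."""
    if len(record) < 7 or record[0] != 0x15:
        raise ValueError("not a TLS alert record")
    level, desc = record[5], record[6]
    level_name = {1: "warning", 2: "fatal"}.get(level, f"level_{level}")
    return level_name, ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host name from a ClientHello's server_name extension, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9            # record header (5) + handshake type (1) + handshake length (3)
    p += 2 + 32      # client_version + random
    p += 1 + record[p]                                   # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher_suites
    p += 1 + record[p]                                   # compression_methods
    if p >= len(record):
        return None  # no extensions block at all (old or minimal clients)
    ext_total = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_total
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        body = record[p:p + ext_len]
        p += ext_len
        if ext_type == 0x0000:                           # server_name
            # list length (2) | name_type (1) | name length (2) | name
            name_type = body[2]
            name_len = struct.unpack("!H", body[3:5])[0]
            if name_type == 0:                           # host_name
                return body[5:5 + name_len].decode("ascii")
    return None


def suggest_ignore_target(client_hello: bytes, alert: bytes, dst_ip: str) -> Optional[str]:
    """Suggest what an ignore rule should match for an abandoned session.

    Returns None when the alert is not a trust failure (nothing to bypass),
    the SNI when the client sent one, otherwise the destination IP.
    """
    _level, desc = parse_alert(alert)
    if desc not in TRUST_ALERTS:
        return None
    return parse_sni(client_hello) or dst_ip


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record. Sample input only, not a capture."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (
        b"\x03\x03" + bytes(32)                 # client_version, zeroed random
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
        + b"\x01\x00"                           # compression: null only
    )
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed alert records: level 2 (fatal), description 48 and 46.
FATAL_UNKNOWN_CA = b"\x15\x03\x03\x00\x02\x02\x30"
FATAL_CERT_UNKNOWN = b"\x15\x03\x03\x00\x02\x02\x2e"
# A warning-level close_notify (0) for contrast: not a trust failure.
WARNING_CLOSE_NOTIFY = b"\x15\x03\x03\x00\x02\x01\x00"

if __name__ == "__main__":
    hello = build_client_hello("api.example-app.test")   # illustrative name
    print(parse_alert(FATAL_UNKNOWN_CA))
    print(suggest_ignore_target(hello, FATAL_UNKNOWN_CA, "198.51.100.7"))
    print(suggest_ignore_target(build_client_hello(None), FATAL_CERT_UNKNOWN, "198.51.100.7"))
```

The SNI is the right thing to put in an ignore rule when it is present, because that is the name the app actually asked for and the name the inspector would have to forge a certificate for. When an app sends no SNI, the destination IP is all you have, which is the case where looking at the server's own certificate (as suggested above) tells you which name or wildcard the rule should cover.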

  5. #5
    Master Untangler
    Join Date
    May 2010
    Posts
    369

    Default

    I have been doing partial inspection for a long time, but always wondered what I was missing by only selectively inspecting.

    So as a test/learning experience I thought I would try full inspection, and only ignore traffic as needed. I made a separate rack and just put 2 clients in it for testing.

    For desktops it seems doable, in general. Although I bet windows app store apps will have similar hard coded certificate issues.

    So many apps on phones use hard coded certificates that it looks to be a lot of admin overhead. It would be a lot easier if it was easier to make IGNORE rules in SSL inspector from the reports page... Something like an 'ignore this traffic' button.

    And then, of course, on phones they can just switch to mobile data and do whatever they want to anyway...

    Sent from my SM-G955U using Tapatalk
    Last edited by JasonJoel; 05-02-2017 at 10:14 AM.

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    16,341

    Default

    You're not really "missing" much.
    Unless you have a specific reason I wouldn't recommend it.

    Usually those reasons are that you run a school and you can't just block sites outright and need to block specific content within those sites. For example, it's not OK to just block Wikipedia; you need to be able to block specific content within Wikipedia, as there is a lot of suspect content on Wikipedia.

    It also allows for better reporting and better virus scanning, but these benefits are minor relative to the headaches, especially considering it's just an extra layer of antivirus when the client can easily scan any content as it's written to disk anyway.

  7. #7
    Master Untangler
    Join Date
    May 2010
    Posts
    369

    Default

    That makes sense. After my playing around this week, I have to agree.

    Sent from my SM-G955U using Tapatalk
