  #1 TheDude (Untanglit), joined Dec 2017, Missouri, 17 posts

    Google ssl whitelist / ignore rules for consumer apps

    Hello untanglers! My first post here, I have never done this with you before so please be gentle with me...

    Ok, so after beating my head against the wall and realizing I had the condition set incorrectly and everything I was testing really did not matter... I figured it out. Oh yeah, SNI Host Names also follow the Glob Matching syntax, NOT the URL matcher... So there is that too.

    I finally did some deep reading. Note the wiki has a page Rules ( wiki.untangle.com/index.php/Rules ) and Untangle Rule Syntax ( wiki.untangle.com/index.php/Untangle_Rule_Syntax ). I recommend anyone new start with just the Rules page so you know which syntax to use, or else you will just waste a bunch of time.

    This may not be a 100% correct list (they may not all be necessary) but it works. I am going to eliminate and refine later.

    So if you want to inspect Google traffic but still allow Android devices/Chrome apps through, you can use a rule to ignore the following list. It will still inspect Google traffic on your Android devices, just not the following that SSL Inspector cannot decrypt. I consolidated most of the host names so it does not have to process each individual sub domain. Anyway, I am still kind of new to this so if you see something wrong or something needs adding please let me know.

    To test this I just added an SSL Inspector rule like this...
    Edit the Inspect Google rule and add a field for IS NOT SSL Inspector:SNI Host Name and include the list (you can copy and paste this list into the field and Untangle will auto-magically put them in a single line).

    [Attachment: Capture.PNG]

    Here is the list I came up with thus far. It still inspects Google searches etc, only omitting the required services that are hard coded and end up abandoned. I plan to do this for Apple devices as well next. First I am going to go through this list and make sure that these are all 100% necessary and remove any that are not.

    *.1e100.net,
    *.googleapis.com,
    *.googleusercontent.com,
    *.gstatic.com,
    clients*.google.com,
    lh*.ggpht.com,
    gstatic.com,
    accounts.google.com,
    accounts.google.us,
    accounts.youtube.com,
    cros-omahaproxy.appspot.com,
    dl.google.com,
    dl-ssl.google.com,
    gweb-gettingstartedguide.appspot.com,
    m.google.com,
    omahaproxy.appspot.com,
    pack.google.com,
    safebrowsing-cache.google.com,
    safebrowsing.google.com,
    tools.google.com,
    chrome.google.com,
    mtalk.google.com,
    connectivitycheck.android.com

    More to come...
    Last edited by TheDude; 01-22-2018 at 03:03 PM.

  #2 TheDude (Untanglit), joined Dec 2017, Missouri, 17 posts


    OP updated with my stupidity removed. It's there if anyone cares and IT WORKS!

  #3 jcoehoorn (Untangle Ninja), joined Mar 2010, York, NE, 1,878 posts


    FWIW, the 1e100.net domain is used for supporting data. In my experience, things don't talk to 1e100.net until they've first talked to some other primary domain. This means you don't really need to care about that traffic, as long as you are able to correctly categorize and then block or pass the earlier primary domain.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  #4 TheDude (Untanglit), joined Dec 2017, Missouri, 17 posts


    Sure enough. Removing *.1e100.net does not cause any abandoned errors. Had the rule upside down in the OP. Did this and it is good to go! Tried to change the OP so there is no bad info in it but I guess they lock after a while.

    [Attachment: Capture.PNG]
    Last edited by TheDude; 01-22-2018 at 08:51 PM.

  #5 Mainia (Untangler), joined Dec 2015, 48 posts


    I would like to see your Apple list too.

  #6 TheDude (Untanglit), joined Dec 2017, Missouri, 17 posts


    > Originally Posted by Mainia:
    > I would like to see your Apple list too.

    Sure man! I have been having some licensing issues (2 licenses for SSL Inspector?) and they may have been messing with my inspection :/ At least that's what I hope, because I have been going crazy trying to figure out why this is not consistently working properly. That's why the OP and a follow up post had bad info in it, I believe. It would work, then it wouldn't, so I would try something different and it would work and then it wouldn't. It's so strange, I can disable a rule and connect an Android device to the network, re-enable the rule and then the rule works fine. Disconnect and reconnect the device and then the rule stops working. Anyway I have a ticket open with support and I think they will get it straightened out soon.

    Once I am certain my Untangle is functioning properly I will post up the list for Apple and a refined one for Android.

  #7 docfuz (Master Untangler), joined Mar 2017, 189 posts


    Inspired by the OP, I added some vhosts that seem to be required by my Android 8 devices. Please note that these are simply pasted from the certificates:

    android.clients.google.com,
    *.appspot-preview.com,
    *.appspot.com,
    *.thinkwithgoogle.com,
    *.withgoogle.com,
    *.withyoutube.com,
    appspot-preview.com,
    appspot.com,
    thinkwithgoogle.com,
    withgoogle.com,
    withyoutube.com,
    *.googlevideo.com,
    *.a1.googlevideo.com,
    *.c.doc-0-0-sj.sj.googleusercontent.com,
    *.googlezip.net,
    *.gvt1.com,
    *.offline-maps.gvt1.com,
    *.xn--ngstr-lra8j.com,
    xn--ngstr-lra8j.com

    Without these, the Play Store will not function consistently. It is my (current) opinion that if the first bunch of apps the Play Store app loads on the first page contains developer-supplied videos instead of screenshots only, the app will connect to the googlevideo vhosts. The same thing may happen on the updates page. That's why I saw it going through only sometimes yesterday evening. Now it seems to be stable.
    Last edited by docfuz; 01-24-2018 at 02:15 AM.
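    The two lists above (the OP's in #1 and docfuz's additions in #7) are matched by Untangle as globs against the SNI host name, not as URLs. The following Python is an added example, not Untangle's code, that models that matching so you can see why bare entries such as gstatic.com sit next to *.gstatic.com and why android.clients.google.com is not covered by clients*.google.com. It assumes the usual glob semantics (`*` matches any run of characters including dots, `?` one character, whole-name match, case-insensitive) and an assumed `*google*` pattern for the Inspect Google rule; the lists are trimmed copies of what the thread posted.

```python
import re

# Constructed from the thread: OP's ignore list with *.1e100.net dropped
# (per jcoehoorn's note), trimmed to the entries exercised below.
OP_IGNORE = [
    "*.googleapis.com", "*.googleusercontent.com", "*.gstatic.com",
    "clients*.google.com", "lh*.ggpht.com", "gstatic.com",
    "accounts.google.com", "dl.google.com", "mtalk.google.com",
    "connectivitycheck.android.com",
]
# Subset of docfuz's additions from post #7.
DOCFUZ_EXTRA = ["android.clients.google.com", "*.googlevideo.com", "*.gvt1.com"]

# Assumed pattern for the stock "Inspect Google" rule (not taken from the page).
INSPECT = ["*google*"]


def glob_to_regex(pattern):
    """Assumed glob semantics: '*' = any run of characters (dots included),
    '?' = any single character, everything else literal, whole-name match."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def sni_matches(pattern, host):
    return glob_to_regex(pattern).match(host) is not None


def matches_any(patterns, host):
    return any(sni_matches(p, host) for p in patterns)


def should_inspect(sni, inspect_patterns, ignore_patterns):
    """Model of the edited rule: inspect only when the SNI host name matches
    the rule's pattern AND is NOT on the ignore list (the IS NOT condition)."""
    return matches_any(inspect_patterns, sni) and not matches_any(ignore_patterns, sni)


if __name__ == "__main__":
    # Constructed sample SNI values; show the verdict with and without #7's additions.
    for host in ["www.google.com", "clients4.google.com",
                 "android.clients.google.com", "r3---sn-abc.googlevideo.com"]:
        before = "inspect" if should_inspect(host, INSPECT, OP_IGNORE) else "ignore"
        after = "inspect" if should_inspect(host, INSPECT, OP_IGNORE + DOCFUZ_EXTRA) else "ignore"
        print(f"{host:32} OP list: {before:8} OP + docfuz: {after}")
```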

  #8 TheDude (Untanglit), joined Dec 2017, Missouri, 17 posts


    > Originally Posted by docfuz:
    > Inspired by the OP, I added some vhosts that seem to be required by my Android 8 devices. Please note that these are simply pasted from the certificates:

    Right on, man! Good find. I got my system straightened out and everything is working like it should. Added your hosts and sure enough I missed those. I couldn't tell before what was working and what wasn't. But you are correct, videos etc were not being excluded from inspection in the Play Store.

    Not sure if you use GitHub or not, but I have started a list there. Feel free to commit to it.
    github.com/0o0TheDude0o0/Untangle/blob/master/SSL-Inspector-Ignore-List
