  1. #1
    Newbie
    Join Date
    Sep 2019
    Posts
    5

    Question Snapchat Stories ..

    I am having issues with allowing this. Maybe it's an SSL inspector issue and I am going to simply have to give up trying to allow this through, but I am getting the following error:

    0 ABANDONED Client SSL decrypt exception: Received fatal alert: certificate_unknown CERT:1515C41211BFECCE8E742F036FE5918F9845E568

    Is there a way to apply an allow to that cert, rather than trying to firefight the ever-changing IP address it's coming from? These certificates change a little less.

    I have tried to create rules in the SSL inspector under the certificate subject, Issuer and SNI Host Name, but cannot work out how to add a rule that ignores that particular certificate issue.

    Any advice gratefully received

  2. #2
    Untangler
    Join Date
    Aug 2016
    Posts
    59

    Do you have your trusted root certificate installed?

  3. #3
    Newbie
    Join Date
    Sep 2019
    Posts
    5

    On the device, yes.

    But on the SSL Inspector page, it says the Server Certificate Verification is missing from the network IP addresses (I have a couple to separate some devices).

    I have tried to reinstall the root certificate in the SSL Configuration screen and it has it listed under the trusted Certificates on the page and is valid until 2039.

    I have both Client and Server Connections TLSv1/1.1 & 2 checked.

    I haven't checked the 'Trust All Service Certificates' box as I'm not sure how wise that would be?

    *Edited to update the facts
    Last edited by dippydolittle; 10-05-2019 at 04:22 PM.

  4. #4
    Newbie
    Join Date
    Sep 2019
    Posts
    5

    I have resolved the issue with the missing certification in the SSL inspectors, HTTP setting (I had the Untangled Cert checked under the HTTPS in the certificates tab and not the Server Generate one. This then removed the error).

    I have checked the device and removed any certificate and reinstalled the certificate from the untangled server.

    This error is also appearing when using the eBay App too, so maybe it's not a Snapchat thing, maybe more an Android App issue?

    Last edited by dippydolittle; 10-06-2019 at 04:37 AM.

  5. #5
    Untangler
    Join Date
    Aug 2016
    Posts
    59

    Some apps have hard coded certs too, in which case SSL inspector can't do its job.

  6. #6
    Newbie
    Join Date
    Sep 2019
    Posts
    5

    Originally posted by skearton:
    "Some apps have hard coded certs too, in which case SSL inspector can't do its job."

    Indeed, I read up on the Facebook issue people were having with the app and SSL from a few years ago, but this didn't seem to show as a symptom.

    But it does unfortunately appear to be the case and will make this feature (SSL Inspector) redundant on my home setup.

    Which kind of means that this firewall (and others will have the same issue) so not sure what to do apart from just disable the SSL inspector altogether and just hope / blacklist / web-filter the traffic away from the dodgy stuff.

    Enabling SSL Inspector removes the ability to use the app, but disabling it allows it. And although I'd love to say tough to the teenagers in the house, even using the eBay app causes this issue. So I don't have that as an option.

  7. #7
    Master Untangler
    Join Date
    Mar 2017
    Posts
    184

    Don't get yourself into the enable/disable scenario.

    I've got a rack for my wife and another for the kids. Each of them has got a sub-rack for mobile devices in which I configure the SSL inspector to ignore traffic based on Certificate Subject and SNI Host Name. This lets me use the Inspector for apps that don't use certificate pinning and lets them use the ones that do.

    Web Filter and Application Control step in, then, to try enforcing the overall rules.
    Happily untangling the average household: 20-25 active devices, 13 racks, each with 3 - 8 apps, OpenVPN 1 in, IPSec 1 road-warrior, TunnelVPN 3 out, IPS on. Spice it up with VLANs and mix with tons of rules.
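
A triage helper for the situation in this thread, added here as an example (not posted by any participant and not Untangle's own code): it counts the `CERT:` values on ABANDONED lines shaped like the one in post #1 where the client sent a certificate-rejection alert, so repeat offenders can be looked up and given an ignore rule as post #7 describes. The function names, the `min_hits` threshold and the alert set are assumptions; every sample line other than the one quoted in post #1 is constructed.

```python
import re
from collections import Counter

# Shape of the event text quoted in post #1. The meaning of the leading
# number is not stated in the thread, so it is not interpreted here.
LINE_RE = re.compile(
    r"ABANDONED\s+Client SSL decrypt exception:\s+"
    r"Received fatal alert:\s+(?P<alert>\w+)\s+CERT:(?P<fp>[0-9A-Fa-f]{40})\b"
)

# Standard TLS alert names a client sends when it rejects the certificate it
# was shown (assumption: these are the ones worth treating as pinning or
# trust failures; other alerts are ignored).
CERT_REJECT_ALERTS = {"certificate_unknown", "bad_certificate", "unknown_ca"}

# Constructed sample: the first line is the one from post #1, the rest are
# made up in the same shape for illustration.
SAMPLE_LOG = """\
0 ABANDONED Client SSL decrypt exception: Received fatal alert: certificate_unknown CERT:1515C41211BFECCE8E742F036FE5918F9845E568
0 ABANDONED Client SSL decrypt exception: Received fatal alert: certificate_unknown CERT:1515C41211BFECCE8E742F036FE5918F9845E568
0 ABANDONED Client SSL decrypt exception: Received fatal alert: certificate_unknown CERT:1515c41211bfecce8e742f036fe5918f9845e568
0 ABANDONED Client SSL decrypt exception: Received fatal alert: certificate_unknown CERT:0123456789ABCDEF0123456789ABCDEF01234567
0 ABANDONED Client SSL decrypt exception: Received fatal alert: handshake_failure CERT:FEDCBA9876543210FEDCBA9876543210FEDCBA98
unrelated line that does not match
"""


def rejected_certs(log_text):
    """Count client certificate-rejection alerts per CERT value (upper-cased)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("alert") in CERT_REJECT_ALERTS:
            counts[m.group("fp").upper()] += 1
    return counts


def bypass_candidates(log_text, min_hits=2):
    """CERT values rejected at least min_hits times, most frequent first."""
    return [fp for fp, n in rejected_certs(log_text).most_common() if n >= min_hits]


if __name__ == "__main__":
    for fp, n in rejected_certs(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {fp}")
    print("candidates for an ignore rule:", bypass_candidates(SAMPLE_LOG))
```

A value that keeps recurring after the root certificate is confirmed installed on the device points at an app that pins its certificate; a one-off is more likely a transient failure.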
