topic Re: Harmony SASE (perimeter 81) may break some app functionality in SASE and Remote Access

Harmony SASE (perimeter 81) may break some app functionality

Humberto_AB — Mon, 25 Mar 2024 18:29:41 GMT

Hi, I have reciently tried harmony sase while participation on a POC for a client, and while I was building the enviroment I noticed that git stopped working, while trobleshooting the issue I encountered the followin error message:

SSL certificate problem: self-signed certificate in certificate chain

also NPM(node package manager) gave me a similar issue while trying to run npm install

the way I solved this issues temporally is that I disable SSL verification on both git and npm, but I think that the issue is related on the generation of self signed certificates used for perimeter 81 functionality. has anyone had a similar issue? I have tried and installed certificates from checkpoint firewalls before and I didnt had this issue on the past. disabling ssl checks is not recomended and the ssl certificate shuld be trusted, where is the perimeter 81 cert stored? is tere something on the roadmap so this dosnt have to be manually configured on the future?

Re: Harmony SASE (perimeter 81) may break some app functionality

Humberto_AB — Tue, 26 Mar 2024 23:37:56 GMT

after further investigation I can confirm that the problem is perimeter 81, specifically the perimeter81 secure web gateway certificate, after uninstalling this certificate and stopping perimeter 81, functionality was restored as normal, is this intended? or can it be categorized as a bug?

as of now what I have tested that is affected is:

npm (node package manager): cant install any libraries unless ssl verification is disabled
git can't clone, fetch, push, pull, or interact with a repo in any way, unless ssl verification is disabled
docker cant install any libraries required to build a dockerfile unless ssl verification is disabled

in my opinion disabling ssl verification is a bad security practice alternatively the certificate culd be marked as trusted by every app but I havent tried that yet.

Re: Harmony SASE (perimeter 81) may break some app functionality

rlopes — Thu, 28 Mar 2024 02:01:13 GMT

Hi @Humberto_AB, you will likely need Bypass Rules for those:
https://support.perimeter81.com/docs/secure-web-gateway#bypass-rules

Re: Harmony SASE (perimeter 81) may break some app functionality

cryptochrome — Fri, 19 Apr 2024 17:29:15 GMT

What you are seeing is a common issue that everybody and every product faces that inspects SSL/TLS connections. While it works for most sites and apps, some of them use certificate pinning. The app will only accept a specific certificate, and when not present, refuse to connect.

To circumvent this, as others have already pointed out, those destinations need to be excempt from SSL inspection by adding them to a bypass rule.

Re: Harmony SASE (perimeter 81) may break some app functionality

Iain_K — Wed, 19 Jun 2024 04:47:55 GMT

Is there any way to see the domain that was attempted to be accessed by the application (which failed) through the P81 console? Useful for quickly adding bypass rules.

Re: Harmony SASE (perimeter 81) may break some app functionality

JamieT — Mon, 02 Sep 2024 08:19:21 GMT

Iain_K, I also think it would be very useful to have some logging available to identify where certificate pinning issues occur in the application.

As easy as the fix is, it can be an onerous task to identify the URLs which are causing issues, especially when they're called by background processes.