Harmony SASE (perimeter 81) may break some app functionality

Hi, I have recently tried Harmony SASE while participating in a POC for a client, and while I was building the environment I noticed that git stopped working. While troubleshooting the issue I encountered the following error message:

SSL certificate problem: self-signed certificate in certificate chain

NPM (node package manager) also gave me a similar issue while trying to run npm install.

The way I solved these issues temporarily was to disable SSL verification on both git and npm, but I think the issue is related to the generation of self-signed certificates used for Perimeter 81 functionality. Has anyone had a similar issue? I have installed certificates from Check Point firewalls before and I didn't have this issue in the past. Disabling SSL checks is not recommended and the SSL certificate should be trusted. Where is the Perimeter 81 cert stored? Is there something on the roadmap so this doesn't have to be manually configured in the future?

Accepted solution: rlopes (Employee)

5 Replies
Humberto_AB
Explorer

After further investigation I can confirm that the problem is Perimeter 81, specifically the Perimeter 81 Secure Web Gateway certificate. After uninstalling this certificate and stopping Perimeter 81, functionality was restored as normal. Is this intended, or can it be categorized as a bug?

As of now, what I have tested that is affected is:

  • npm (node package manager): can't install any libraries unless SSL verification is disabled
  • git: can't clone, fetch, push, pull, or interact with a repo in any way unless SSL verification is disabled
  • docker: can't install any libraries required to build a Dockerfile unless SSL verification is disabled

In my opinion disabling SSL verification is a bad security practice. Alternatively, the certificate could be marked as trusted by every app, but I haven't tried that yet.

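As an added example (not code from any poster in this thread or from Perimeter 81), the script below reproduces the "self-signed certificate in certificate chain" failure offline with a locally generated stand-in for the gateway's inspection CA, then shows the same chain verifying cleanly once that CA is supplied explicitly. The CA name, the host name and the `/path/to/swg-ca.pem` path are constructed placeholders; the per-tool commands at the end assume you have exported the real Secure Web Gateway CA to a PEM file.

```shell
#!/bin/sh
# Added example, not code from the thread. A throwaway CA stands in for the
# Secure Web Gateway's inspection CA so the failure can be reproduced offline.
set -eu

WORK="${TMPDIR:-/tmp}/swg-trust-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Build the chain: a self-signed "inspection CA" (constructed) and a leaf for a
# made-up host, signed by it, much as the gateway mints one per intercepted site.
gen_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Inspection CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.invalid" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# What git/npm/docker do by default: the server presents leaf + CA, but no trust
# store contains that CA, so the chain ends in an untrusted self-signed root.
verify_without_ca() {
  if openssl verify -no-CApath -no-CAfile -untrusted "$WORK/ca.pem" \
       "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The reason openssl reports for that case (the same wording git printed).
error_reason() {
  openssl verify -no-CApath -no-CAfile -untrusted "$WORK/ca.pem" \
    "$WORK/leaf.pem" 2>&1 \
    | grep -o 'self.signed certificate in certificate chain' | head -n 1 || true
}

# The fix: trust the inspection CA explicitly instead of disabling verification.
verify_with_ca() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Per-tool settings that point at an exported copy of the real CA (path is an
# assumed placeholder). Printed rather than applied so the script does not
# touch the user's configuration.
trust_commands() {
  ca="${1:-/path/to/swg-ca.pem}"
  printf '%s\n' \
    "git config --global http.sslCAInfo $ca" \
    "npm config set cafile $ca" \
    "export NODE_EXTRA_CA_CERTS=$ca"
}

gen_chain
echo "without CA: $(verify_without_ca) ($(error_reason))"
echo "with CA:    $(verify_with_ca)"
trust_commands
```

Two caveats for the real environment. Docker builds fail for a different reason than the host tools: package installs run inside the build container, whose own trust store does not contain the gateway CA, so the CA has to be copied into the image (or the build) and registered there. And as cryptochrome notes below, an application that pins its certificate will still refuse the gateway's leaf even with the CA trusted; those destinations need a bypass rule rather than a trust-store change.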
rlopes
Employee

Hi @Humberto_AB, you will likely need Bypass Rules for those:
https://support.perimeter81.com/docs/secure-web-gateway#bypass-rules

Iain_K
Participant

Is there any way to see the domain that was attempted to be accessed by the application (which failed) through the P81 console? Useful for quickly adding bypass rules.

JamieT
Explorer

Iain_K, I also think it would be very useful to have some logging available to identify where certificate pinning issues occur in the application.

As easy as the fix is, it can be an onerous task to identify the URLs which are causing issues, especially when they're called by background processes.

cryptochrome
Collaborator

What you are seeing is a common issue that everybody and every product faces that inspects SSL/TLS connections. While it works for most sites and apps, some of them use certificate pinning. The app will only accept a specific certificate, and when it is not present, refuses to connect.

To circumvent this, as others have already pointed out, those destinations need to be exempt from SSL inspection by adding them to a bypass rule.
