i80r
Participant

Inbound HTTPS inspection certificate chain

Hello everyone!

I recently stumbled upon a peculiar problem with inbound HTTPS inspection. We host a server, inbound traffic to which is being inspected. The server can be accessed via the web by regular browsers or by a mobile app designed specifically for this server application. Everything works as expected with regular browser connections. However, a problem arises when the mobile app tries to connect. Strictly speaking, the problem is with the Android version of the app. Sometimes the app doesn't respond to the server's TLS Hello; other times it responds with "TLSv Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)".

I did some investigating and found out that Checkpoint's inspection mechanism sends just the web certificate of the server in its Server Hello, while the server itself sends the whole certificate chain including the CA. Otherwise Checkpoint's and the server's Hello packets are nearly identical.

Checkpoint's Server Hello: [screenshot 1.png]

Original Server Hello: [screenshot 2.png]

Now the question is, is it possible to enable transmission of the whole certificate chain in HTTPS Inspection and, if yes, how can it be done?


Accepted Solutions
_Val_
Admin

When setting up inbound inspection certificate, you need to take it with the whole chain, not just intermediary CA one. 

4 Replies
i80r
Participant

Thank you _Val_!

For those who are interested in how to convert a pfx/p12 certificate to a chain, here is the solution:

https://www.computertechblog.com/create-a-pfx-file-with-a-certificate-chain/


HristoGrigorov

Strictly speaking, you should not include the CA root certificate in a chain. It is supposed to be fetched from a local trusted store. For Windows that is the Trusted Root Certificate Authorities store, and for CheckPoint that is the Trusted CAs store.

If your software *requires* CA root certificate to be included in the chain then that is kind of not correct...

0 Kudos
i80r
Participant

The software does fetch the CA from a trusted store, but apparently not all of the Android devices have the Sectigo root certificate in it.
