This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
i80r
Participant
‎2021-07-07 05:34 AM
Jump to solution

Inbound HTTPS inspection certificate chain

Hello everyone!

Recently stumbled upon a peculiar problem with the inbound HTTPS inspection. We host a server, inbound traffic to which is being inspected. The server can be accessed via web by regular browsers or by a mobile app designed specifically for this server application. Everything works as expected with regular browser connections. However, problem arises when the mobile app tries to connect. Strictly speaking, the problem is with the Android version of the app. Sometimes the app doesn't respond to Server's TLS Hello, other times it responds with "TLSv Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)"

I did some investigating and found out that Checkpoint's Inspection mechanism sends just the web certificate of the server in Server Hello, while the server itself sends the whole certificate chain including the CA. Otherwise Checkpoint's and servers' Hello packets are nearly identical.

Checkpoint's Server Hello:

1.png

Original Server Hello:

2.png

 

Now the question is, is it possible to enable transmission of the whole certificate chain in HTTPS Inspection and, if yes, how can it be done?

Labels
0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2021-07-07 06:59 AM
Jump to solution

When setting up inbound inspection certificate, you need to take it with the whole chain, not just intermediary CA one. 

View solution in original post

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2021-07-07 06:59 AM
Jump to solution

When setting up inbound inspection certificate, you need to take it with the whole chain, not just intermediary CA one. 

0 Kudos
i80r
Participant
‎2021-07-07 10:02 PM
In response to _Val_
Jump to solution

Thank you _Val_!

For those, who are interested how to convert a pfx/p12 certificate to a chain here is the solution:

https://www.computertechblog.com/create-a-pfx-file-with-a-certificate-chain/

 

HristoGrigorov
Mentor
Mentor
‎2021-07-07 10:08 PM
In response to _Val_
Jump to solution

Strictly speaking you should not include CA root certificate in a chain. It is supposed to be fetched from a local trusted store. For Windows that is Trusted Root Certificate Authorities store and for CheckPoint that is Trusted CAs store.

If your software *requires* CA root certificate to be included in the chain then that is kind of not correct...

0 Kudos
i80r
Participant
‎2021-07-07 10:12 PM
In response to HristoGrigorov
Jump to solution

The software does fetch CA from a trusted store but apparently not all of the android devices have Sectigo root certificate in it.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events