
Inbound HTTPS inspection certificate chain

Hello everyone!

Recently stumbled upon a peculiar problem with the inbound HTTPS inspection. We host a server, inbound traffic to which is being inspected. The server can be accessed via web by regular browsers or by a mobile app designed specifically for this server application. Everything works as expected with regular browser connections. However, a problem arises when the mobile app tries to connect. Strictly speaking, the problem is with the Android version of the app. Sometimes the app doesn't respond to the server's TLS Hello; other times it responds with "TLSv Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)".

I did some investigating and found out that Check Point's inspection mechanism sends just the web certificate of the server in Server Hello, while the server itself sends the whole certificate chain including the CA. Otherwise Check Point's and the server's Hello packets are nearly identical.

Checkpoint's Server Hello:


Original Server Hello:



Now the question is, is it possible to enable transmission of the whole certificate chain in HTTPS Inspection and, if yes, how can it be done?

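The comparison described in the post above can be made repeatable by parsing the Certificate handshake message from each capture and counting the entries it carries. The following is an added example, not part of the original post or any Check Point tooling; it assumes TLS 1.2 or earlier (where the Certificate message is visible in the capture), and the function names and sample certificate bytes are constructed placeholders.

```python
HS_CERTIFICATE = 11  # TLS handshake message type: Certificate


def _u24(buf, off):
    """Read a 3-byte big-endian length field at offset off."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")


def parse_certificate_message(msg):
    """Return the certificate blobs in a TLS <= 1.2 Certificate handshake message."""
    if len(msg) < 7 or msg[0] != HS_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = _u24(msg, 1)   # length of the handshake body
    list_len = _u24(msg, 4)   # length of certificate_list
    if body_len != len(msg) - 4 or list_len != body_len - 3:
        raise ValueError("inconsistent length fields")
    certs, off = [], 7
    while off < len(msg):
        clen = _u24(msg, off)
        off += 3
        if clen == 0 or off + clen > len(msg):
            raise ValueError("certificate entry overruns message")
        certs.append(msg[off:off + clen])
        off += clen
    return certs


def chain_report(msg):
    """Summarise what the peer actually sent: entry count, sizes, leaf-only flag."""
    certs = parse_certificate_message(msg)
    return {"count": len(certs), "sizes": [len(c) for c in certs],
            "leaf_only": len(certs) == 1}


def build_certificate_message(blobs):
    """Helper for the constructed samples: wrap blobs in Certificate framing."""
    entries = b"".join(len(b).to_bytes(3, "big") + b for b in blobs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


# Constructed placeholders standing in for DER certificates (not real certificates).
LEAF, INTERMEDIATE, ROOT = b"L" * 40, b"I" * 30, b"R" * 20
INSPECTED = build_certificate_message([LEAF])                  # leaf only
ORIGIN = build_certificate_message([LEAF, INTERMEDIATE, ROOT])  # full chain

if __name__ == "__main__":
    print("inspected:", chain_report(INSPECTED))
    print("origin:   ", chain_report(ORIGIN))
```

To run it against real traffic, pass the raw bytes of the Certificate handshake message exported from each capture to `chain_report` in place of the constructed samples.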