Kindle for Mac app is unable to connect to Amazon using WSS or ProxySG
Last Updated March 24, 2018
The problem occurs only on macOS; it does not occur with the Kindle app for Windows.
Error: Unable to connect. Please check your network settings and proxy configuration
Tested version of macOS: 10.12.6
Kindle for Mac version: 1.20.0 (47032)
Tested version of Microsoft Windows: Windows 10 Pro, Build 15063.rs2_release.170317-1834
Kindle for Windows version: 1.20.1 (47037)
The problem can occur when using Unified Agent in Cloud mode
SSL interception is ENABLED
The Kindle app for macOS fails through the Web Security Service (WSS) or a ProxySG appliance for the following reasons:
The Kindle app does not honor the macOS proxy settings and tries to connect directly to amazon.com. If the router or firewall does not allow the workstation direct access to the Internet, the request fails. This behavior was observed whether the configured proxy was a local proxy or a remote proxy (proxy.threatpulse.net:8080).
If the Mac is behind a transparent proxy deployment (such as Unified Agent in Cloud mode, an IPsec tunnel to WSS, or a ProxySG deployed transparently inline, for example with WCCP), then when the application sends its Client Key Exchange, Change Cipher Spec, and Encrypted Handshake Message, it also sends an RFC 5077 TLS New Session Ticket. As of this writing (October 3, 2017), the most current version of SGOS is 6.7.2 and the most recent version of WSS is 184.108.40.206, and neither supports RFC 5077 new session tickets. When the response comes back from the proxy without the new session ticket information, the Kindle application for Mac ACKs the packet and then FINs the connection. The result is the error above, or content that cannot be synced.
For WSS: Add amazon.com to the SSL bypass list. This will allow the TLS new session tickets to go through and allow the application to work.
For SGOS: Add amazon.com to an SSL exemption. Same reason applies as for WSS.
Note: Since the Amazon Kindle app for Windows works, you can use that instead of the app for macOS. Please contact Amazon and request that the Kindle app for Mac work without RFC 5077 support from upstream SSL proxies.
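To confirm from a packet capture whether the response reaching the Mac carries the RFC 5077 NewSessionTicket message (handshake type 4), before and after adding the bypass or exemption, the cleartext part of the handshake can be walked as below. This is an added example, not code from the vendor or from Amazon; it assumes a TLS 1.2 handshake and that the server-to-client bytes have already been reassembled from the capture, and every function name and sample byte string in it is constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20          # TLS record content types
NAMES = {2: "server_hello", 4: "new_session_ticket", 11: "certificate",
         12: "server_key_exchange", 14: "server_hello_done"}

def cleartext_handshake_types(stream: bytes) -> list:
    """Handshake messages one peer sent before its ChangeCipherSpec."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record")
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            break                                # records after this are encrypted
        if ctype == HANDSHAKE:
            buf += payload                       # messages may share or span records
    names, i = [], 0
    while i + 4 <= len(buf):
        mlen = int.from_bytes(buf[i + 1:i + 4], "big")
        if i + 4 + mlen > len(buf):
            raise ValueError("truncated handshake message")
        names.append(NAMES.get(buf[i], f"type_{buf[i]}"))
        i += 4 + mlen
    return names

def server_issued_ticket(stream: bytes) -> bool:
    return "new_session_ticket" in cleartext_handshake_types(stream)

# --- constructed sample data, not taken from a real capture ---
def hs_msg(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

HELLO_FLIGHT = hs_msg(2, bytes(38)) + hs_msg(11, bytes(3)) + hs_msg(14)
# NewSessionTicket body: 4-byte lifetime hint, 2-byte length, opaque ticket
TICKET_MSG = hs_msg(4, (7200).to_bytes(4, "big") + (16).to_bytes(2, "big") + bytes(16))
TAIL = record(CHANGE_CIPHER_SPEC, b"\x01") + record(HANDSHAKE, bytes(40))  # encrypted Finished

BYPASSED = record(HANDSHAKE, HELLO_FLIGHT) + record(HANDSHAKE, TICKET_MSG) + TAIL
INTERCEPTED = record(HANDSHAKE, HELLO_FLIGHT) + TAIL

if __name__ == "__main__":
    for label, stream in (("bypassed", BYPASSED), ("intercepted", INTERCEPTED)):
        print(label, cleartext_handshake_types(stream), server_issued_ticket(stream))
```

A stream for which `server_issued_ticket` returns False while SSL interception is active, and True once amazon.com is bypassed or exempted, matches the behavior described above.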