SSL Visibility 4.x Cut Through Rules May Not Match and Get Decrypted if the Server Certificate Is Not Valid
Last Updated October 10, 2018
Cut-through rules configured in SSL Visibility 4.x that use the unsupported-sites or custom Domain Name Lists may not match. The traffic then ends up being decrypted, resulting in an error message in the SSL Session Log.
SSL Visibility 4.x does not match cut-through rules if the X.509 certificate is invalid. In some cases the sites in the unsupported-sites list are not configured to send the full certificate chain, causing the certificate to be considered invalid due to an Incomplete Chain. This results in a mismatch on the unsupported-sites entry. One such site that Symantec is aware of is courier.push.apple.com.
To successfully cut through traffic to courier.push.apple.com, do one of the following (listed in order of preference):
1. Add the Server Certificate to the Trusted Certificate List
Download the webserver certificate from the browser
Add the webserver certificate to the all-trusted-certificates list
In the global ruleset options change the Trusted Certificates list from (Not Set) to All Trusted Certificates and apply the changes
2. Create a new External Certificate Authorities list with the intermediate and root CAs
Download the Apple intermediate and root certificates from: https://www.apple.com/certificateauthority/
Add these to the imported-external-certificates-authorities list. See the SSL Visibility Appliance Administration & Deployment Guide for details
Create a new custom external certificate list called Trusted_external_imported_list and add the external certificate authorities and the individual imported certificate authorities
In the global ruleset options change the External Certificate Authorities list from Trusted External Certificate Authorities to Trusted_external_imported_list and apply the changes
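Before importing CAs under option 2, it helps to confirm that the root and intermediate set you downloaded actually completes the server certificate's chain. The following is an added example, not from the Symantec article or from SSL Visibility: it builds a constructed root/intermediate/leaf hierarchy with openssl (not Apple's real certificates; the host name courier.push.example is hypothetical) and uses openssl verify to reproduce the Incomplete Chain mismatch and show that supplying the intermediate resolves it.

```shell
#!/bin/sh
# Added example, not from the Symantec article. It reproduces the "Incomplete
# Chain" condition described above with a constructed throwaway CA hierarchy
# (root -> intermediate -> server leaf; not Apple's real certificates) and
# shows how to confirm, before changing the ruleset, that a root plus
# intermediate set actually completes a server certificate's chain.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Constructed root CA (self-signed, CA:TRUE).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
  -subj "/CN=Constructed Root CA" >/dev/null 2>&1
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
  -days 30 -out "$WORK/root.pem" >/dev/null 2>&1
# Constructed intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" \
  -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.ext" -days 30 -out "$WORK/int.pem" >/dev/null 2>&1
# Constructed server leaf, signed by the intermediate (hypothetical host name).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=courier.push.example" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -out "$WORK/leaf.pem" >/dev/null 2>&1

# chain_status LEAF TRUSTED_ROOTS [UNTRUSTED_INTERMEDIATES]
# Builds the chain the way a validator does: LEAF must chase issuers through the
# optional untrusted intermediates up to a trusted root. Prints "complete" or
# "incomplete" (the article's Incomplete Chain case) and returns 0 / 1.
chain_status() {
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  fi
  case "$out" in
    *": OK")                                     echo complete;   return 0 ;;
    *"unable to get local issuer certificate"*)  echo incomplete; return 1 ;;
    *)  echo "other verify error: $out" >&2;     return 2 ;;
  esac
}

# Only the root trusted and no intermediate available, as when a server omits
# its intermediate: the chain is incomplete and a cut-through rule will not match.
chain_status "$WORK/leaf.pem" "$WORK/root.pem" || true        # prints: incomplete
# Root trusted and the intermediate imported (the article's option 2): complete.
chain_status "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/int.pem"  # prints: complete
```

Against a live server, `openssl s_client -connect host:port -showcerts </dev/null` shows which certificates the server actually sends, so you can see whether the intermediate is missing before choosing between options 1 and 2.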