Kindle for Mac app is unable to connect to Amazon using WSS or ProxySG

Article ID: 170224

Products

Web Security Service - WSS, SG-300, SG-600, SG-510, SG-810, SG-9000, SG-900, SG-S500, SG-S400, Secure Web Gateway Virtual Appliance, SG-S200, ProxySG Software - SGOS, SWG VA-100

Issue/Introduction

The problem occurs only on macOS; the Kindle app for Windows is not affected.
Error: Unable to connect. Please check your network settings and proxy configuration

Cause

The Kindle app for macOS fails through the Web Security Service (WSS) or a ProxySG appliance for two reasons:

  1. The Kindle app does not honor the macOS proxy settings and tries to connect directly to amazon.com. If the router or firewall does not allow the workstation direct access to the Internet, the request fails. This behavior was observed whether the configured proxy was local or remote (proxy.threatpulse.net:8080).
  2. If the Mac is in a transparent proxy deployment (Unified Agent in Cloud mode, an IPsec tunnel to WSS, or a ProxySG transparently inline such as with WCCP), then when the application sends its Client Key Exchange, Change Cipher Spec and Encrypted Handshake Message, it also requests an RFC 5077 TLS session ticket (NewSessionTicket). As of this writing (October 3, 2017), the most current version of SGOS is 6.7.2 and the most recent version of WSS is 6.10.1.4; neither supports RFC 5077 session tickets. When the proxy's response comes back without the session-ticket information, the Kindle application for Mac ACKs the packet and then FINs the connection. The result is the error above, or content that will not sync.
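The behavior in item 2 can be confirmed from a packet capture of a failing connection: the ClientHello carries the RFC 5077 SessionTicket extension (type 0x0023), but the ServerHello coming back from the intercepting proxy does not echo it and no NewSessionTicket handshake message (type 4) follows. The script below is an added example written for this article, not Broadcom or Amazon code; it parses the handshake records of a TLS 1.2 exchange and reports how session tickets were negotiated. The two server flights are constructed inline to stand in for a proxy without RFC 5077 support and for an origin that supports it; they are not captured from a Kindle session.

```python
"""Offline diagnosis of RFC 5077 session-ticket negotiation in a TLS 1.2 handshake.
Added example; the sample flights below are constructed, not captured traffic."""
import struct
from dataclasses import dataclass

HANDSHAKE = 0x16                                   # TLS record content type
CLIENT_HELLO, SERVER_HELLO, NEW_SESSION_TICKET = 1, 2, 4
EXT_SERVER_NAME = 0x0000
EXT_SESSION_TICKET = 0x0023                        # RFC 5077 "SessionTicket TLS" extension


def iter_handshake_messages(stream):
    """Yield (type, body) for each handshake message in a stream of TLS records.
    Handshake payloads are concatenated first because one message may span records."""
    payload, off = bytearray(), 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, off)
        off += 5
        if ctype == HANDSHAKE:
            payload += stream[off:off + length]
        off += length
    pos = 0
    while pos + 4 <= len(payload):
        hlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        yield payload[pos], bytes(payload[pos + 4:pos + 4 + hlen])
        pos += 4 + hlen


def hello_extensions(body, is_client):
    """Return {extension_type: data} from a ClientHello or ServerHello body."""
    pos = 2 + 32                                   # legacy version + random
    pos += 1 + body[pos]                           # session_id
    if is_client:
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
    else:
        pos += 2 + 1                               # cipher_suite + compression_method
    exts = {}
    if pos + 2 > len(body):
        return exts                                # no extensions block present
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


@dataclass
class TicketReport:
    client_offered: bool       # ClientHello carried the SessionTicket extension
    server_accepted: bool      # ServerHello echoed it (server promises a ticket)
    ticket_sent: bool          # a NewSessionTicket handshake message was seen

    def verdict(self):
        if not self.client_offered:
            return "client did not request RFC 5077 tickets"
        if self.server_accepted and self.ticket_sent:
            return "RFC 5077 honoured end to end"
        return "RFC 5077 ticket requested but not returned (proxy or server lacks support)"


def check_session_tickets(client_flight, server_flights):
    """Correlate the client's request for a ticket with what the server side returned."""
    offered = accepted = sent = False
    for htype, body in iter_handshake_messages(client_flight):
        if htype == CLIENT_HELLO:
            offered = EXT_SESSION_TICKET in hello_extensions(body, True)
    for htype, body in iter_handshake_messages(server_flights):
        if htype == SERVER_HELLO:
            accepted = EXT_SESSION_TICKET in hello_extensions(body, False)
        elif htype == NEW_SESSION_TICKET:
            sent = True
    return TicketReport(offered, accepted, sent)


# --- constructed sample flights (not a real capture) ---------------------------
def _record(body):
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body

def _msg(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def _hello(is_client, exts):
    blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"   # version, random, empty session_id
    body += b"\x00\x02\xc0\x2f\x01\x00" if is_client else b"\xc0\x2f\x00"
    return body + struct.pack("!H", len(blob)) + blob

_name = b"amazon.com"
SNI = struct.pack("!HBH", len(_name) + 3, 0, len(_name)) + _name
CLIENT_FLIGHT = _record(_msg(CLIENT_HELLO, _hello(True, [(EXT_SERVER_NAME, SNI), (EXT_SESSION_TICKET, b"")])))
# Intercepting proxy without RFC 5077: extension dropped from ServerHello, no NewSessionTicket.
PROXY_FLIGHT = _record(_msg(SERVER_HELLO, _hello(False, [])))
# Origin with RFC 5077: extension echoed, then a NewSessionTicket (lifetime hint + ticket bytes).
ORIGIN_FLIGHT = (_record(_msg(SERVER_HELLO, _hello(False, [(EXT_SESSION_TICKET, b"")])))
                 + _record(_msg(NEW_SESSION_TICKET, b"\x00\x00\x1c\x20" + b"\x00\x04" + b"\xaa" * 4)))

if __name__ == "__main__":
    print("via proxy :", check_session_tickets(CLIENT_FLIGHT, PROXY_FLIGHT).verdict())
    print("to origin :", check_session_tickets(CLIENT_FLIGHT, ORIGIN_FLIGHT).verdict())
```

To use it on real traffic, extract the raw TCP payload of the client's first segment and of the server's handshake segments from the capture and pass them to `check_session_tickets`. A live check from the workstation is also possible with OpenSSL 1.1.0 or later: `openssl s_client -connect www.amazon.com:443 -proxy <proxy-host:port>` prints a "TLS session ticket:" section in its session summary only when a ticket was actually returned through the proxy.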

Environment

Tested version of macOS: 10.12.6
Kindle for Mac version: 1.20.0 (47032)

Tested version of Microsoft Windows: Windows 10 Pro, Build 15063.rs2_release.170317-1834
Kindle for Windows version: 1.20.1 (47037)

The problem can occur when using Unified Agent in Cloud mode.
SSL interception: ENABLED

Resolution

WORKAROUND:

For WSS: Add amazon.com to the SSL bypass list. The connection is then passed through without interception, so the TLS session tickets reach the client and the application works.

For SGOS: Add amazon.com to an SSL exemption so that it is not intercepted. The same reason applies as for WSS.

Note: Since the Amazon Kindle app for Windows works, it can be used instead of the app for macOS. Please contact Amazon and request that the Kindle app for Mac work without RFC 5077 support from upstream SSL proxies.