Users access internet sites via WSS without issues using WSS Agents.
A group of developers needs to package and download some dependent installation packages through the Maven repository for coding.
When downloading certain packages, they get an error message that "transfer failed for http://maven.aliyun.com" as shown below:
Disabling the WSS Agent allows everything to complete successfully.
Apache Maven web development tool.
WSS Agent.
Certificate pinning problem with client application.
Added an SSL inspection bypass for multiple Maven domains to allow the upload to complete on hosts with the WSS Agent enabled.
We started with the obvious domain reported in the message (maven.aliyun.com), but the issue remained. After gathering data with Symdiag, we found another domain with which the client failed to complete an SSL handshake. Adding the domain archiva-maven-storage-prod.oss-cn-beijing.aliyuncs.com to the SSL inspection bypass list allowed the download to succeed.
Symdiag is a key tool for certificate pinning issues because it can capture the in-tunnel PCAP that contains all the web sessions from the WSS Agent. After capturing the Symdiag data while the issue is replicated, the Symdiag viewer can be used to view the contents of the debug files. Navigate to the Viewer section and open the WssaInTunnelTrace.pcap file to view all TCP traffic into WSS at the time the issue happens.
With certificate pinning issues, we typically look out for failed SSL handshakes. In the above case the PCAP showed the following Fatal SSL error for one of the maven domains. This allowed us to determine which domains to add to the SSL inspection bypass list to avoid the issue.
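The search for failed handshakes described above can be scripted when the capture holds many sessions. The following is an added example, not part of the original article or of Symdiag: it assumes the in-tunnel PCAP has been exported and read with tshark into tab-separated fields, and the function name, the sample rows and the alert values in them are constructed for illustration.

```python
r"""Correlate ClientHello SNI with fatal TLS alerts, per TCP stream.

Input: tab-separated rows, assumed to come from tshark run on the exported capture:
  tshark -r WssaInTunnelTrace.pcap \
    -Y "tls.handshake.extensions_server_name || tls.alert_message.level" \
    -T fields -e tcp.stream -e tls.handshake.extensions_server_name \
    -e tls.alert_message.level -e tls.alert_message.desc
"""
from collections import defaultdict

FATAL = "2"  # TLS alert level: 1 = warning, 2 = fatal
# Alert descriptions a client typically sends when it rejects the presented certificate.
CERT_ALERTS = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}

# Constructed sample rows (stream, SNI, alert level, alert description).
# The alert values are illustrative, not the ones from the article's capture.
SAMPLE = """\
3\tmaven.aliyun.com\t\t
3\t\t2\t48
4\tarchiva-maven-storage-prod.oss-cn-beijing.aliyuncs.com\t\t
4\t\t2\t46
5\trepo.example.test\t\t
6\tcdn.example.test\t\t
6\t\t1\t0
"""

def bypass_candidates(rows):
    """Return {server name: {alert names}} for streams that saw a fatal TLS alert."""
    sni_by_stream = {}
    hits = defaultdict(set)
    for line in rows.splitlines():
        stream, sni, level, desc = (line.split("\t") + [""] * 4)[:4]
        if sni:
            sni_by_stream.setdefault(stream, sni)  # first ClientHello names the stream
        # tshark joins several alerts carried in one frame with commas
        for lv, ds in zip(level.split(","), desc.split(",")):
            lv, ds = lv.strip(), ds.strip()
            if lv == FATAL and ds.isdigit():
                host = sni_by_stream.get(stream, f"<no SNI, stream {stream}>")
                hits[host].add(CERT_ALERTS.get(int(ds), f"alert_{ds}"))
    return dict(hits)

if __name__ == "__main__":
    for host, alerts in sorted(bypass_candidates(SAMPLE).items()):
        print(f"{host}: fatal {', '.join(sorted(alerts))}")
```

Streams that end in a warning-level alert or complete normally are not reported, so the output is a short list of host names to review before adding them to the SSL inspection bypass list. When a handshake is negotiated with TLS 1.3 the alert may be encrypted and will not appear in these fields.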