"SSL connect error" during application installation if WSS Agent is active
Article ID: 253532
Updated On:
Products
Issue/Introduction
Screencast-O-Matic software cannot be installed with WSS Agent active. On the WebLaunchRecorder.exe execution, the installer tries to download the content and the following error appears:
The software installs correctly when WSS Agent is disabled
Environment
Cloud Secure Web Gateway (Cloud SWG) - formerly Web Security Service
Cause
Application has certificate pinning enabled, where it expects the SSL certificate from the SSL handshake to be that of the origin server, and not the WSS intercepted one.
Installer connects to screencast-o-matic.com domain to download further content. It requires original SSL certificate in order to proceed. When the "SSL connect error" appears it means that the domain doesn't trust the WSS certificate which is intercepting the connection.
This can be seen in the packet capture when logging in-tunnel traffic of WSS Agent - Broadcom's certificate generates warning:
Resolution
Domain screencast-o-matic.com needs to be bypassed from SSL interception:
1. If policies are managed in WSS Portal:
Add the following rule into "Policy > TLS/SSL Interception" and Activate the Policy:
2. If policies are managed via Management Center (UPE):
Add the following code into CPL layer:
#if enforcement=wss
<ssl-intercept>
url.domain=screencast-o-matic.com ssl.forward_proxy(no)
#endif
Feedback
