
"SSL connect error" during application installation if WSS Agent is active


Article ID: 253532


Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Screencast-O-Matic software cannot be installed while WSS Agent is active. When WebLaunchRecorder.exe runs, the installer tries to download content and fails with an "SSL connect error".

The software installs correctly when WSS Agent is disabled.

 

Environment

Cloud Secure Web Gateway (Cloud SWG) - formerly Web Security Service

Cause

The application has certificate pinning enabled: it expects the SSL certificate presented in the SSL handshake to be that of the origin server, not the one WSS presents when it intercepts the connection.

The installer connects to the screencast-o-matic.com domain to download further content, and it requires the original SSL certificate in order to proceed. The "SSL connect error" means that the installer does not trust the WSS certificate presented for that domain by the intercepting proxy.

This can be seen in a packet capture of WSS Agent in-tunnel traffic, where Broadcom's certificate generates a warning.
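
The pinning check described above, as an added example (not part of the original article and not Broadcom or Screencast-O-Matic code): the Python below models a pinning client and fetches the certificate a host presents, so the result can be compared with WSS Agent disabled and enabled. It assumes the pin is a SHA-256 hash of the whole leaf certificate; the function names and the sample byte strings are constructed for this example.

```python
import hashlib
import hmac
import socket
import ssl
import sys
from typing import Iterable


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins: Iterable[str]) -> bool:
    """Model of a pinning client: accept only a certificate whose hash is pinned."""
    fp = fingerprint(der)
    return any(hmac.compare_digest(fp, pin.lower()) for pin in pins)


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate presented on the current network path.

    Chain validation is disabled only so the certificate can be read even when
    it would be rejected; no application data is sent over this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def diagnose(direct_der: bytes, agent_der: bytes) -> str:
    """Compare the certificate seen with the agent disabled and enabled."""
    if pin_matches(agent_der, [fingerprint(direct_der)]):
        return "same certificate: connection is not intercepted"
    return "certificate replaced in transit: a pinning client will reject it"


# Constructed stand-ins for DER bytes, so the comparison logic runs offline.
SAMPLE_ORIGIN = b"constructed-origin-leaf-certificate"
SAMPLE_INTERCEPTED = b"constructed-interception-leaf-certificate"

if __name__ == "__main__":
    # Run once with the agent disabled and once enabled; compare the output.
    host = sys.argv[1]
    print(host, fingerprint(fetch_leaf_der(host)))
```

A fingerprint can also differ between runs because the server rotated its certificate or serves more than one, so confirm interception by reading the issuer of each certificate.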

Resolution

The domain screencast-o-matic.com needs to be bypassed from SSL interception:
1. If policies are managed in WSS Portal:
Add the following rule under "Policy > TLS/SSL Interception" and activate the policy:

2. If policies are managed via Management Center (UPE):
Add the following code to the CPL layer:
#if enforcement=wss
<ssl-intercept>
url.domain=screencast-o-matic.com ssl.forward_proxy(no)
#endif
