search cancel

Unable to upload MacOS logs to Apple Support with WSS Agent active

book

Article ID: 254252

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

The MacOS team are unable to upload logs to Apple support.

Users can login to Apple site, select file to upload but get an upload status failed almost immediately.

No clear error message indicating why upload has failed - just that it failed.

Has been working previously and no changes made to host.

WSS Agent 8.1.1 running on the macOS host.

 

Environment

MacOS 12.6

WSS Agent 8.1.1

Cause

Possible issue with HTTP headers injected by WSS.

Resolution

Added SSL interception bypass for gnv.apple.com.

This avoided any inspection by proxy which could add HTTP headers or apply policies that could have triggered this.

Assuming that backend changes were performed on Apple side that triggered this issue.

Additional Information

Grabbed Symdiag and HAR file from workstation when the issue appears.

The HAR file is very useful in terms of events triggered during upload. The user tried to upload a file dummy2.txt … this is done through a CORS enabled webapp as we can see REST calls being made. It is these REST calls that are not working normally. From screenshot below

- Packet 99 is the initial upload of the file
- Packet 100 and 101 are repeated over and over again
   - 100 is a POST request that includes the filename, which fails to get a response – this is key. The "x-geneva-server-error" response header reports "Invalid pre-flight call. Access-Control-Request-Method required". We know from the request that the access-control-request-method included the POST method!
   - 101 looks like a CORS pre-flight request that fails to get any response back
- Packet 108 is the eventual upload error after multiple CORS pre-flight requests fail.

The PCAPs from Symdiag clearly shows the connection to gnv.apple.com was created and data was exchanged in both directions. We could also see that it was SSL inspected, thereby adding potential headers that could impact this or maybe dropping requests per policy.

 

Attachments