macOS update fails on WSS Agent despite SSL interception bypass enabled

Article ID: 411564

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access the internet via Cloud SWG using WSS Agent on macOS and Windows.

Software updates fail for macOS users: the device reports that the system is up to date when there is an update to apply.

An application bypass exists to work around a similar issue, but the Cloud SWG admin does not want to use it.

Environment

Cloud SWG.

macOS.

WSS Agent.

UPE managed Cloud SWG tenant.

Cause

One of the Apple domains sent back a server certificate with a non-matching server name. Per tenant policy, the SSL handshake was torn down.

Resolution

Ignore certificate validation errors for the gdmf.apple.com domain using the following CPL:

url.domain=gdmf.apple.com server.certificate.validate(no)

Additional Information

From the Symdiag PCAPs, we could see that one TLS session to an Apple domain at the time of the problem failed as shown below:

Tracking this session on the Cloud SWG proxy logs for this session, one could see the

2465.475 ERROR   SSLW 20A4E3ABB00 (8B400E64): Server certificate validation error for 'gdmf-ados.apple.com': PEXID_UNSET (reason: Untrusted SSL server certificate)
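
To see which server names are failing validation before exempting any of them, the log line above can be grouped by name and reason. This is an added example, not Broadcom code: the field layout is inferred from that single line, the function names are hypothetical, and every sample line except the first is constructed.

```python
import re

# Field layout inferred from the one proxy log line quoted in this article
# (assumption): <seconds> ERROR SSLW <hex> (<hex>): <message>.
# The two hex values are treated as opaque identifiers.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+ERROR\s+SSLW\s+(?P<obj>[0-9A-F]+)\s+\((?P<ref>[0-9A-F]+)\):\s+"
    r"Server certificate validation error for '(?P<name>[^']+)':\s+"
    r"(?P<code>\S+)\s+\(reason:\s*(?P<reason>[^)]*)\)\s*$"
)

# First line is the one from the article; the other three are constructed.
SAMPLE = [
    "2465.475 ERROR   SSLW 20A4E3ABB00 (8B400E64): Server certificate validation error for 'gdmf-ados.apple.com': PEXID_UNSET (reason: Untrusted SSL server certificate)",
    "2471.102 ERROR   SSLW 20A4E3ABC10 (8B400E71): Server certificate validation error for 'gdmf-ados.apple.com': PEXID_UNSET (reason: Untrusted SSL server certificate)",
    "2480.310 ERROR   SSLW 20A4E3ABD20 (8B400E90): Server certificate validation error for 'updates.example.test': PEXID_UNSET (reason: Untrusted SSL server certificate)",
    "2481.000 INFO    SSLW 20A4E3ABD20 (8B400E90): constructed non-error line",
]

def in_domain(name, domain):
    """True if name is the domain itself or a subdomain (match on a label boundary)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def summarize(lines, parent_domain):
    """Group certificate validation errors under parent_domain by server name."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not in_domain(m["name"], parent_domain):
            continue  # not a validation error, or outside the domain of interest
        ts = float(m["ts"])
        entry = report.setdefault(m["name"].lower(), {
            "count": 0, "reasons": set(), "refs": set(), "first": ts, "last": ts})
        entry["count"] += 1
        entry["reasons"].add(m["reason"])
        entry["refs"].add(m["ref"])
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return report

if __name__ == "__main__":
    for name, e in summarize(SAMPLE, "apple.com").items():
        print(name, e["count"], sorted(e["reasons"]), e["first"], e["last"])
```

Reviewing the per-name counts and reasons keeps the validation exemption limited to the names that actually fail, rather than a wider parent domain.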