Spark and Webproxy with HTTPS inspection

Hi all.

We have a Webproxy that does HTTPS inspection, which means that all web traffic goes through it, and by the time it returns to my computer the certificates are re-issued by our proxy.

This is causing SSL negotiation to fail for Spark.

Here is an excerpt from the log:

2016-01-06 10:51:02,087 ERROR [28] Certificate.CertificateValidator - SSL cert chain for original host locus-a.wbx2.com eventual host locus-a.wbx2.com does not match pinned cert

2016-01-06 10:51:02,088 ERROR [28] Api.WdmClient - error from host locus-a.wbx2.com, message The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

2016-01-06 10:51:02,088 ERROR [28] Api.ApiWrapper - CheckIfOnline failed, trying again in 60000ms.

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

The way I see it I have 2 options:

1. have our proxy bypass all connections to ciscospark.com

This could work, but I am afraid that it would only work for Spark in the browser, because in the client's log file I see that it is a different address than ciscospark.com.

2. Spark must ignore the certificate issues.

Am I correct?

Any advice would be much appreciated.

-alex

2 Replies

davebro2
Level 1

Hi Alex,

Your assessment is correct. To be clear, what's going on is that the non-browser Spark clients have implemented certificate pinning as a security measure to prevent a man-in-the-middle attack.

Because disabling pinning would leave us vulnerable security-wise, the recommended configuration of a proxy is not to modify HTTPS traffic to the following domains:

*.wbx2.com

identity.webex.com

idbroker.webex.com

If there is a need to inspect content, Spark is developing a governance and compliance tool that allows an enterprise customer to inspect data for policy compliance of their org.

Dave
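The following script is an added example (it is not Cisco's or Spark's code) that ties the two halves of this thread together: it scans a Spark client log for the CertificateValidator "does not match pinned cert" errors quoted in the question, pulls out the hosts the client actually connects to (which, as Alex noticed, are not ciscospark.com), and checks each one against the proxy bypass list Dave recommends. Only the first sample log line is from the question; the other lines, the host cdn.example.invalid, and the proxy-style wildcard semantics in host_matches are constructed assumptions for the example.

```python
"""Audit a Spark client log for certificate-pinning failures and report
which of the failing hosts are covered by a proxy's HTTPS-inspection
bypass list. Added example; not Cisco's or Spark's code."""
import re
from typing import Dict, List, Tuple

# Domains that the accepted answer says the proxy must not inspect.
SPARK_BYPASS = ["*.wbx2.com", "identity.webex.com", "idbroker.webex.com"]

# Matches the CertificateValidator error the client logs when the chain it
# receives (e.g. one re-issued by an inspecting proxy) does not match its pin.
PIN_FAILURE = re.compile(
    r"ERROR \[\d+\] Certificate\.CertificateValidator - "
    r"SSL cert chain for original host (?P<orig>\S+) "
    r"eventual host (?P<final>\S+) does not match pinned cert"
)

# Constructed sample log: line 1 is the one quoted in the question; the
# other lines are made up to show a covered host and an uncovered one.
SAMPLE_LOG = """\
2016-01-06 10:51:02,087 ERROR [28] Certificate.CertificateValidator - SSL cert chain for original host locus-a.wbx2.com eventual host locus-a.wbx2.com does not match pinned cert
2016-01-06 10:51:02,088 ERROR [28] Api.WdmClient - error from host locus-a.wbx2.com, message The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
2016-01-06 10:51:03,101 ERROR [28] Certificate.CertificateValidator - SSL cert chain for original host idbroker.webex.com eventual host idbroker.webex.com does not match pinned cert
2016-01-06 10:51:04,250 ERROR [28] Certificate.CertificateValidator - SSL cert chain for original host cdn.example.invalid eventual host cdn.example.invalid does not match pinned cert
"""


def parse_pin_failures(log_text: str) -> List[Tuple[str, str]]:
    """Return (original_host, eventual_host) for every pin failure in the log."""
    failures = []
    for line in log_text.splitlines():
        match = PIN_FAILURE.search(line)
        if match:
            failures.append((match.group("orig"), match.group("final")))
    return failures


def host_matches(host: str, pattern: str) -> bool:
    """Proxy-style match (assumed semantics): '*.wbx2.com' covers any
    subdomain of wbx2.com, but not wbx2.com itself and not look-alikes
    such as 'evilwbx2.com'; a pattern without a wildcard must match
    exactly. Comparison is case-insensitive and ignores a trailing dot."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keeps the leading dot
    return host == pattern


def is_bypassed(host: str, bypass: List[str]) -> bool:
    """True if any bypass entry covers the host."""
    return any(host_matches(host, p) for p in bypass)


def audit(log_text: str, bypass: List[str]) -> Dict[str, bool]:
    """Map each host that failed pinning to whether the bypass list covers it.
    Both the original and the eventual host are checked, because the proxy
    sees whichever name the client finally connects to."""
    result: Dict[str, bool] = {}
    for orig, final in parse_pin_failures(log_text):
        for host in (orig, final):
            result[host] = is_bypassed(host, bypass)
    return result


if __name__ == "__main__":
    for host, covered in audit(SAMPLE_LOG, SPARK_BYPASS).items():
        state = "bypassed" if covered else "STILL INSPECTED - add to bypass list"
        print(f"{host}: {state}")
```

Run it against a real client log by replacing SAMPLE_LOG with the file contents; any host reported as still inspected is one the proxy is re-issuing certificates for, and the pin failures will continue until it is added to the bypass (splice) list.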

Hey.

Getting those domains bypassed in our proxy did the trick!

Thanks