
Since the upgrade to version 85, I started to notice it doesn't look as if cert pinned application exceptions recognize or apply tunnel exclusions any more. I'm opening a case with Support, but I wanted to reach out here to see if anyone else experienced anything similar first. There is an exception for python.exe, and if I use the tunnel settings it'll bypass any connections made to those domains but attempt to intercept everything else.

For Example:

Python.exe > Tunnel Mode: pypi.org and Pythonhosted.org 


I'm hearing this might be related to a feature called "Enhanced Cert Pinning". Does anyone have any knowledge or documentation on this feature?


I believe Enhanced Cert Pinning (aka Enhanced SSL Pinned Application List feature) means that before making the decision to bypass the traffic from the specified app, the client additionally checks the domain of the traffic from the app. If the domain belongs to the same app (as per defined exception) then the bypass is allowed - otherwise it is not.

I guess this prevents a mischievous user renaming an app/process on their managed endpoint to match the app defined for bypass, and then sending traffic to some random destination.


Hello, have you tried the "*" for the domain and then monitoring the logs?
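A small model of the bypass decision as ross describes it (process must match and the destination must be one of the domains defined for that exception), contrasted with a process-name-only bypass, and with the "*" suggestion above treated as "any domain". This is an added illustration, not Netskope client code; the suffix-matching rule, the wildcard meaning and the sample exception list are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class PinnedAppException:
    """One cert-pinned application exception: a process name plus the
    destination domains it is allowed to reach without interception."""
    process: str
    domains: set[str] = field(default_factory=set)

# Constructed sample matching the thread's python.exe example; not a real tenant config.
EXCEPTIONS = [PinnedAppException("python.exe", {"pypi.org", "pythonhosted.org"})]
WILDCARD_EXCEPTIONS = [PinnedAppException("python.exe", {"*"})]  # assumed "any domain"

def domain_allowed(host: str, allowed: set[str]) -> bool:
    """True if host equals an allowed domain or is a subdomain of one.
    The leading '.' in the suffix test stops 'notpypi.org' matching 'pypi.org'."""
    host = host.lower().rstrip(".")
    for d in allowed:
        d = d.lower()
        if d == "*" or host == d or host.endswith("." + d):
            return True
    return False

def process_only_decision(process: str, host: str, exceptions) -> str:
    """Bypass on process name alone: the case a renamed binary could abuse."""
    for exc in exceptions:
        if exc.process.lower() == process.lower():
            return "bypass"
    return "intercept"

def enhanced_decision(process: str, host: str, exceptions) -> str:
    """Bypass only when the process matches AND the destination is one of
    the domains listed for that exception; everything else is intercepted."""
    for exc in exceptions:
        if exc.process.lower() == process.lower():
            return "bypass" if domain_allowed(host, exc.domains) else "intercept"
    return "intercept"

def audit_line(process: str, host: str, exceptions) -> str:
    """Log-style record for comparing both models while monitoring."""
    return (f"proc={process} host={host} "
            f"process_only={process_only_decision(process, host, exceptions)} "
            f"enhanced={enhanced_decision(process, host, exceptions)}")

if __name__ == "__main__":
    for proc, host in [("python.exe", "files.pythonhosted.org"),
                       ("python.exe", "notpypi.org"),
                       ("python.exe", "evil.example")]:
        print(audit_line(proc, host, EXCEPTIONS))
```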


OK, so I have more information now. We didn't have Enhanced Cert Pinning turned on, so we didn't have the option to edit custom domains that is highlighted, and we still had the configuration that allowed us to do the whitelisting of domain names within the tunnel mode of the advanced options, as shown in the screenshot attached. The one caveat I didn't account for is that once it's enabled you have to double back and modify all of your other custom-built cert pinned applications. Thank you @ross and @InfoSecRich for your inputs.

Please work with Support/TSM to understand the required scope of change to safely enable this feature. TSMs also have more information on this feature included in the Traffic Steering/Bypass section of the VRP.