Netskope Community
05-27-2021 07:57 AM - last edited on 10-28-2021 02:01 PM by kh_jenn
Since the upgrade to version 85, I started to notice that it doesn't look as if cert-pinned application exceptions recognize or apply tunnel exclusions any more. I'm opening a case with Support, but I wanted to reach out here first to see if anyone else has experienced anything similar. There is an exception for python.exe, and if I use the tunnel settings it'll bypass any connections made to those domains but attempt to intercept everything else.
For example:
python.exe > Tunnel Mode: pypi.org and pythonhosted.org
05-27-2021 09:31 AM
I'm hearing this might be related to a feature called "Enhanced Cert Pinning". Does anyone have any knowledge or documentation on this feature?
05-27-2021 02:03 PM
I believe Enhanced Cert Pinning (aka Enhanced SSL Pinned Application List feature) means that before making the decision to bypass the traffic from the specified app, the client additionally checks the domain of the traffic from the app. If the domain belongs to the same app (as per defined exception) then the bypass is allowed - otherwise it is not.
I guess this prevents a mischievous user renaming an app/process on their managed endpoint to match the app defined for bypass, and then sending traffic to some random destination.
05-28-2021 05:35 AM
Hello, have you tried "*" for the domain and then monitoring the logs?
05-28-2021 10:27 AM
OK, so I have more information now. We didn't have Enhanced Cert Pinning turned on, so we didn't have the option to edit custom domains that is highlighted, and we still had the configuration that allowed us to whitelist domain names within the tunnel mode of the advanced options, as shown in the attached screenshot. The one caveat I didn't account for is that once it's enabled you have to double back and modify all of your other custom-built cert-pinned applications. Thank you @ross and @InfoSecRich for your inputs.
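To make the behaviour described in the two replies above concrete, here is a small model of the bypass decision: an exception that matches on process name only versus one that also requires the destination domain to be on the exception's list. This is an added illustration, not Netskope client code; the rule format (`PinnedAppException` with a process name and an optional domain list), the suffix/wildcard matching rules and the sample exceptions are all assumptions made for the example.

```python
"""
Model of a cert-pinned-application bypass decision (illustration only, not
Netskope code). The rule format and matching rules are assumptions.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class PinnedAppException:
    # Process name the exception applies to, matched case-insensitively.
    process: str
    # Domains this process may reach without being steered. Empty means
    # "no domains listed", which is what a pre-existing exception looks like
    # before anyone goes back and edits it after enabling enhanced pinning.
    domains: tuple = field(default_factory=tuple)


def domain_matches(host: str, pattern: str) -> bool:
    """Match a destination host against one domain pattern.

    A plain pattern such as "pypi.org" matches the host itself and any
    subdomain; a pattern containing "*" uses shell-style wildcards, so
    "*.pythonhosted.org" matches "files.pythonhosted.org" and a bare "*"
    matches everything.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern == "*":
        return True
    if "*" in pattern:
        return fnmatch(host, pattern)
    return host == pattern or host.endswith("." + pattern)


def should_bypass(process: str, host: str, exceptions, enhanced_pinning: bool) -> bool:
    """Decide whether traffic from `process` to `host` is bypassed.

    With enhanced pinning off, a matching process name alone is enough, so a
    renamed binary calling itself python.exe is bypassed to any destination.
    With it on, the destination must also match one of the domains listed
    for that process; an exception with no domains listed bypasses nothing.
    """
    for exc in exceptions:
        if exc.process.lower() != process.lower():
            continue
        if not enhanced_pinning:
            return True
        return any(domain_matches(host, d) for d in exc.domains)
    return False


# Constructed sample exceptions: the python.exe rule from the original post,
# plus a hypothetical older rule that was created before enhanced pinning.
EXCEPTIONS = [
    PinnedAppException("python.exe", ("pypi.org", "pythonhosted.org")),
    PinnedAppException("legacyapp.exe"),
]


if __name__ == "__main__":
    for enhanced in (False, True):
        print(f"enhanced pinning = {enhanced}")
        for proc, host in [
            ("python.exe", "files.pythonhosted.org"),
            ("python.exe", "attacker.example"),   # renamed-binary case
            ("legacyapp.exe", "legacy.example"),  # rule with no domains
        ]:
            print(f"  {proc} -> {host}: bypass={should_bypass(proc, host, EXCEPTIONS, enhanced)}")
```

The `legacyapp.exe` rule is the caveat from the reply above in code form: it bypasses everything while enhanced pinning is off and nothing once it is on, until domains are added to it. Before enabling the feature, list every existing exception and decide what its domain list should be.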
06-17-2021 02:47 PM
Please work with Support/TSM to understand the required scope of change to safely enable this feature. TSMs also have more information on this feature included in the Traffic Steering/Bypass section of the VRP.