GlobalProtect doesn't connect on iOS 13 and macOS 10.15 due to "server certificate verification failed"

Created On 10/07/20 19:55 PM - Last Modified 10/26/20 23:40 PM


Symptom
  • The GlobalProtect app cannot connect on iOS and macOS devices, and the PanGPS log shows the following error messages:
Sep 24 09:54:13:879712 Info (1009): Add trusted anchors (
    "<cert(0x149f220c0) s: DPP-ROOT i: DPP-ROOT>"
)
Sep 24 09:54:13:890370 Debug(1021): Trust evaluation result {
    TrustEvaluationDate = "2020-09-24 16:54:13 +0000";
    TrustResultDetails =     (
                {
            ValidityPeriodMaximums = 0;
        },
                {
        }
    );
    TrustResultValue = 5;
}
Sep 24 09:54:13:890670 Debug(1035): Trust evaluation properties (
        {
        type = error;
        value = "Policy requirements not met."; <<<<<<<<<<<<<<<<
    }
)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2f:4b:e4:a3:00:01:00:00:00:20
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=local, DC=dpp, CN=DPP-ROOT
        Validity
            Not Before: Sep 18 05:16:05 2020 GMT
            Not After : Sep 17 05:16:05 2025 GMT<<<<<<<

Sep 24 09:54:13:892918 Error( 522): Server trust evalutaion failed: 5 <<<<<<<<<<<<<<<<<
connection: 0x149f18070, type: 2, host: [vpn.xyz.com:443], original host: [vpn.xyz.com], alwaysTrust: 0
session: <__NSURLSessionLocal: 0x149e20920> -[GPURLConnection session] <NSOperationQueue: 0x149e203e0>{name = 'NSOperationQueue 0x149e203e0'}

Sep 24 09:54:13:897415 Debug(5506): Show Gateway vpn.xyz.com: Server certificate verification failed<<<<<<<<<<<<<<<<<
Sep 24 09:54:13:897472 Info ( 266): Session <__NSURLSessionLocal: 0x149e20920> set to (null)
Sep 24 09:54:13:897534 Debug(3560): Login to gateway (null) vpn.xyz.com without ipv6
Sep 24 09:54:13:897567 Debug(5506): Show Gateway vpn.xyz.com: Could not connect to the GlobalProtect gateway. Please contact your IT administrator.
Sep 24 09:54:13:897589 Debug(3881): Failed to pre-login to the gateway vpn.xyz.com
Sep 24 09:54:13:897614 Info (2622): Failed to retrieve info for gateway vpn.xyz.com.
Sep 24 09:54:13:897638 Debug(1026): session cleanup.
Sep 24 09:54:13:897660 Debug(2633): tunnel to vpn.xyz.com is not created.
Sep 24 09:54:13:897684 Error(5547): NetworkDiscoverThread: failed to discover external network.
Sep 24 09:54:13:897709 Debug(6598): --Set state to Disconnected


Environment
  • Palo Alto Networks firewall
  • GlobalProtect infrastructure including active Subscription for iOS devices
  • iOS 13 and macOS 10.15
  • SSL/TLS service profile


Cause
  • This issue is caused by the use of a certificate that doesn't meet Apple's new requirements for TLS server certificates.


Resolution
According to Apple, all TLS server certificates must comply with these new security requirements to be trusted in iOS 13 and macOS 10.15:
  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of the certificate are no longer trusted.
Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:
  • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
  • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
Connections to TLS servers that violate these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.
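
The requirements above can be checked against a gateway certificate before it is deployed. The following is an added example, not code from Palo Alto Networks or Apple: it parses `openssl x509 -noout -text` output and reports which of the listed requirements a server certificate fails. The function names are hypothetical, the sample certificate text is constructed (validity dates and signature algorithm follow the log excerpt; key size, EKU and SAN are assumed), SAN matching is exact with no wildcard handling, and only the server certificate is checked, not the issuing CA.

```python
import re
from datetime import datetime

# Constructed sample in `openssl x509 -noout -text` layout. Validity and signature
# algorithm follow the log excerpt; key size, EKU and SAN are assumed values.
SAMPLE = """\
Certificate:
    Data:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=local, DC=dpp, CN=DPP-ROOT
        Validity
            Not Before: Sep 18 05:16:05 2020 GMT
            Not After : Sep 17 05:16:05 2025 GMT
        Subject: CN=vpn.xyz.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:vpn.xyz.com
"""

def _date(text, label):
    m = re.search(label + r"\s*:\s*(\w{3}\s+\d+ [\d:]+ \d{4}) GMT", text)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")

def apple_tls_findings(text, hostname):
    """Return the iOS 13 / macOS 10.15 requirements this certificate fails."""
    findings = []
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if re.search(r"Public Key Algorithm: rsaEncryption", text) and bits and int(bits.group(1)) < 2048:
        findings.append("RSA key smaller than 2048 bits")
    sig = re.search(r"Signature Algorithm: (\S+)", text).group(1).lower()
    if not re.search(r"sha(224|256|384|512)", sig):
        findings.append("signature hash is not SHA-2")
    san = re.search(r"Subject Alternative Name:.*\n\s*(.+)", text)
    names = re.findall(r"DNS:([^,\s]+)", san.group(1)) if san else []
    if hostname.lower() not in (n.lower() for n in names):
        findings.append("server DNS name missing from Subject Alternative Name")
    not_before, not_after = _date(text, "Not Before"), _date(text, "Not After")
    if not_before >= datetime(2019, 7, 2):  # issued after July 1, 2019
        if "TLS Web Server Authentication" not in text:  # openssl's name for id-kp-serverAuth
            findings.append("EKU lacks id-kp-serverAuth")
        if (not_after - not_before).days > 825:
            findings.append("validity period exceeds 825 days")
    return findings
```

For the sample, the only finding is the validity period: the five-year lifetime shown in the log excerpt exceeds the 825-day limit.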


Additional Information
For additional information regarding Apple's new SSL/TLS certificate requirements, please refer to the documentation provided here.
