Global Protect doesn't connect in iOS 13 and macOS 10.15 due to" server certificate verification failed"

44132

Created On 10/07/20 19:55 PM - Last Modified 10/26/20 23:40 PM

GlobalProtect Gateway

Certificate Management

Mobile Users

GlobalProtect

Symptom

Not able to connect the GlobalProtect App in iOS device and macOS, receiving below error messages in PanGPS log,

Sep 24 09:54:13:879712 Info (1009): Add trusted anchors (

"<cert(0x149f220c0) s: DPP-ROOT i: DPP-ROOT>"
)
Sep 24 09:54:13:890370 Debug(1021): Trust evaluation result {
TrustEvaluationDate = "2020-09-24 16:54:13 +0000";
TrustResultDetails = (
{
ValidityPeriodMaximums = 0;
},
{
}
);
TrustResultValue = 5;
}
Sep 24 09:54:13:890670 Debug(1035): Trust evaluation properties (
{
type = error;
value = "Policy requirements not met."; <<<<<<<<<<<<<<<<
}
)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2f:4b:e4:a3:00:01:00:00:00:20
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=local, DC=dpp, CN=DPP-ROOT
Validity
Not Before: Sep 18 05:16:05 2020 GMT
Not After : Sep 17 05:16:05 2025 GMT<<<<<<<

Sep 24 09:54:13:892918 Error( 522): Server trust evalutaion failed: 5 <<<<<<<<<<<<<<<<<
connection: 0x149f18070, type: 2, host: [vpn.xyz.com:443], original host: [vpn.xyz.com], alwaysTrust: 0
session: <__NSURLSessionLocal: 0x149e20920> -[GPURLConnection session] <NSOperationQueue: 0x149e203e0>{name = 'NSOperationQueue 0x149e203e0'}

Sep 24 09:54:13:897415 Debug(5506): Show Gateway vpn.xyz.com: Server certificate verification failed<<<<<<<<<<<<<<<<<
Sep 24 09:54:13:897472 Info ( 266): Session <__NSURLSessionLocal: 0x149e20920> set to (null)
Sep 24 09:54:13:897534 Debug(3560): Login to gateway (null) vpn.xyz.com without ipv6
Sep 24 09:54:13:897567 Debug(5506): Show Gateway vpn.xyz.com: Could not connect to the GlobalProtect gateway. Please contact your IT administrator.
Sep 24 09:54:13:897589 Debug(3881): Failed to pre-login to the gateway vpn.xyz.com
Sep 24 09:54:13:897614 Info (2622): Failed to retrieve info for gateway vpn.xyz.com.
Sep 24 09:54:13:897638 Debug(1026): session cleanup.
Sep 24 09:54:13:897660 Debug(2633): tunnel to vpn.xyz.com is not created.
Sep 24 09:54:13:897684 Error(5547): NetworkDiscoverThread: failed to discover external network.
Sep 24 09:54:13:897709 Debug(6598): --Set state to Disconnected

Environment

Palo Alto Networks firewall
GlobalProtect infrastructure including active Subscription for iOS devices
iOS 13 and macOS 10.15
SSL/TLS service profile

Cause

This issue is caused by the use of a certificate that doesn't meet the Apple's new requirements for TLS server certificates.

Resolution

As per Apple, all TLS server certificates must comply with these new security requirements for the trust certificate in iOS 13 and macOS 10.15.

TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of the certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019(as indicated in the NotBefore field of the certificate) must follow their guidelines:

TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificates)

Connections to TLS servers violating these new requirements will fail and may cause network failures, app to fail, and websites to not load in safari in iOS 13 and macOS 10.15.

Additional Information