GlobalProtect doesn't connect in iOS 13 and macOS 10.15 due to "server certificate verification failed"
56707
Created On 10/07/20 19:55 PM - Last Modified 10/26/20 23:40 PM
Symptom
- Unable to connect with the GlobalProtect app on iOS devices and macOS; the following error messages appear in the PanGPS log:
Sep 24 09:54:13:879712 Info (1009): Add trusted anchors (
"<cert(0x149f220c0) s: DPP-ROOT i: DPP-ROOT>"
)
Sep 24 09:54:13:890370 Debug(1021): Trust evaluation result {
TrustEvaluationDate = "2020-09-24 16:54:13 +0000";
TrustResultDetails = (
{
ValidityPeriodMaximums = 0;
},
{
}
);
TrustResultValue = 5;
}
Sep 24 09:54:13:890670 Debug(1035): Trust evaluation properties (
{
type = error;
value = "Policy requirements not met."; <<<<<<<<<<<<<<<<
}
)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2f:4b:e4:a3:00:01:00:00:00:20
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=local, DC=dpp, CN=DPP-ROOT
Validity
Not Before: Sep 18 05:16:05 2020 GMT
Not After : Sep 17 05:16:05 2025 GMT<<<<<<<
Sep 24 09:54:13:892918 Error( 522): Server trust evalutaion failed: 5 <<<<<<<<<<<<<<<<<
connection: 0x149f18070, type: 2, host: [vpn.xyz.com:443], original host: [vpn.xyz.com], alwaysTrust: 0
session: <__NSURLSessionLocal: 0x149e20920> -[GPURLConnection session] <NSOperationQueue: 0x149e203e0>{name = 'NSOperationQueue 0x149e203e0'}
Sep 24 09:54:13:897415 Debug(5506): Show Gateway vpn.xyz.com: Server certificate verification failed<<<<<<<<<<<<<<<<<
Sep 24 09:54:13:897472 Info ( 266): Session <__NSURLSessionLocal: 0x149e20920> set to (null)
Sep 24 09:54:13:897534 Debug(3560): Login to gateway (null) vpn.xyz.com without ipv6
Sep 24 09:54:13:897567 Debug(5506): Show Gateway vpn.xyz.com: Could not connect to the GlobalProtect gateway. Please contact your IT administrator.
Sep 24 09:54:13:897589 Debug(3881): Failed to pre-login to the gateway vpn.xyz.com
Sep 24 09:54:13:897614 Info (2622): Failed to retrieve info for gateway vpn.xyz.com.
Sep 24 09:54:13:897638 Debug(1026): session cleanup.
Sep 24 09:54:13:897660 Debug(2633): tunnel to vpn.xyz.com is not created.
Sep 24 09:54:13:897684 Error(5547): NetworkDiscoverThread: failed to discover external network.
Sep 24 09:54:13:897709 Debug(6598): --Set state to Disconnected
Environment
- Palo Alto Networks firewall
- GlobalProtect infrastructure, including an active GlobalProtect subscription for iOS devices
- iOS 13 and macOS 10.15
- SSL/TLS service profile
Cause
- This issue is caused by the use of a server certificate that does not meet Apple's new requirements for TLS server certificates. In the log above, the certificate is valid from Sep 18 2020 to Sep 17 2025, a validity period of roughly five years, which exceeds the 825-day maximum; the trust evaluation therefore reports "Policy requirements not met" and the app rejects the gateway certificate.
Resolution
As per Apple, TLS server certificates must meet all of the following requirements to be trusted in iOS 13 and macOS 10.15:
- TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
- TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
- TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of the certificate are no longer trusted.
- TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
- TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
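An added example, not from this article or from Palo Alto Networks: a small Python checker that reads the text form of a certificate (as printed by `openssl x509 -in cert.pem -noout -text`, the same format shown in the log above) and reports which of the five rules it violates. The embedded sample is constructed to mirror the certificate in the log (SHA-256/RSA, 2048-bit key, five-year validity), so the only rule it trips is the 825-day limit; the `check_apple_tls_requirements` function and its messages are my own, not an Apple or GlobalProtect API.

```python
import re
from datetime import datetime
MAX_VALIDITY_DAYS, MIN_RSA_BITS = 825, 2048
TIME_FMT = "%b %d %H:%M:%S %Y %Z"   # openssl prints e.g. "Sep 18 05:16:05 2020 GMT"

# Constructed sample modelled on the `openssl x509 -text` dump in the PanGPS log above:
# SHA-256/RSA signature and a 2048-bit key, but a five-year validity period.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Sep 18 05:16:05 2020 GMT
            Not After : Sep 17 05:16:05 2025 GMT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:vpn.xyz.com
"""

def _field(pattern, text):
    """First capture group of pattern in text, or '' when the field is absent."""
    m = re.search(pattern, text)
    return m.group(1).strip() if m else ""

def check_apple_tls_requirements(cert_text, hostname):
    """Return the rules from the Resolution list that the certificate violates (empty list = passes)."""
    problems = []
    # SHA-2 family hash; matches both sha256WithRSAEncryption and ecdsa-with-SHA256
    if not re.search(r"sha(256|384|512)", _field(r"Signature Algorithm:\s*(\S+)", cert_text), re.I):
        problems.append("signature hash is not SHA-2")
    bits = _field(r"Public-Key:\s*\((\d+) bit\)", cert_text)
    if "rsaEncryption" in cert_text and (not bits or int(bits) < MIN_RSA_BITS):
        problems.append("RSA key shorter than %d bits" % MIN_RSA_BITS)
    san = _field(r"Subject Alternative Name:\s*\n\s*(.+)", cert_text)
    dns_names = [s.strip()[4:].lower() for s in san.split(",") if s.strip().startswith("DNS:")]
    if hostname.lower() not in dns_names:          # a CommonName match alone no longer counts
        problems.append("no SAN DNS entry for " + hostname)
    if "TLS Web Server Authentication" not in _field(r"Extended Key Usage:\s*\n\s*(.+)", cert_text):
        problems.append("EKU lacks id-kp-serverAuth")
    not_before = datetime.strptime(_field(r"Not Before\s*:\s*(.+)", cert_text), TIME_FMT)
    not_after = datetime.strptime(_field(r"Not After\s*:\s*(.+)", cert_text), TIME_FMT)
    days = (not_after - not_before).days
    if days > MAX_VALIDITY_DAYS:
        problems.append("validity period of %d days exceeds %d days" % (days, MAX_VALIDITY_DAYS))
    return problems
```

Run it against the gateway's own certificate with `check_apple_tls_requirements(open("cert.txt").read(), "vpn.xyz.com")`, where cert.txt holds the `openssl x509 -text` output; an empty list means the certificate satisfies all five rules.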
Additional Information
For additional information regarding Apple's new SSL/TLS certificate requirements, please refer to the documentation provided by Apple.