Hi! I’m trying to find the best way of verifying that a domain is not being SSL inspected and I am confused by the results of my current method.
First I add the exception via a URL category, save, push changes. After I browse to the domain, e.g. https://cloud.google.com, I check the certificate presented by the URL bar. No Zscaler cert, so it’s working, right? However, when I use openssl I get different results:
    openssl s_client -showcerts -connect cloud.google.com:443
    CONNECTED(00000005)
    depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscloud.net), emailAddress = firstname.lastname@example.org
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
       i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscloud.net) (t)
Why is this happening and what are your best methods of verifying that an SSL inspection exception is working?
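
The check in the post, reading the issuer of chain entry 0 in `openssl s_client` output, can be scripted. The following is an added example, not part of the original post: the function names are hypothetical, the two sample outputs are constructed (the first modelled on the output above), and `check_host` passes `-servername` so the handshake carries the same SNI a browser would send.

```shell
#!/bin/sh
# Added example: classify a TLS connection by who issued the leaf certificate.

# Print the issuer of chain entry 0 from s_client output on stdin.
# Accepts the old (i:/C=US/...) and the newer (i:C = US, ...) name formats.
leaf_issuer() {
    awk '
        /^Certificate chain/        { in_chain = 1; next }
        in_chain && /^ *0 s:/       { leaf = 1; next }
        in_chain && leaf && /^ *i:/ { sub(/^ *i:/, ""); print; exit }
    '
}

# Print "inspected" if the leaf issuer contains the proxy CA string
# ($1, default "Zscaler"), "direct" if not, "unknown" if no chain was seen.
inspection_status() {
    pattern=${1:-Zscaler}
    issuer=$(leaf_issuer)
    if [ -z "$issuer" ]; then echo unknown; return 0; fi
    case $issuer in
        *"$pattern"*) echo inspected ;;
        *)            echo direct ;;
    esac
}

# Live check: explicit SNI, stdin closed so s_client exits after the handshake.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        inspection_status "${2:-Zscaler}"
}

# Constructed sample: leaf re-signed by the proxy CA (old name format).
sample_inspected() { cat <<'EOF'
CONNECTED(00000005)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
   i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscloud.net) (t)
EOF
}

# Constructed sample: leaf issued by a placeholder public CA (new name format).
sample_direct() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.google.com
   i:C = US, O = Example Public CA, CN = Example Issuing CA 1
EOF
}
```

Run `check_host cloud.google.com` from the affected client after the policy push, and compare the result with the issuer shown in the browser.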