After looking more into the SSL certificate issue, I started investigating and found the problem, but we need a solution for users which have a corporate SSL certificate in the system keychain in order to performs SSL inspection. It looks like for some reason when making the connection directly from the command line without using safari, our corporate software called "Netskope" is injecting its own SSL certificate in order to do some inspection of the connection. I have a root CA for this Netskope certificate into my system keychain, but Adobe must not be using the global Mac system keychain, therefore it does not know about this certificate and therefore shows the SSL connection error. From my laptop which has Netskope installed, you can see the injected Netskope SSL certificate: # openssl s_client -connect photos.adobe.io:443 CONNECTED(00000003) depth=2 C = US, ST = California, L = Los Altos, O = netSkope Inc, OU = Cert Management, CN = caadmin.netskope.com, emailAddress = certadmin@netskope.com verify error:num=19:self signed certificate in certificate chain --- Certificate chain 0 s:/CN=*.adobe.io i:/C=US/ST=California/L=Sunnyvale/O=Juniper Networks/OU=cdd5ca3a4ab2f109a5090147a... 1 s:/C=US/ST=California/L=Sunnyvale/O=Juniper Networks/OU=cdd5ca3a4ab2f109a5090147a... i:/C=US/ST=California/L=Los Altos/O=netSkope Inc/OU=Cert Management/CN=caadmin.netskope.com/em... 2 s:/C=US/ST=California/L=Los Altos/O=netSkope Inc/OU=Cert Management/CN=caadmin.netskope.com/em... i:/C=US/ST=California/L=Los Altos/O=netSkope Inc/OU=Cert Management/CN=caadmin.netskope.com/em... --- From my Mac mini which does not have Netskope, it shows the correct SSL certificate. openssl s_client -connect photos.adobe.io:443CONNECTED(00000003) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA verify return:1 depth=0 C = US, ST = California, L = San Jose, O = Adobe Systems Incorporated, CN = adobe.io verify return:1 --- Certificate chain 0 s:/C=US/ST=California/L=San Jose/O=Adobe Systems Incorporated/CN=adobe.io i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA --- As a solution, can LR CC be enhanced to also trust other root CA in the Mac system keychain for users which require a corporate SSL forward proxy? Thanks, Christian
... View more