OpenSSL and Zscaler: Getting TLS Inspection Right

The connection failed. The terminal stared back with an OpenSSL error. Zscaler was in the middle, inspecting and terminating TLS, and everything downstream broke.

When OpenSSL meets Zscaler, the details matter. Zscaler sits between the client and the internet and performs TLS inspection: it terminates the client's TLS session and presents a freshly issued certificate for the requested hostname, signed by Zscaler's own intermediate and root CA, in place of the upstream server's certificate. If OpenSSL does not trust that root, commands like openssl s_client -connect host:443 fail verification. The chain stops at depth=0 or depth=1 with verify error:num=20:unable to get local issuer certificate (or a similar unknown-issuer code), and the Verify return code is non-zero. The fix is direct: add Zscaler's root certificate to the trust store that OpenSSL actually reads.

On Debian and Ubuntu, copy the PEM file with a .crt extension into /usr/local/share/ca-certificates/ and run update-ca-certificates; on RHEL and Fedora, place it in /etc/pki/ca-trust/source/anchors/ and run update-ca-trust. Dropping the file straight into /etc/ssl/certs is not enough, because that directory is generated output, not the source of the bundle. On macOS, importing into Keychain and marking it trusted covers Safari and Apple's curl, but a Homebrew OpenSSL reads its own cert.pem under the directory that openssl version -d prints, so append the PEM there or point SSL_CERT_FILE at it. On Windows, place it in Trusted Root Certification Authorities for the system, but note that standard OpenSSL builds do not consult the Windows store; give them the file via SSL_CERT_FILE or -CAfile. After that, the openssl CLI and libraries that use the system store will validate Zscaler-issued certificates. Tools that ship their own bundle (Python's certifi, Java's cacerts, Node's built-in roots) need the root added to that bundle separately.

But Zscaler's TLS inspection changes more than trust. Because it terminates and re-originates the connection, a packet capture on the client shows TLS to the Zscaler service edge (or into the Client Connector tunnel), not to the upstream server's address. The certificate that openssl s_client prints has a subject matching the requested hostname, so hostname checks pass, but its issuer is a Zscaler CA rather than the public CA that signed the real server certificate. This is expected. Avoid false assumptions when diagnosing network issues: check the issuer with openssl x509 -noout -issuer, and confirm the actual remote host via HTTP headers or application logs.

When building software that uses OpenSSL in a Zscaler-enforced network, remember that the default CA file and directory are fixed at build time (openssl version -d shows the OPENSSLDIR a build uses), so a statically linked or vendored OpenSSL may look somewhere your distribution never populates. Either link against a build whose paths match the system store, or set SSL_CERT_FILE or SSL_CERT_DIR for the process. Container images need the certificate copied in and the bundle regenerated at image build time (on Debian-based images, copy the .crt into /usr/local/share/ca-certificates/ and run update-ca-certificates); mounting the file and setting SSL_CERT_FILE at runtime also works. CI/CD pipelines fail when build agents sit behind Zscaler but the pipeline's image or environment ignores the trust configuration, and the failure usually surfaces as a package download or git clone error rather than an obvious TLS message.
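The trust failure, the fix, the issuer check and the per-process override described above, as one runnable script. This is an added example, not code from the page, from Zscaler or from the OpenSSL project. It builds a throwaway root CA and a re-issued leaf certificate to stand in for Zscaler's inspection chain so it runs offline; the names "Zscaler Root CA (lab)" and "upstream.example.com" are made up, and the only assumption is a local openssl binary (1.1.1 or 3.x).

```sh
#!/bin/sh
# Added example (not from the page, Zscaler or OpenSSL): simulate TLS inspection
# offline with a throwaway CA, then show
#   1. the verify error OpenSSL reports when the inspection root is not trusted,
#   2. that trusting the root fixes it,
#   3. how to recognise inspection (subject still names the upstream host,
#      issuer is the inspection CA),
#   4. that OPENSSLDIR is a build-time default which SSL_CERT_FILE overrides
#      per process (the lever for CI jobs and containers).
# Assumptions: a local openssl binary (1.1.1 or 3.x). All names are stand-ins.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway root playing the role of the Zscaler root (constructed locally).
make_inspection_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Zscaler Root CA (lab)
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# The re-issued leaf a client sees through the proxy: same name and SAN as the
# upstream server, but signed by the inspection CA instead of a public CA.
make_inspected_leaf() {
  cat > "$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = upstream.example.com
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:upstream.example.com
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/leaf.cnf" -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null
}

# 1. What s_client reports under the hood when the root is unknown:
#    "error 20 at 0 depth lookup: unable to get local issuer certificate".
verify_with_default_store() {
  openssl verify "$WORK/leaf.pem" 2>&1 || true
}

# 2. The fix, per command: trust the inspection root explicitly. System-wide the
#    equivalent is update-ca-certificates (Debian) or update-ca-trust (RHEL).
verify_with_inspection_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem"
}

# 3. Recognising inspection from the certificate itself. Against a live host:
#    openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null \
#      | openssl x509 -noout -subject -issuer
cert_subject() { openssl x509 -noout -subject -in "$WORK/leaf.pem"; }
cert_issuer()  { openssl x509 -noout -issuer  -in "$WORK/leaf.pem"; }
is_inspected() {
  case "$(cert_issuer)" in
    *Zscaler*) return 0 ;;
    *)         return 1 ;;
  esac
}

# 4. Build-time default location versus a per-process override. Export
#    SSL_CERT_FILE (or SSL_CERT_DIR) in the CI job or container environment when
#    you cannot, or should not, modify the image's system store.
compiled_in_dir() { openssl version -d; }   # prints e.g. OPENSSLDIR: "/usr/lib/ssl"
verify_via_env_override() {
  SSL_CERT_FILE="$WORK/ca.pem" openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
}

make_inspection_ca
make_inspected_leaf
echo "--- default store:";    verify_with_default_store
echo "--- with -CAfile:";     verify_with_inspection_ca
echo "--- subject / issuer:"; cert_subject; cert_issuer
is_inspected && echo "TLS inspection detected: issuer is the inspection CA"
echo "--- $(compiled_in_dir)"
verify_via_env_override && echo "SSL_CERT_FILE override: OK"
```

The first verify fails with error 20 because nothing in the default store chains to the lab root; the second succeeds because the root is supplied; the subject/issuer pair is the tell for inspection; and the last step shows the same leaf verifying with no system change at all, which is what a CI job or container entrypoint should rely on.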

Performance also matters. Zscaler adds a hop and a second TLS handshake, so connection setup takes slightly longer. OpenSSL itself has no handshake timer for TLS over TCP; timeouts live at the socket and application layer, so set them there with the added latency in mind, especially in systems with strict SLA windows. Use non-blocking sockets where the design calls for them, handle SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE correctly, and retry transient connection failures with bounded backoff. Certificate verification failures are not transient: treat them as hard errors, and never disable verification to make a Zscaler network "work".

Secure networking is nothing without understanding the tools in play. OpenSSL and Zscaler can work together flawlessly if you configure them with precision and account for inspection layers. Get the trust chain right, read every error, and you’ll keep both security and uptime intact.

See it live in minutes at hoop.dev and simplify your secure network workflows now.