# SSL Errors

**SSL inspection can sometimes cause issues and break some applications that rely on SSL encryption to function correctly. There can be different underlying reasons for breaking applications, which include certificate validation issues, hard-coded IP addresses and domains, and application-specific SSL configurations.**

Unlike other products dope.swg does not expect admins to work out what needs to be bypassed from inspection to get an application to work. At dope.security we have implemented a SSL error reporting feature. With this feature the dope.endpoint detects any application and URL that is breaking on the device. It then reports this to the dope.cloud where the admin can add the required application or URL to the bypass list with a single click.

## How does it work?

When an SSL error happens on a dope.endpoint then the endpoint will send the combination of the application and the URL affected by the error. This can then be seen as a new notification in the notification view. When there’s a new SSL error notification for an admin to view the notification will be updated to the following icon <img src="/files/grgFow1PzpopkkLGK2J4" alt="" data-size="line">.

Once the admin selects the notification icon they will get to see the notification view with the errors split into “By App” and “By Url.” This allows the admin to decide how he wants to fix the SSL problem. It is possible to bypass the entire application which means all traffic from the application would be bypassed. Or if the admin does not want to bypass the entire application they can bypass based on URL.

## By App View

Selecting the “By App” view shows a list of applications that have reported SSL errors. As well as listing the applications, it's also possible to see the URLs associated with the application’s SSL error. This visibility will help the admin decide if they should add the application or the URL(s) to the bypass list.

<figure><img src="/files/w3LfLNDJ99eI2fsRFX68" alt="" width="375"><figcaption><p>SSL Errors 'By App'</p></figcaption></figure>

{% hint style="info" %}
By hovering over the user icon it is possible to see which users have reported the issue.
{% endhint %}

### Bypassing an Application

To bypass an application, all an admin must do is select one or many applications using the checkbox.

Once an application selection is made, a button to add the application to all bypass lists will appear.

<figure><img src="/files/WNCUPDx635ZTnWxfEr7G" alt="" width="375"><figcaption><p>Bypass Application Action</p></figcaption></figure>

Selecting the “Bypass for all policies” button will add the checked application(s) to all policies in your dope.swg tenant.

Once an application is added to the Bypass list, it will no longer be seen in the notifications view unless it is removed from the Bypass list.

{% hint style="info" %}
Admins can only bypass applications from this view. They cannot bypass URLs.
{% endhint %}

## By URL View

Selecting the “By URL” view shows a list of each URL that has reported SSL errors. As well as displaying each URL, the view groups the URLs by Top Level Domain (TLD). This parent grouping allows the admin to bypass the TLD instead of each URL individually.

<figure><img src="/files/3THlytHIdb360blEV2gK" alt="" width="375"><figcaption><p>SSL Errors 'By URL'</p></figcaption></figure>

### Bypassing a URL

To bypass a TLD or an individual URL, an admin only needs to select either the TLD or the individual URL.

Once the admin makes their selection, a button to add the TLD or URL to all bypass lists will appear.

<figure><img src="/files/vzpfaG7l42VjKN55QZZI" alt="" width="375"><figcaption><p>Bypass URL Action</p></figcaption></figure>

Selecting the “Bypass for all policies” button will add the checked TLD or URL to all policies in your dope.swg tenant.

Once a URL is added to the Bypass list, it will no longer be seen in the notifications view unless it is removed from the Bypass list.

{% hint style="info" %}
Selecting the (parent) TLD will result in all its children URLs getting selected, however, only the TLD will be added to the Bypass list.
{% endhint %}

## Quick Decision Guide: App Bypass or URL Bypass?

If you are deciding how to resolve an SSL issue quickly:

* Choose **By URL** when only specific domains should bypass SSL inspection.
* Choose **By App** when the entire process/application should bypass policy inspection.

{% hint style="warning" %}
An **Allow** rule is not the same as bypass. Allowed traffic can still be inspected.\
If cert errors persist after an Allow rule, add a bypass entry instead.
{% endhint %}

{% hint style="info" %}
After adding a bypass entry, always **Save Policy** and ask users to relaunch the affected app.
{% endhint %}

{% hint style="info" %}
If an admin chooses not to act on a URL or an application, then its alert will remain in the notifications view for 14 days. After this time, they will be removed and not shown again.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://inflight.dope.security/dope.console/notifications/ssl-errors.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.