This weekend we are making some policy changes relating to the SSL/TLS decryption of HTTPS websites. We will be adding a toggle for SSL/TLS decryption into the Threat Protection policy for all customers.
This new setting will determine if Endpoints not in the Early Access Program (EAP) should decrypt HTTPS websites; it will be set to Off by default.
The settings in Global Settings will remain; they serve two purposes:
1. Set exclusions either by website category or by website name
2. Enable / Disable HTTPS decryption for devices enrolled in the EAP; it is enabled by default
For all customers, the Global Settings page is where categories can be excluded from HTTPS decryption along with individual HTTPS exclusions. Customers not enrolled in the New Endpoint Protection Features EAP will not see the option to enable decryption for their devices.
For devices in the EAP, this explains the result of policy settings:
HTTPS Decrypt in Threat Protection policy
HTTPS Decrypt in Global Settings
HTTPS Decrypt Status on the Endpoint
For devices not enrolled in the EAP, when they have been migrated to the new product architecture (see https://support.sophos.com/support/s/article/KB-000043550 for details), this explains the result of policy settings:
These changes will be applied if devices are added to or removed from the EAP. If an account is enrolled to the EAP, the changes will only affect devices once they are enrolled into the program.
Cannot manage our local Sophos Firewalls with Firefox anymore since my computer joined the EAP.
Whether I connect with FQDN or IP to XG or SG, this error appears. The firewall Webadmin sites are equipped with a commercial wildcard certificate.
Firefox is using the Windows Certificates and the Sophos Endpoint CAs are in there.
It is working with Chrome and Edge. In both I can see the connection is signed by the Sophos Endpoint RSA Root.
Other SSL pages load fine with Firefox.
I can also load other internal SSL management websites with Firefox and see the new Sophos Endpoint RSA Root Cert used there.
Hi and thanks for the report. We are making some improvements to the certificate generation logic in an upcoming release that should address this issue with Firefox. The problem today starts with the fact that we regenerate our endpoint root certificates pretty regularly (usually system restarts but also a few other edge cases that also need to be addressed in that same update). That in itself isn't bad, it's actually a good security practice, but in addition when we clone a website's certificate we simply copy the serial number without changing it. That actually isn't correct, and Firefox cares about that sort of thing.
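The failure mode described in that reply, reconstructed as an added example in Go (not Sophos's code; the root and firewall names are only labels): an interception root is regenerated with a new key but the same issuer DN, the origin certificate is cloned under each root with its serial copied verbatim, and the check that a browser certificate cache applies (two different certificates must never share issuer DN and serial, which Firefox rejects) flags the pair. Drawing a fresh serial for each clone clears it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a self-signed cert with a fresh key. Calling it twice with the same
// name models the endpoint root being regenerated: new key, same issuer DN (label only).
func selfSigned(cn string, serial int64, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// cloneLeaf re-issues the origin cert under the interception root. copySerial=true is
// the defect described above (serial copied verbatim); false draws a fresh random serial.
func cloneLeaf(orig, ca *x509.Certificate, caKey *ecdsa.PrivateKey, copySerial bool) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial := orig.SerialNumber
	if !copySerial {
		serial, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: orig.Subject, NotBefore: orig.NotBefore, NotAfter: orig.NotAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// reusedIssuerSerial: two different certs that share issuer DN and serial, which Firefox rejects.
func reusedIssuerSerial(a, b *x509.Certificate) bool {
	return !a.Equal(b) && a.Issuer.String() == b.Issuer.String() && a.SerialNumber.Cmp(b.SerialNumber) == 0
}

func main() {
	origin, _ := selfSigned("firewall.example.internal", 0x1234, false) // constructed origin cert
	rootA, keyA := selfSigned("Sophos Endpoint RSA Root", 1, true)    // root before a restart
	rootB, keyB := selfSigned("Sophos Endpoint RSA Root", 1, true)    // regenerated root, same DN
	fmt.Println("copied serial conflicts:", reusedIssuerSerial(cloneLeaf(origin, rootA, keyA, true), cloneLeaf(origin, rootB, keyB, true)))
}
```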