SEC_ERROR_REUSED_ISSUER_AND_SERIAL error when using Decrypt HTTPS websites using SSL/TLS in EAP using Firefox

I am seeing this error intermittently when browsing in Firefox on a device with SSL/TLS decryption of HTTPS websites enabled. I have the ImportEnterpriseRoots setting enabled in Firefox to import the Sophos root CA. Browsing will work for a period of time, and I can see by looking at the certificate chain that the root CA is a Sophos one, so HTTPS interception is working. However, after a period of time (usually a few hours) any sites I browse to will generate the following error: SEC_ERROR_REUSED_ISSUER_AND_SERIAL. If I close and reopen all browser windows, I am able to successfully browse to the same sites again.

Googling this error points to articles that mention deleting the certificates or CAs that cause the issue, but this is not sustainable when we look to roll this out to 500 users. https://support.mozilla.org/en-US/kb/Certificate-contains-the-same-serial-number-as-another-certificate

Looking at the certificate authority in Windows for the Sophos Endpoint, it looks to have been generated today. Is it the case that the certificate is not a static certificate but one that changes regularly, and could this be causing the issue?

  • Is this only happening to your own domains, and do you happen to use a wildcard certificate? I have yet to check if I have the Enterprise Root Firefox GPO enabled, but this issue began happening to us yesterday on the two machines we currently have in the EAP. We needed to exempt our domain, as our subdomains for various services all use a wildcard certificate. However, the exemptions for IP addresses do not currently seem to work.

  • I've been seeing this as well for the last week I've had decryption enabled on my main work laptop.

    Sure enough, there are regular "registering root certificate" events in the log file C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SophosNetFilter.log:

    2022-02-17T12:22:16.918Z [ 7256: 5928] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-17 2020 00:00:00Z NotAfter=2027-02-17 2027 00:00:00Z>>
    2022-02-16T17:24:41.492Z [ 1412: 8360] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-16 2020 00:00:00Z NotAfter=2027-02-16 2027 00:00:00Z>>
    2022-02-15T17:29:15.221Z [ 1304: 1300] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-15 2020 00:00:00Z NotAfter=2027-02-15 2027 00:00:00Z>>
    2022-02-15T00:25:50.065Z [ 4444: 4996] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-15 2020 00:00:00Z NotAfter=2027-02-15 2027 00:00:00Z>>
    2022-02-13T23:48:41.822Z [ 8580: 8584] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-13 2020 00:00:00Z NotAfter=2027-02-13 2027 00:00:00Z>>
    2022-02-13T21:20:58.102Z [ 7504: 1252] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-13 2020 00:00:00Z NotAfter=2027-02-13 2027 00:00:00Z>>
    2022-02-12T20:19:40.728Z [ 8948: 8952] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-12 2020 00:00:00Z NotAfter=2027-02-12 2027 00:00:00Z>>
    2022-02-12T20:14:48.035Z [10208:10236] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-12 2020 00:00:00Z NotAfter=2027-02-12 2027 00:00:00Z>>
    2022-02-12T19:43:12.389Z [ 9336: 9340] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-12 2020 00:00:00Z NotAfter=2027-02-12 2027 00:00:00Z>>
    2022-02-12T19:00:54.552Z [ 9872: 9876] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-12 2020 00:00:00Z NotAfter=2027-02-12 2027 00:00:00Z>>

    One interesting thing I noticed from your post is the local root certificate is valid from 2 years in the past.

    Note: This issue usually clears up after about a minute without closing any tabs or windows.

  • This doesn't just occur on our own domains but also in general web browsing and only in Firefox so I can't limit this to domains that I can exclude.

  • I wasn't aware of that log file. I just checked mine, and I can see three entries this afternoon where a new root certificate is generated.

    2022-02-24T12:02:09.200Z [10968:10972] I Registering root certificate for RSA: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint RSA Root, O=Sophos Issuer=CN=Sophos Endpoint RSA Root, O=Sophos Fingerprint=fe 31 02 33 33 11 63 07 2a 42 bf a9 b2 6b e5 47 11 32 2f de NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T12:02:09.201Z [10968:10972] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)
    2022-02-24T12:02:09.208Z [10968:10972] I Registering root certificate for EC: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=45 0b 91 c0 21 5d 00 50 c9 8b 33 d7 60 51 74 3b 21 c7 32 38 NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T12:02:09.209Z [10968:10972] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)
    2022-02-24T12:08:09.974Z [10796:10800] I Registering root certificate for RSA: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint RSA Root, O=Sophos Issuer=CN=Sophos Endpoint RSA Root, O=Sophos Fingerprint=48 77 d2 8c b8 90 30 e0 3a 35 95 5a 29 4a 95 04 59 a2 dd 25 NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T12:08:09.975Z [10796:10800] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)
    2022-02-24T12:08:09.980Z [10796:10800] I Registering root certificate for EC: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=6d b7 4c b7 03 07 bd e3 2d 25 a8 94 e5 1c b6 df 92 72 e1 00 NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T12:08:09.981Z [10796:10800] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)
    2022-02-24T14:06:46.559Z [ 6564:10728] I Registering root certificate for RSA: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint RSA Root, O=Sophos Issuer=CN=Sophos Endpoint RSA Root, O=Sophos Fingerprint=ba 9e 89 ad 78 62 66 46 ce 43 5c 46 89 e4 ac 81 9a cb 5c c8 NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T14:06:46.561Z [ 6564:10728] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)
    2022-02-24T14:06:46.567Z [ 6564:10728] I Registering root certificate for EC: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=c7 20 b4 78 dc d0 3f 51 23 fe e7 30 d6 0b 5b cd 4e f9 10 62 NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T14:06:46.567Z [ 6564:10728] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)

    I'm also seeing lots of the following errors. Not sure if they're related to the issue I'm having.

    2022-02-24T15:33:06.361Z [ 6564: 7444] E SSL_do_handshake returned SSL error= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=00000191B0647950
    2022-02-24T15:33:06.365Z [ 6564: 7444] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during handshake(): error:00000412:lib(0):func(0):reason(1042)
    2022-02-24T15:33:06.368Z [ 6564: 7444] E Unrecoverable SSL error in input() flowId=20115 side=0 size=24 offset=0
    2022-02-24T15:33:06.371Z [ 6564: 9328] E Connection closed before handshake completed
    

    I'm seeing 2730 instances of the "SSL_do_handshake returned SSL error= 1 reason=1042" error in my log file, which goes back just short of four hours.

    I hadn't spotted the year on the cert being 2 years old; I saw the same date and presumed it was created that day. Mine also does seem to clear itself up if I leave it for a period of time, but I haven't been able to pin down what causes the issue to start in the first place or what happens to fix it. Today, for example, I have had this issue more than usual, maybe 5 times, whereas usually it will happen once, maybe twice, a day.

  • I'm also seeing a fair number of the "reason=1042" errors, which are always accompanied by the other three errors you listed.

    While I believe the issue is related to the root cert cycling regularly, the actual failure events seem to coincide with the "[certgen] cloned certificate", which would need to be re-cloned whenever the root cert is cycled.

    Virustotal has been the most common offender for me since I access it regularly. Here's the full event stack of its failure on my first attempt connecting today:

    2022-02-24T16:32:16.961Z [ 8404: 8624] I [webengine] New connection 0x1c529c43a10
    2022-02-24T16:32:16.998Z [ 8404:12308] I [check-ip] connection:0x1c529c43a10 ip:74.125.34.46 flowId:9207 decision:continue
    2022-02-24T16:32:17.176Z [ 8404:12308] I [clienthello] connection:0x1c529c43a10 sni:www.virustotal.com flowId:9207 decision:decrypt
    2022-02-24T16:32:17.218Z [ 8404:12308] I [serverhello] connection:0x1c529c43a10 sni:www.virustotal.com flowId:9207 decision:allowed
    2022-02-24T16:32:17.235Z [ 8404: 8624] I [revocationcheck] certificate C=ES, L=Malaga, O=VirusTotal SL, CN=*.virustotal.com offline-status:accepted
    2022-02-24T16:32:17.238Z [ 8404: 8624] I [certgen] cloned certificate <<Certificate Serial=9f 21 40 41 44 e3 72 57 fe 40 b6 8c 37 d3 30 0e Subject=C=ES, L=Malaga, O=VirusTotal SL, CN=*.virustotal.com Issuer=C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1 Fingerprint=cd b4 23 0b 19 ab 80 ef 92 90 2b 64 45 34 f5 f9 b1 ed b4 5b NotBefore=2022-01-17 2022 00:00:00Z NotAfter=2023-01-18 2023 23:59:59Z altnames=virustotal.com,*.virustotal.com>> as <<Certificate Serial=97 59 46 20 65 aa fd d8 79 b7 7c ee 99 9c 4f 99 5d 7f 13 81 Subject=C=ES, L=Malaga, O=VirusTotal SL, CN=*.virustotal.com Issuer=CN=Sophos Endpoint RSA Root, O=Sophos Fingerprint=e4 14 01 48 2a 0e b9 2a 6e 88 92 7c d2 1a 3e 8b e5 bf 62 c5 NotBefore=2022-01-17 2022 00:00:00Z NotAfter=2023-01-18 2023 23:59:59Z altnames=virustotal.com,*.virustotal.com>>
    2022-02-24T16:32:17.242Z [ 8404: 8624] E SSL_do_handshake returned SSL error= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=000001C52A4398E0
    2022-02-24T16:32:17.245Z [ 8404: 8624] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during handshake(): error:00000412:lib(0):func(0):reason(1042)
    2022-02-24T16:32:17.248Z [ 8404: 8624] E Unrecoverable SSL error in input() flowId=9207 side=0 size=24 offset=0
    2022-02-24T16:32:17.250Z [ 8404: 8616] E Connection closed before handshake completed
    2022-02-24T16:32:17.253Z [ 8404: 8616] I [webengine] Closing connection 0x1c529c43a10 for 'www.virustotal.com': request=517b, response=3427b, lifetime=291ms, firstResponse=253ms, businessLogicDelay=0ms, timeInCache=26ms, in=279ms, out=279ms, l.eos=288ms
    2022-02-24T16:32:17.971Z [ 8404: 8624] I [webengine] New connection 0x1c529b36140
    2022-02-24T16:32:17.973Z [ 8404:12308] I [check-ip] connection:0x1c529b36140 ip:74.125.34.46 flowId:9235 decision:continue
    2022-02-24T16:32:17.975Z [ 8404:12308] I [clienthello] connection:0x1c529b36140 sni:www.virustotal.com flowId:9235 decision:decrypt
    2022-02-24T16:32:18.016Z [ 8404: 8624] I [revocationcheck] certificate C=ES, L=Malaga, O=VirusTotal SL, CN=*.virustotal.com offline-status:accepted
    2022-02-24T16:32:18.016Z [ 8404:12308] I [serverhello] connection:0x1c529b36140 sni:www.virustotal.com flowId:9235 decision:allowed
    2022-02-24T16:32:18.019Z [ 8404: 8624] E SSL_do_handshake returned SSL error= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=000001C52A4380D0
    2022-02-24T16:32:18.021Z [ 8404: 8624] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during handshake(): error:00000412:lib(0):func(0):reason(1042)
    2022-02-24T16:32:18.023Z [ 8404: 8624] E Unrecoverable SSL error in input() flowId=9235 side=0 size=24 offset=0
    2022-02-24T16:32:18.025Z [ 8404: 8616] E Connection closed before handshake completed
    2022-02-24T16:32:18.027Z [ 8404: 8616] I [webengine] Closing connection 0x1c529b36140 for 'www.virustotal.com': request=517b, response=3427b, lifetime=55ms, firstResponse=43ms, businessLogicDelay=0ms, timeInCache=4ms, in=46ms, out=46ms, l.eos=53ms
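The posts above contain two kinds of evidence: repeated "Registering root certificate" events with a changing Fingerprint, and "reason=1042" handshake failures that follow a "[certgen] cloned certificate" event. The script below is an added example, not code from the thread or from Sophos. It parses SophosNetFilter.log-style lines (the sample is constructed here, modelled on the lines quoted in the thread; the second cloned-certificate line and its fingerprint are invented to show the failure case) and reports three things: root re-registrations where the same Subject comes back with a new Fingerprint, cloned leaf certificates whose (Issuer, Serial) pair was already seen with a different Fingerprint, which is the condition the linked Mozilla article describes behind SEC_ERROR_REUSED_ISSUER_AND_SERIAL, and how many handshake failures land within a window after each root rotation. The line format, field order and the 600-second correlation window are assumptions taken from the quoted lines, not from Sophos documentation.

```python
"""Detect interception-root rotation and issuer/serial reuse in SophosNetFilter.log-style lines."""
import re
from datetime import datetime, timezone

# Line prefix: ISO timestamp, "[pid:tid]" (space-padded), level I/E, message.
LINE_RE = re.compile(r"^(?P<ts>\S+) \[\s*(?P<pid>\d+):\s*(?P<tid>\d+)\] (?P<lvl>[IE]) (?P<msg>.*)$")
# A certificate description is wrapped in "<<Certificate ... >>".
CERT_BLOCK_RE = re.compile(r"<<Certificate (.*?)>>")
# Field names inside a certificate block, as they appear in the quoted log lines (assumed complete).
FIELD_RE = re.compile(r"\b(Serial|Subject|Issuer|Fingerprint|NotBefore|NotAfter|altnames)=")


def parse_cert_block(text):
    """Split 'Serial=... Subject=... Issuer=...' into a dict; values may contain spaces and commas."""
    parts = FIELD_RE.split(text)  # ['', 'Serial', ' redacted ', 'Subject', ' CN=... ', ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def parse_log(lines):
    """Return (root registrations, cloned certificates, reason=1042 failure timestamps)."""
    roots, clones, failures = [], [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        msg = m["msg"]
        if msg.startswith("Registering root certificate for"):
            roots.append((ts, parse_cert_block(CERT_BLOCK_RE.search(msg).group(1))))
        elif msg.startswith("[certgen] cloned certificate"):
            original, clone = CERT_BLOCK_RE.findall(msg)[:2]
            clones.append((ts, parse_cert_block(original), parse_cert_block(clone)))
        elif "SSL_do_handshake returned SSL error" in msg and "reason=1042" in msg:
            failures.append(ts)
    return roots, clones, failures


def root_rotations(roots):
    """One event per re-registration of a root Subject with a different Fingerprint."""
    last, events = {}, []
    for ts, cert in sorted(roots, key=lambda r: r[0]):
        subject, fp = cert["Subject"], cert["Fingerprint"]
        if subject in last and last[subject] != fp:
            events.append((ts, subject, last[subject], fp))
        last[subject] = fp
    return events


def reused_issuer_serial(clones):
    """Model of the browser-side check: same (Issuer, Serial) seen again with a different Fingerprint."""
    seen, hits = {}, []
    for ts, _original, clone in clones:
        key, fp = (clone["Issuer"], clone["Serial"]), clone["Fingerprint"]
        if key in seen and seen[key] != fp:
            hits.append((ts, key, seen[key], fp))
        seen.setdefault(key, fp)
    return hits


def failures_after_rotation(rotations, failures, window_s=600):
    """Count reason=1042 failures within window_s seconds after each rotation (window is an assumption)."""
    return [(ts, subject, sum(1 for f in failures if 0 <= (f - ts).total_seconds() <= window_s))
            for ts, subject, _old, _new in rotations]


# Constructed sample, modelled on the lines quoted in this thread. Timestamps of the cloned-certificate
# lines and the second clone's fingerprint (00 11 22 ...) are invented to show the reuse case.
RSA_ROOT = "Subject=CN=Sophos Endpoint RSA Root, O=Sophos Issuer=CN=Sophos Endpoint RSA Root, O=Sophos"
EC_ROOT = "Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos"
VALIDITY = "NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z"
VT = "Subject=C=ES, L=Malaga, O=VirusTotal SL, CN=*.virustotal.com"
VT_VALID = "NotBefore=2022-01-17 2022 00:00:00Z NotAfter=2023-01-18 2023 23:59:59Z altnames=virustotal.com,*.virustotal.com"
SAMPLE_LOG = [
    f"2022-02-24T12:02:09.200Z [10968:10972] I Registering root certificate for RSA: <<Certificate Serial=redacted {RSA_ROOT} Fingerprint=fe 31 02 33 33 11 63 07 2a 42 bf a9 b2 6b e5 47 11 32 2f de {VALIDITY}>>",
    f"2022-02-24T12:02:09.208Z [10968:10972] I Registering root certificate for EC: <<Certificate Serial=redacted {EC_ROOT} Fingerprint=45 0b 91 c0 21 5d 00 50 c9 8b 33 d7 60 51 74 3b 21 c7 32 38 {VALIDITY}>>",
    f"2022-02-24T12:05:00.000Z [10968:10972] I [certgen] cloned certificate <<Certificate Serial=9f 21 40 41 44 e3 72 57 fe 40 b6 8c 37 d3 30 0e {VT} Issuer=C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1 Fingerprint=cd b4 23 0b 19 ab 80 ef 92 90 2b 64 45 34 f5 f9 b1 ed b4 5b {VT_VALID}>> as <<Certificate Serial=97 59 46 20 65 aa fd d8 79 b7 7c ee 99 9c 4f 99 5d 7f 13 81 {VT} Issuer=CN=Sophos Endpoint RSA Root, O=Sophos Fingerprint=e4 14 01 48 2a 0e b9 2a 6e 88 92 7c d2 1a 3e 8b e5 bf 62 c5 {VT_VALID}>>",
    f"2022-02-24T12:08:09.974Z [10796:10800] I Registering root certificate for RSA: <<Certificate Serial=redacted {RSA_ROOT} Fingerprint=48 77 d2 8c b8 90 30 e0 3a 35 95 5a 29 4a 95 04 59 a2 dd 25 {VALIDITY}>>",
    f"2022-02-24T12:08:09.980Z [10796:10800] I Registering root certificate for EC: <<Certificate Serial=redacted {EC_ROOT} Fingerprint=6d b7 4c b7 03 07 bd e3 2d 25 a8 94 e5 1c b6 df 92 72 e1 00 {VALIDITY}>>",
    f"2022-02-24T12:08:15.000Z [10796:10800] I [certgen] cloned certificate <<Certificate Serial=9f 21 40 41 44 e3 72 57 fe 40 b6 8c 37 d3 30 0e {VT} Issuer=C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1 Fingerprint=cd b4 23 0b 19 ab 80 ef 92 90 2b 64 45 34 f5 f9 b1 ed b4 5b {VT_VALID}>> as <<Certificate Serial=97 59 46 20 65 aa fd d8 79 b7 7c ee 99 9c 4f 99 5d 7f 13 81 {VT} Issuer=CN=Sophos Endpoint RSA Root, O=Sophos Fingerprint=00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 {VT_VALID}>>",
    "2022-02-24T12:08:15.003Z [10796:10800] E SSL_do_handshake returned SSL error= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=000001C52A4398E0",
    "2022-02-24T12:08:15.005Z [10796:10800] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during handshake(): error:00000412:lib(0):func(0):reason(1042)",
    "2022-02-24T12:08:16.000Z [10796:10800] E SSL_do_handshake returned SSL error= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=000001C52A4380D0",
    "2022-02-24T15:33:06.361Z [ 6564: 7444] E SSL_do_handshake returned SSL error= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=00000191B0647950",
]

if __name__ == "__main__":
    roots, clones, failures = parse_log(SAMPLE_LOG)
    for ts, subject, old, new in root_rotations(roots):
        print(f"{ts:%H:%M:%S} root rotated: {subject}: {old[:8]}... -> {new[:8]}...")
    for ts, (issuer, serial), old, new in reused_issuer_serial(clones):
        print(f"{ts:%H:%M:%S} issuer/serial reused with new fingerprint: {issuer} serial {serial[:11]}...")
    for ts, subject, n in failures_after_rotation(root_rotations(roots), failures):
        print(f"{ts:%H:%M:%S} {n} handshake failure(s) within 10 min of rotating {subject}")
```

Run against the real log by replacing SAMPLE_LOG with the lines of the file; a rotation count above one or two per day, or any issuer/serial reuse hit, is the signal to collect before raising the case, since it ties the browser error to a specific re-registration timestamp rather than to a site.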

  • Seeing this today for internal self-signed cert pages, which were working last week. Only with Firefox.

    But I think we can save our time and stop writing our beta testing results in the EAP forums. For me it's clear: they're abandoned. It's been a while since I saw someone from Sophos answering here.

  • Looking into the internal investigations taking place surrounding this issue, a fix has been found that will be released in the next major update. At this time the release may still be a couple of months out.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos! Visit Sophos Techvids

  • Can you please improve this behaviour soon?

    We (you?) know this happens when IPS receives updates on the endpoint while Firefox is open.

    It's just incomplete coding if you are not able to display a message in the browser like "Please restart your internet browser to apply Sophos Security updates".

    Instead, users only see the irritating error "SEC_ERROR_REUSED_ISSUER_AND_SERIAL".

  • Any update on when this fix will be released?