SEC_ERROR_REUSED_ISSUER_AND_SERIAL error when using Decrypt HTTPS websites using SSL/TLS in EAP using Firefox

I am seeing this error intermittently when browsing in Firefox on a device with SSL/TLS decryption of HTTPS websites enabled. I have the ImportEnterpriseRoots setting enabled in Firefox to import the Sophos root CA. Browsing will work for a period of time, and I can see from the certificate chain that the root CA is a Sophos one, so HTTPS interception is working. However, after a period of time (usually a few hours), any sites I browse to will generate the following error: SEC_ERROR_REUSED_ISSUER_AND_SERIAL. If I close and reopen all browser windows, I am able to successfully browse to the same sites again.

Googling this error points to articles that mention deleting the certificates or CAs that cause the issue, but this is not sustainable when we look to roll this out to 500 users. https://support.mozilla.org/en-US/kb/Certificate-contains-the-same-serial-number-as-another-certificate

Looking at the certificate authority in Windows for the Sophos Endpoint, it looks to be generated today. Is it a case that the certificate is not a static certificate but is one that changes regularly and could this be causing this issue?

  • I've been seeing this as well for the last week I've had decryption enabled on my main work laptop.

    Sure enough there are regular "registering root certificate" events in the log file:  C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SophosNetFilter.log:

    2022-02-17T12:22:16.918Z [ 7256: 5928] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-17 2020 00:00:00Z NotAfter=2027-02-17 2027 00:00:00Z>>
    
    2022-02-16T17:24:41.492Z [ 1412: 8360] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-16 2020 00:00:00Z NotAfter=2027-02-16 2027 00:00:00Z>>
    
    2022-02-15T17:29:15.221Z [ 1304: 1300] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-15 2020 00:00:00Z NotAfter=2027-02-15 2027 00:00:00Z>>
    
    2022-02-15T00:25:50.065Z [ 4444: 4996] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-15 2020 00:00:00Z NotAfter=2027-02-15 2027 00:00:00Z>>
    
    2022-02-13T23:48:41.822Z [ 8580: 8584] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-13 2020 00:00:00Z NotAfter=2027-02-13 2027 00:00:00Z>>
    
    2022-02-13T21:20:58.102Z [ 7504: 1252] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-13 2020 00:00:00Z NotAfter=2027-02-13 2027 00:00:00Z>>
    
    2022-02-12T20:19:40.728Z [ 8948: 8952] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-12 2020 00:00:00Z NotAfter=2027-02-12 2027 00:00:00Z>>
    
    2022-02-12T20:14:48.035Z [10208:10236] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-12 2020 00:00:00Z NotAfter=2027-02-12 2027 00:00:00Z>>
    
    2022-02-12T19:43:12.389Z [ 9336: 9340] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-12 2020 00:00:00Z NotAfter=2027-02-12 2027 00:00:00Z>>
    
    2022-02-12T19:00:54.552Z [ 9872: 9876] I Registering root certificate for EC: <<Certificate Serial=<redacted> Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=<redacted> NotBefore=2020-02-12 2020 00:00:00Z NotAfter=2027-02-12 2027 00:00:00Z>>

    One interesting thing I noticed from your post is the local root certificate is valid from 2 years in the past.

    Note: This issue usually clears up after about a minute without closing any tabs or windows.

  • I wasn't aware of that log file and just checked mine and I can see three entries this afternoon where a new root certificate is generated.

    2022-02-24T12:02:09.200Z [10968:10972] I Registering root certificate for RSA: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint RSA Root, O=Sophos Issuer=CN=Sophos Endpoint RSA Root, O=Sophos Fingerprint=fe 31 02 33 33 11 63 07 2a 42 bf a9 b2 6b e5 47 11 32 2f de NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T12:02:09.201Z [10968:10972] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)
    2022-02-24T12:02:09.208Z [10968:10972] I Registering root certificate for EC: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=45 0b 91 c0 21 5d 00 50 c9 8b 33 d7 60 51 74 3b 21 c7 32 38 NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T12:02:09.209Z [10968:10972] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)
    2022-02-24T12:08:09.974Z [10796:10800] I Registering root certificate for RSA: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint RSA Root, O=Sophos Issuer=CN=Sophos Endpoint RSA Root, O=Sophos Fingerprint=48 77 d2 8c b8 90 30 e0 3a 35 95 5a 29 4a 95 04 59 a2 dd 25 NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T12:08:09.975Z [10796:10800] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)
    2022-02-24T12:08:09.980Z [10796:10800] I Registering root certificate for EC: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=6d b7 4c b7 03 07 bd e3 2d 25 a8 94 e5 1c b6 df 92 72 e1 00 NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T12:08:09.981Z [10796:10800] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)
    2022-02-24T14:06:46.559Z [ 6564:10728] I Registering root certificate for RSA: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint RSA Root, O=Sophos Issuer=CN=Sophos Endpoint RSA Root, O=Sophos Fingerprint=ba 9e 89 ad 78 62 66 46 ce 43 5c 46 89 e4 ac 81 9a cb 5c c8 NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T14:06:46.561Z [ 6564:10728] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)
    2022-02-24T14:06:46.567Z [ 6564:10728] I Registering root certificate for EC: <<Certificate Serial=redacted Subject=CN=Sophos Endpoint EC Root, O=Sophos Issuer=CN=Sophos Endpoint EC Root, O=Sophos Fingerprint=c7 20 b4 78 dc d0 3f 51 23 fe e7 30 d6 0b 5b cd 4e f9 10 62 NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>
    2022-02-24T14:06:46.567Z [ 6564:10728] E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)

    I'm also seeing lots of the following errors. Not sure if they're related to the issue I'm having.

    2022-02-24T15:33:06.361Z [ 6564: 7444] E SSL_do_handshake returned SSL error= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=00000191B0647950
    2022-02-24T15:33:06.365Z [ 6564: 7444] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during handshake(): error:00000412:lib(0):func(0):reason(1042)
    2022-02-24T15:33:06.368Z [ 6564: 7444] E Unrecoverable SSL error in input() flowId=20115 side=0 size=24 offset=0
    2022-02-24T15:33:06.371Z [ 6564: 9328] E Connection closed before handshake completed
    

    I'm seeing 2730 instances of the SSL_do_handshake returned SSL error= 1 reason=1042 error in my log file that goes back just short of four hours.

    I hadn't spotted the year on the cert being 2 years old; I saw the same date and presumed it was created that day. Mine also does seem to clear itself up if I leave it a period of time, but I haven't been able to pin down what causes the issue to start in the first place and what happens to fix the issue. Today, for example, I have had this issue more than usual: maybe 5 times it's happened, whereas usually it will happen once, maybe twice, a day.

  • today endpoint SW-Update

    other firefox error, same root cause

    restarting firefox and it's working again.

  • Good afternoon,
    I'm also having the same errors and without a definitive solution.
    Errors do not occur when disabling modules.
  • In the rare case Sophos is reading here: this is just happening after Endpoint NTP64 has received updates due to new IPS signatures at 11:38Z time.

    Tried to open www.golem.de.

    It happens with EVERY other website, except those that are skipped from HTTPS decryption, e.g. all sophos.com websites work. After restarting Firefox, all is OK again. This happens only on workstation with HTTPS decryption EAP installed and enabled.

    EP sophosnetfilter log:

    2022-05-20T11:53:46.052Z [17012:21052] I [webengine] New connection 0x23eec7b13a0
    2022-05-20T11:53:46.086Z [17012:10832] I [check-ip] connection:0x23eec7b13a0 ip:77.247.84.129 flowId:25671 decision:continue
    2022-05-20T11:53:46.115Z [17012:10832] I [clienthello] connection:0x23eec7b13a0 sni:www.golem.de flowId:25671 decision:decrypt
    2022-05-20T11:53:46.203Z [17012:21052] I [revocationcheck] certificate C=DE, S=Berlin, L=Berlin, O=Golem Media GmbH, CN=*.golem.de offline-status:unknown
    2022-05-20T11:53:46.204Z [17012:10832] I [serverhello] connection:0x23eec7b13a0 sni:www.golem.de flowId:25671 decision:allowed
    2022-05-20T11:53:46.211Z [17012:21052] I [certgen] cloned certificate <<Certificate Serial=c8 76 8f 87 ee 18 d4 ae 2e 17 2c 05 53 62 05 Subject=C=DE, S=Berlin, L=Berlin, O=Golem Media GmbH, CN=*.golem.de Issuer=C=DE, S=BW, L=CITY, O=OUR-COMPANY, OU=IT, CN=SSLPROXY-XG-FIREWALL.internal.domain, E=helpdesk@internal.domain Fingerprint=f5 83 0xxxxxxxxxxxxxxxxxxxxxxxxxdf bd 46 90 NotBefore=2021-01-05 2021 13:46:13Z NotAfter=2023-03-16 2023 13:46:13Z altnames=*.golem.de,golem.de>> as <<Certificate Serial=cc 6d f1 92 36 dd 72 d0 63 e6 76 62 d4 07 c9 cb 1f dc f3 46 Subject=C=DE, S=Berlin, L=Berlin, O=Golem Media GmbH, CN=*.golem.de Issuer=CN=Sophos Endpoint RSA Root, O=Sophos Fingerprint=46 7f 5a 62 f3 9c 08 5f ba 1a 15 7f 09 a0 50 85 50 12 a9 45 NotBefore=2021-01-05 2021 13:46:13Z NotAfter=2023-03-16 2023 13:46:13Z altnames=*.golem.de,golem.de>>
    2022-05-20T11:53:46.213Z [17012:17100] I Revocation duration=0, Subject=C=DE, S=Berlin, L=Berlin, O=Golem Media GmbH, CN=*.golem.de, status=unknown
    2022-05-20T11:53:46.220Z [17012:17100] I [revocationcheck] certificate C=DE, S=Berlin, L=Berlin, O=Golem Media GmbH, CN=*.golem.de online-status:unknown
    2022-05-20T11:53:46.250Z [17012:21052] E SSL_read returned ssl err= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=0000023EEC2F5600
    2022-05-20T11:53:46.252Z [17012:21052] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during SSL_read(): error:00000412:lib(0):func(0):reason(1042)
    2022-05-20T11:53:46.254Z [17012:21052] E Unrecoverable SSL error in input() flowId=25671 side=0 size=31 offset=0
    2022-05-20T11:53:46.256Z [17012:18108] I [webengine] Closing connection 0x23eec7b13a0 for 'www.golem.de': request=610b, response=3234b, lifetime=204ms, firstResponse=140ms, businessLogicDelay=0ms, timeInCache=24ms, in=168ms, out=180ms, l.eos=203ms, r.eos=204ms

    EP: sophosupdate.log

    2022-05-20T11:38:27.864Z [18180:19716] I Supplements: 3, used 12459 bytes
    2022-05-20T11:38:27.864Z [18180:19716] I Packages: 1, used 22295 bytes
    2022-05-20T11:38:29.793Z [18180:19716] I WindowsCloudNextGen: downloaded suite: sdds3.WindowsCloudNextGen_11.6.890.f956798aa3.dat, version: 11.6.890, display version: 2.20.13 BETA
    2022-05-20T11:38:29.793Z [18180:19716] I WindowsCloudClean: downloaded suite: sdds3.WindowsCloudClean_1.0.42.55133bcba5.dat, version: 1.0.42, display version: empty
    2022-05-20T11:38:29.793Z [18180:19716] I WindowsCloudEncryption: downloaded suite: sdds3.WindowsCloudEncryption_2022.1.0.41.0e40ef1531.dat, version: 2022.1.0.41, display version: 2022.1.0.41
    2022-05-20T11:38:29.793Z [18180:19716] I WindowsCloudHitmanProAlert: downloaded suite: sdds3.WindowsCloudHitmanProAlert_2021.3.1.12.1.09812a79f4.dat, version: 2021.3.1.12.1, display version: 2021.3.1.12 BETA
    2022-05-20T11:38:29.793Z [18180:19716] I WindowsCloudMDR: downloaded suite: sdds3.WindowsCloudMDR_2.3.0.68.b77aeb54b6.dat, version: 2.3.0.68, display version: 2.3.0.68
    2022-05-20T11:38:29.794Z [18180:19716] I WindowsCloudAV: downloaded suite: sdds3.WindowsCloudAV_11.6.560.9f1f24ae28.dat, version: 11.6.560, display version: 10.8.11.4 BETA
    2022-05-20T11:38:29.794Z [18180:19716] I Removing orphan products.
    2022-05-20T11:38:29.795Z [18180:19716] I No orphan products detected.
    2022-05-20T11:38:29.800Z [18180:19716] I Saving state to C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
    2022-05-20T11:38:29.810Z [18180:19716] I Extracting packages.
    2022-05-20T11:38:31.969Z [18180:19716] I Extracting package EPIPS_data_2022.5.19.10.20.37.1.d84ec8d3a1.zip
    2022-05-20T11:38:31.969Z [18180:19716] I Decoding C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\ntp64\2022051901.ips
    2022-05-20T11:38:37.169Z [18180:19716] I Purging C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\ntp64\2022051101.ips
    2022-05-20T11:38:37.253Z [18180:19716] I Saving state to C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
    2022-05-20T11:38:37.271Z [18180:19716] I Installing products.
    2022-05-20T11:38:37.271Z [18180:19716] I Skipped installation of component 0253775E-970D-4876-959C-21B422420E5A (SSE64) 1.8.8.1
    2022-05-20T11:38:37.272Z [18180:19716] I Skipped installation of component 1129226C-32AB-4B72-85E1-A9CC8DFBC859 (SED64) 3.0.1.947
    2022-05-20T11:38:37.272Z [18180:19716] I Skipped installation of component 1FE3E7DF-EFFA-408A-A1B0-89F15BA61F31 (SAUXG) 6.12.86
    2022-05-20T11:38:37.272Z [18180:19716] I Skipped installation of component 243DECCD-8080-410D-A45F-77F2182715EE (UNINSTALLER64) 1.12.133.133
    2022-05-20T11:38:37.272Z [18180:19716] I Skipped installation of component 244E68BF-E1BB-4A6B-AC18-A492DE0134C0 (HMPA64) 3.8.4.37
    2022-05-20T11:38:37.272Z [18180:19716] I Skipped installation of component 3799FB3E-808A-4F7D-AC6A-0C74F931C386 (MCS) 4.15.79.0
    2022-05-20T11:38:37.272Z [18180:19716] I Skipped installation of component 3CE954A1-0F41-4D9B-B2F0-58AA75334DFD (SHS) 2.8.130.0
    2022-05-20T11:38:37.272Z [18180:19716] I Skipped installation of component 3D8DC0A9-7F42-4CD5-AA7B-CF29296E7789 (SOPHOSCLEANM64) 3.9.14.1
    2022-05-20T11:38:37.272Z [18180:19716] I Skipped installation of component 591706A7-9603-4255-A65F-EA49BB11E8AC (SFS64) 1.9.16.3
    2022-05-20T11:38:37.273Z [18180:19716] I Skipped installation of component 5CD1A7B6-812E-47A1-A986-3A6D5D5C19F5 (UI64) 2.4.230.0
    2022-05-20T11:38:37.273Z [18180:19716] I Skipped installation of component 642A6FD9-A9D6-482D-BD8C-46661F241A0E (AMSI64) 1.8.59
    2022-05-20T11:38:37.273Z [18180:19716] I Skipped installation of component 70FDD40E-986A-44E5-9620-2B894A06702A (SME64) 1.8.7.1
    2022-05-20T11:38:37.273Z [18180:19716] I Skipped installation of component 7F682906-6E49-481B-89C5-2DCA36720F4F (ESH64) 3.1.88.0
    2022-05-20T11:38:37.273Z [18180:19716] I Skipped installation of component BA3387BB-AE88-4403-A36D-F8C0E0B6AEB2 (LIVETERMINAL64) 1.4.80.0
    2022-05-20T11:38:37.273Z [18180:19716] I Skipped installation of component CD297D6B-58A5-474F-8A0D-0A15803B8B50 (EFW64) 2.0.20.20
    2022-05-20T11:38:37.274Z [18180:19716] I Skipped installation of component LiveQuery64 (LiveQuery64) 3.4.0.320
    2022-05-20T11:38:37.274Z [18180:19716] I Skipped installation of component MTR64 (MTR64) 2.3.0.68
    2022-05-20T11:38:37.274Z [18180:19716] I Skipped installation of component SDU (SDU) 6.11.234
    2022-05-20T11:38:37.278Z [18180:19716] I Installing component NTP64 (NTP64) 1.15.869.0
    2022-05-20T11:38:37.284Z [18180:19716] I Checking manifest:C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\ntp64\manifest.dat
    2022-05-20T11:38:37.873Z [18180:19716] I setupDll='C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\ntp64\setup64.dll'; setupExe='C:\ProgramData\Sophos\AutoUpdate\Cache\sophos_autoupdate1.dir\su-setup64.exe'.
    2022-05-20T11:38:37.956Z [15120:17688] I Trying to load setup.dll of product NTP64.
    2022-05-20T11:38:38.021Z [15120:17688] I Setup DLL loaded C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\ntp64\setup64.dll.
    2022-05-20T11:38:38.021Z [15120:17688] I Trying interface IProductSetup2 of product NTP64.
    2022-05-20T11:38:38.021Z [15120:17688] I Successfully established interface IProductSetup2.
    2022-05-20T11:38:47.950Z [15120:17688] I Reboot state: 0
    2022-05-20T11:38:47.950Z [15120:17688] I Successfully installed product NTP64.
    2022-05-20T11:38:47.965Z [18180:19716] I Saving state to C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
    2022-05-20T11:38:47.978Z [18180:19716] I Sending telemetry every 86400s
    2022-05-20T11:38:47.978Z [18180:19716] I Telemetry last ran at 2022-05-19 11:08:05Z; offset time 2022-05-19 12:55:38Z (offset 6453s)
    2022-05-20T11:38:47.978Z [18180:19716] I Telemetry schedule has not elapsed.
    2022-05-20T11:38:47.984Z [18180:19716] I Saving state to C:\ProgramData\Sophos\AutoUpdate\data\status\SophosUpdateStatus.xml
    2022-05-20T11:38:47.998Z [18180:19716] A SophosUpdate has completed (exit 0).
    

  • Other websites produce the Reused and Serial error, like all Google sites and, as an example, cisco.com.

    2022-05-20T12:09:49.231Z [17012:21052] I [webengine] New connection 0x23eeb928850
    2022-05-20T12:09:49.263Z [17012:10832] I [check-ip] connection:0x23eeb928850 ip:72.163.4.185 flowId:27012 decision:continue
    2022-05-20T12:09:49.264Z [17012:10832] I [request] connection: 0x23eeb928850 url:http://cisco.com/ flowId:27012 decision:allowed riskLevel:2 universalCategory:8
    2022-05-20T12:09:49.482Z [17012:21052] I page allowed: http://cisco.com/
    2022-05-20T12:09:49.484Z [17012:18108] I [webengine] Closing connection 0x23eeb928850 for 'http://cisco.com/': request=1360b, response=209b, lifetime=252ms, firstResponse=250ms, businessLogicDelay=0ms, timeInCache=1ms, in=251ms, out=251ms, l.eos=252ms, r.eos=251ms
    2022-05-20T12:09:49.534Z [17012:21052] I [webengine] New connection 0x23eec78a050
    2022-05-20T12:09:49.564Z [17012:10832] I [check-ip] connection:0x23eec78a050 ip:95.100.76.145 flowId:27018 decision:continue
    2022-05-20T12:09:49.566Z [17012:10832] I [clienthello] connection:0x23eec78a050 sni:www.cisco.com flowId:27018 decision:decrypt
    2022-05-20T12:09:49.599Z [17012:21052] I [revocationcheck] certificate C=US, S=California, L=San Jose, O="Cisco Systems, Inc.", CN=www.cisco.com offline-status:unknown
    2022-05-20T12:09:49.600Z [17012:10832] I [serverhello] connection:0x23eec78a050 sni:www.cisco.com flowId:27018 decision:allowed
    2022-05-20T12:09:49.606Z [17012:21052] I [certgen] cloned certificate <<Certificate Serial=c0 88 4a 70 4a 2a be 8b 6b 37 5d 17 e2 48 06 Subject=C=US, S=California, L=San Jose, O="Cisco Systems, Inc.", CN=www.cisco.com Issuer=C=DE, S=BW, L=CITY, O=OUR-COMPANY, OU=IT, CN=SSLPROXY-XG-FIREWALL.internal.domain, E=helpdesk@internal.domain Fingerprint=f5 83 0xxxxxxxxxxxxxxxxxxxxxxxxxdf bd 46 90 NotBefore=2021-01-13 2021 15:37:40Z NotAfter=2023-03-24 2023 15:37:40Z altnames=www.cisco.com,cisco.com,www.mediafiles-cisco.com,www.static-cisco.com>> as <<Certificate Serial=29 0d e7 f1 c0 b2 01 3d 81 91 bb f5 f2 c0 c3 da 91 67 50 70 Subject=C=US, S=California, L=San Jose, O="Cisco Systems, Inc.", CN=www.cisco.com Issuer=CN=Sophos Endpoint RSA Root, O=Sophos Fingerprint=46 7f 5a 62 f3 9c 08 5f ba 1a 15 7f 09 a0 50 85 50 12 a9 45 NotBefore=2021-01-13 2021 15:37:40Z NotAfter=2023-03-24 2023 15:37:40Z altnames=www.cisco.com,cisco.com,www.mediafiles-cisco.com,www.static-cisco.com>>
    2022-05-20T12:09:49.608Z [17012:17100] I Revocation duration=0, Subject=C=US, S=California, L=San Jose, O="Cisco Systems, Inc.", CN=www.cisco.com, status=unknown
    2022-05-20T12:09:49.614Z [17012:17100] I [revocationcheck] certificate C=US, S=California, L=San Jose, O="Cisco Systems, Inc.", CN=www.cisco.com online-status:unknown
    2022-05-20T12:09:49.615Z [17012:21052] E SSL_do_handshake returned SSL error= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=0000023EECA47F60
    2022-05-20T12:09:49.618Z [17012:21052] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during handshake(): error:00000412:lib(0):func(0):reason(1042)
    2022-05-20T12:09:49.620Z [17012:21052] E Unrecoverable SSL error in input() flowId=27018 side=0 size=7 offset=0
    2022-05-20T12:09:49.622Z [17012:18108] E Connection closed before handshake completed
    2022-05-20T12:09:49.624Z [17012:18108] I [webengine] Closing connection 0x23eec78a050 for 'www.cisco.com': request=517b, response=3267b, lifetime=89ms, firstResponse=57ms, businessLogicDelay=0ms, timeInCache=19ms, in=80ms, out=80ms, l.eos=87ms
    

    Careful readers may note the re-encrypting CA of our Sophos XG in the cert line.

  • When will this problem be fixed? I now have all my customers getting these errors when using Firefox. This answer is 2 months old and the last update doesn't fix this problem.

  • We're testing whether disabling TLS 1.3 early data in FF may be a workaround, but it needs time to validate this as the issue happens so randomly.

  • After I read your post we have disabled TLS 1.3 in Firefox, but the problem still exists. It's a bit annoying. But in most cases this problem appears when the website is using TLS 1.3.

  • In your case, is there an HTTPS decrypting / scanning device like a web proxy, Sophos Firewall, etc. between the client and the target website?

  • I think the issue can be reproduced by disabling the Sophos EP modules Web Protection and Network Threat Protection (possibly only NTP), waiting for about 2 minutes, then starting Firefox and, once it has started, enabling the disabled Sophos EP module(s) again (this is actually what happens when IPS/NTP updates are installed by Sophos Update). The error message in Firefox appears when you try to open any website.
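
Added example, not part of any post in this thread and not Sophos code: a Python sketch that reads log text in the SophosNetFilter.log format quoted above, groups root registrations by the first number in the bracketed field (assumed here to be the process id), and reports when the root fingerprint changed under the same subject name, along with the "Failed to register root certificate as trusted" and reason=1042 counts for that process. The sample log is constructed; its PIDs and fingerprints are invented.

```python
import re

# Constructed sample in the SophosNetFilter.log format quoted in this thread;
# PIDs, thread ids and fingerprints are invented for the example.
CERT = ("<<Certificate Serial=redacted Subject=CN=Sophos Endpoint {k} Root, O=Sophos "
        "Issuer=CN=Sophos Endpoint {k} Root, O=Sophos Fingerprint={fp} "
        "NotBefore=2020-02-24 2020 00:00:00Z NotAfter=2027-02-24 2027 00:00:00Z>>")
FAIL = "E Failed to register root certificate as trusted: Unknown component ID (0xe0020006)"
SAMPLE_LOG = "\n".join([
    "2022-02-24T12:02:09.200Z [ 4100: 4104] I Registering root certificate for RSA: " + CERT.format(k="RSA", fp="aa 01 02 03"),
    "2022-02-24T12:02:09.201Z [ 4100: 4104] " + FAIL,
    "2022-02-24T12:02:09.208Z [ 4100: 4104] I Registering root certificate for EC: " + CERT.format(k="EC", fp="ab 11 12 13"),
    "2022-02-24T12:02:09.209Z [ 4100: 4104] " + FAIL,
    "2022-02-24T14:06:46.559Z [ 5200: 5204] I Registering root certificate for RSA: " + CERT.format(k="RSA", fp="ba 21 22 23"),
    "2022-02-24T14:06:46.561Z [ 5200: 5204] " + FAIL,
    "2022-02-24T14:06:46.567Z [ 5200: 5204] I Registering root certificate for EC: " + CERT.format(k="EC", fp="bb 31 32 33"),
    "2022-02-24T14:06:46.567Z [ 5200: 5204] " + FAIL,
    "2022-02-24T15:33:06.361Z [ 5200: 5300] E SSL_do_handshake returned SSL error= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=0000000000000001",
    "2022-02-24T15:33:06.365Z [ 5200: 5300] E Failed to set up SSL MITM encryption: Unrecoverable SSL error during handshake(): error:00000412:lib(0):func(0):reason(1042)",
    "2022-02-24T15:33:09.250Z [ 5200: 5300] E SSL_read returned ssl err= 1 reason=1042 error:00000001:lib(0):func(0):reason(1) SSL*=0000000000000002",
])

LINE = re.compile(r"^(?P<ts>\S+) \[\s*(?P<pid>\d+):\s*\d+\] (?P<lvl>[A-Z]) (?P<msg>.*)$")
REGISTER = re.compile(r"Registering root certificate for (?P<kind>\w+): <<Certificate .*?"
                      r"Subject=(?P<subject>.+?) Issuer=.*?Fingerprint=(?P<fp>.+?) NotBefore=")
TRUST_FAIL = "Failed to register root certificate as trusted"
HANDSHAKE_1042 = re.compile(r"SSL_\w+ returned .*reason=1042")


def summarize(log_text):
    """Return one record per process that registered a root, in log order."""
    generations = {}   # pid -> record (dicts keep insertion order)
    last_fp = {}       # subject -> last known fingerprint for that name
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())          # posts indent their log lines
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        reg = REGISTER.search(msg)
        if reg:
            rec = generations.setdefault(pid, {
                "pid": pid, "first_seen": m["ts"], "roots": {},
                "rotated": [], "trust_failures": 0, "handshake_1042": 0})
            fp = reg["fp"].strip()
            fp = None if "redacted" in fp else fp   # cannot compare redacted values
            rec["roots"][reg["kind"]] = fp
            prev = last_fp.get(reg["subject"])
            if fp and prev and fp != prev:
                # Same subject/issuer name, different certificate.
                rec["rotated"].append(reg["kind"])
            if fp:
                last_fp[reg["subject"]] = fp
        elif pid in generations:
            if TRUST_FAIL in msg:
                generations[pid]["trust_failures"] += 1
            elif HANDSHAKE_1042.search(msg):
                generations[pid]["handshake_1042"] += 1
    return list(generations.values())


if __name__ == "__main__":
    for g in summarize(SAMPLE_LOG):
        print(g["first_seen"], "pid", g["pid"], "rotated:", g["rotated"] or "-",
              "trust failures:", g["trust_failures"], "reason=1042:", g["handshake_1042"])
```

To use it on a real endpoint, pass the contents of the log file to summarize() instead of SAMPLE_LOG; entries whose fingerprint is redacted are listed but never flagged as rotated.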
