Websites signed by the Sectigo root CA may fail to connect with a "certificate validation failed" error because the AddTrust External CA Root certificate expired on May 30th 2020. The issue occurs because OpenSSL checks the certificate chain path, and that path leads to the expired AddTrust External CA Root. Hence you may observe that sites signed by the Sectigo root CA fail to connect and a "certificate validation failed" message is displayed to the end user. If a site has an expired certificate and is processed by the Sophos Firewall web proxy, the website is blocked by default. Here is a sample of the packet capture in which the remote server presents the CA certificate that has expired.
Applies to the following Sophos product(s) and version(s): Sophos Firewall
Websites signed by the Sectigo root CA may fail to connect with a certificate validation failure because the AddTrust External CA Root certificate expired on May 30th 2020. Hence you may observe a block message presented by Sophos Firewall on the user's end.
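The chain-path behaviour described above can be reproduced locally without touching any real Sectigo material. The script below is an added example, not part of the Sophos article: it builds a throwaway PKI in which a long-lived "new" root is cross-signed by a short-lived "old" root (the AddTrust pattern), then runs `openssl verify -attime` to evaluate the same leaf certificate before and after the old root expires, with either root as the trust anchor. It assumes only the `openssl` CLI (1.1.0 or newer) on PATH; all names, serials and validity periods are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Sophos's own code: rebuild an AddTrust-style chain with
# throwaway certificates and watch `openssl verify` fail or pass depending on
# which root is trusted and what the clock says. Assumes only the `openssl`
# CLI (1.1.0 or newer). All subjects, serials and lifetimes are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
NOW=$(date +%s)
LATER=$((NOW + 60 * 86400))   # 60 days ahead: the old root (30-day lifetime) has expired by then

# Minimal config so `openssl req` does not depend on the system openssl.cnf.
write_configs() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
}

# self_signed NAME SUBJECT DAYS : create a self-signed root certificate.
self_signed() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" -days "$3" 2>/dev/null
}

# issue NAME SUBJECT ISSUER DAYS SERIAL EXTFILE [KEY] : sign a CSR with ISSUER.
# When KEY is given the CSR reuses that key (needed for a cross-certificate).
issue() {
  if [ -n "$7" ]; then
    openssl req -new -config "$WORK/req.cnf" -key "$7" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  else
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
      -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
  fi
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -set_serial "$5" -days "$4" -extfile "$WORK/$6" -out "$WORK/$1.pem" 2>/dev/null
}

make_demo_pki() {
  if [ -f "$WORK/chain.pem" ]; then return 0; fi
  write_configs
  self_signed oldroot "/CN=Demo Old Root" 30      # stands in for AddTrust External CA Root
  self_signed newroot "/CN=Demo New Root" 3650    # stands in for the modern, still-valid root
  # Cross-certificate: New Root's subject and key, but signed by Old Root.
  issue cross "/CN=Demo New Root" oldroot 3650 1001 ca.ext "$WORK/newroot.key"
  issue inter "/CN=Demo Intermediate" newroot 3650 1002 ca.ext
  issue leaf  "/CN=vpn.example.invalid" inter 365 1003 leaf.ext
  # What a server typically sends: the intermediate plus the cross-signed root.
  cat "$WORK/inter.pem" "$WORK/cross.pem" > "$WORK/chain.pem"
}

# verify_at TRUST_STORE EPOCH : validate leaf.pem as of EPOCH; exit status is openssl's.
verify_at() {
  openssl verify -attime "$2" -CAfile "$WORK/$1" -untrusted "$WORK/chain.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

report() {
  if verify_at "$1" "$2"; then echo "trust=$1 at=$2: OK"; else echo "trust=$1 at=$2: FAILED"; fi
}

make_demo_pki
report oldroot.pem "$NOW"    # before expiry: the path through the old root validates
report oldroot.pem "$LATER"  # after expiry: OpenSSL reports "certificate has expired" on the old root
report newroot.pem "$LATER"  # trusting the modern root directly: the chain ends there and validates
```

The third case is the defender-side lesson: once the trust store holds the modern root and no longer needs the expired one, OpenSSL stops at that root and never evaluates the cross-signed path, which is why removing the expired CA from a trust list resolves the failure.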
When such a certificate is used for SSL VPN negotiation, validation fails and the client cannot establish a connection to Sophos Firewall, because the certificate is no longer valid.
SSL VPN clients will see the following log line: Sat May 30 00:00:00 2020 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Fixed in releases 18.0 MR2 and 17.5 MR14.
The expired CA is present in the Sophos Firewall Certificate authorities list and needs to be removed.
Navigate to SYSTEM > Certificates > Certificate authorities and search for "AddTrust_External_Root". As you can see in the snapshot, the CA is no longer valid and must be removed from the Certificate authorities list.
A certificate signed by this expired external CA and used for SSL VPN must be replaced with another certificate; you may choose to use 'Appliance Certificate' as a workaround.
To change the certificate, please navigate to Configure > VPN > Show VPN settings > SSL server certificate and change that to ApplianceCertificate. Click on Apply and then Close VPN settings.
After this change, the users would need to re-import the configuration. Kindly refer to this article to re-import the configuration: Sophos XG Firewall: How to configure SSL VPN remote access
Note: If you are experiencing an issue other than the one described above, please raise a support case.
This article will be updated when any new information becomes available.