
"Failed to get free credentials" when getting credentials with self-signed certificate

I am trying to install Sophos AV for Linux on my machine from behind a proxy. The proxy performs a man-in-the-middle attack on the connection in order to filter it. I have installed the self-signed CA certificate in my local certificate store so that the system knows to trust it. However, it does not seem that Sophos knows to use the system certificate store, and instead keeps saying "Failed to get free credentials". When I try downloading behind a proxy that doesn't do the man-in-the-middle attack, the installation succeeds.

How do I configure Sophos to use the system certificate store during installation?



  • Hello Wheeler Law,

    are you sure it fails because it doesn't trust the connection and that it's not the proxy interfering?
    Please see the Where to get username and password ... and try to obtain a set of credentials by some means - given the contents of the file it might as well be the proxy.

    Christian 

  • I'm nearly certain it's a certificate issue, specifically the Sophos installer not being able to validate the signature of the cert from the TLS handshake with the system certificates.

    I ran the installation through "strace" and I was able to pinpoint exactly where it fails (pastebin).

    It appears that the installer is using the CA certificate located in /tmp/sophos_distribution_QxxkZ7Y/sophos-av/sav-linux/common/engine/mcs_rootca.crt to verify the signature sent from amicreds.sophosupd.com. In this case, this fails because I am trying to run the installation from behind a proxy server that does SSL interception (I have added the CA cert of the proxy server to my system CA certificate store so that my system trusts it).

    If I curl the credentials from https://amicreds.sophosupd.com/freelinux/creds.dat using the intercepting proxy, it works fine (since curl is using the system certificates):

    # curl amicreds.sophosupd.com/.../creds.dat
    username=XXXXXXXXXX
    password=xxxxxxxx
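
The situation described in the reply above can be reproduced offline with the `openssl` CLI. This is an added example, not part of the original thread and not Sophos code: a leaf certificate re-signed by an intercepting proxy's CA is checked once against a single pinned CA file and once against a bundle standing in for a system store that includes the proxy CA. All CA names, keys and file names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: every CA, key and certificate here is generated locally.
# "pinned-root" stands in for the CA file an installer ships; "proxy-ca" stands
# in for the intercepting proxy's CA. Neither is a real Sophos or proxy artifact.

build_demo_pki() {  # $1 = empty working directory
  (
    cd "$1" || exit 1
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for ca in pinned-root proxy-ca; do
      openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo $ca" -keyout "$ca.key" -out "$ca.crt" || exit 1
    done
    # Leaf as the client sees it behind the proxy: re-signed by the proxy CA.
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=amicreds.sophosupd.com" -keyout leaf.key -out leaf.csr || exit 1
    openssl x509 -req -in leaf.csr -CA proxy-ca.crt -CAkey proxy-ca.key \
      -set_serial 1 -days 1 -out leaf.crt || exit 1
    # Model of a system store to which the admin added the proxy CA.
    cat pinned-root.crt proxy-ca.crt > system-bundle.crt
  ) >/dev/null 2>&1
}

trust_result() {  # $1 = CA bundle, $2 = certificate; prints trusted/untrusted
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

issuer_of() { openssl x509 -in "$1" -noout -issuer; }

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
build_demo_pki "$DEMO_DIR"
echo "leaf $(issuer_of "$DEMO_DIR/leaf.crt")"
echo "pinned CA only       : $(trust_result "$DEMO_DIR/pinned-root.crt" "$DEMO_DIR/leaf.crt")"
echo "system store + proxy : $(trust_result "$DEMO_DIR/system-bundle.crt" "$DEMO_DIR/leaf.crt")"
```

The same two `openssl verify -CAfile` checks can be pointed at a certificate saved from a live connection to tell a trust-store mismatch apart from other proxy interference.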

  • Hello Wheeler Law,

    maybe can tell how it's supposed to work and whether an SSL intercepting proxy is expected to break this.

    Christian
