This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SHA-2 certificate in SEC 5.5.0

Hi,
We have upgraded SEC from version 5.4.0 to 5.5.0 specifically to avail of the SHA-2 certificate used by the RMS components which was introduced in 5.4.1 as per KB article 125162. However it looks like 5.5.0 is still using the old SHA-1 certificate.

Does this mean we should have installed 5.4.1 first rather than going straight to 5.5.0? Is there a way round this or do we need to uninstall 5.5.0 and install 5.4.1 (I really hope not!) Or have I just missed something?

Thanks in advance,
Justin

This thread was automatically locked due to age.

Parents

0 QC over 7 years ago

Hello Justin,

what means it looks like and where is it using the old SHA-1 certificate?

we should have installed 5.4.1 first
No, usually there aren't any upgrade path requirements (AFAIK there was only one and you simply couldn't make a "large jump" when upgrading).

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 JustinTL over 7 years ago in reply to QC

Hello Christian,

The certificate is called cac.pem and is located in C:\ProgramData\Sophos\AutoUpdate\Cache on the endpoints. A vulnerability scan is flagging it up hence wanting to replace it with the SHA-2 certificate.
The KB article 125162 mentions SHA-2 signed certificates will be created by default in 5.4.1 but in 5.5.0 but they don't appear to be hence wondering if we needed 5.4.1.

Thanks
Justin
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 7 years ago in reply to JustinTL

Hello Justin,

ah, I see. Indeed mine is signed with MD5. The Sophos Enterprise Console 5.4.1 article does not mention cac.pem.
cac.pem (in conjunction with mrinit.conf) is used only when RMS is installed. Subsequently RMS will refuse to apply changes to the configuration if the certificates don't match. This might be the reason that cac.pem isn't "upgraded" with a new hash on SEC upgrades. Anyway cac.pem isn't used for communication. Unfortunately I don't have a spare machine right now to test whether a fresh install (without migration the certificates) of SEC would create a SHA-2 cert.

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 JustinTL over 7 years ago in reply to QC

Right, have been experimenting with various versions of SEC and come up with the following:

Installing a fresh 5.4.0 and upgrading to 5.4.1 doesn't update the certificates to SHA2

Installing a fresh 5.4.1 installs the SHA2 cetificates then upgrading this to 5.5.0 keeps those certificates

Installing a fresh 5.5.0 installs an SHA1 certificate

So to get an SHA2 certificate on the clients, it looks like we need a fresh 5.4.1 install then upgrade that to 5.5.0. Have already done this on another machine and used this to push out the client to a couple of test machines that had the old MD5 cert, these were subsequently updated with the SHA2 certificate. A bit of a faff but doable. Hope this all makes sense!

Will experiment a bit more then maybe migrate our clients to the SEC install with the SHA2 certificate, looks fairly straightforward, especially as we're using an MSSQL DB but we'll see.

Thanks
Justin
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 7 years ago in reply to JustinTL

Hello Justin,

kudos for your experimenting.

Installing a fresh 5.5.0 installs an SHA1 certificate
that's, err, interesting. That the certificate isn't upgraded is to some extent understandable. I'd have expected that all "fresh" installations of SEC 5.4.1.+ will use SHA2 when creating the certificate. Did you try to get some information or comment from Support? Dunno whom to contact in this Community - maybe Bianson could summon someone from the SEC team?

fairly straightforward
only if you can reprotect (or run a reinit script on) all your endpoints. It's a catch22 - endpoints will accept an updated certificate only from a trusted source, to make your new SEC trusted you'd have to import the old certificate ...

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 B.Banner_Hulk over 6 years ago in reply to JustinTL

I have the same problem. I'm running SEC 5.5.0 but all of our clients are still getting the SHA1 certificate. Did anyone find a solution other than installing 5.4.1 and upgrading to 5.5.0 and then migrate the clients to the new server? I'd like to just update the cert on the existing 5.5.0 server.
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 6 years ago in reply to B.Banner_Hulk

Hello B.Banner_Hulk,

all of our clients are still getting the SHA1 certificate
are you referring to the self-signed root certificate in cac.pem? As far as I can see the certificate in HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private\\pkc contains a 2048bit Public Key with a sha256RSA Signature. As mentioned above cac.pem isn't re-created or upgraded, you'd have to perform a clean (i.e. without exporting/importing the certificates) install and then reprotect or reinit the endpoints.
Can't say though whether 5.5.0 still incorrectly creates a SHA1 (if I have seen correctly the sec_550_sfx.exe has been changed since its initial release but I can't say what has been changed). It's not mentioned on the Known issues list.

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 B.Banner_Hulk over 6 years ago in reply to QC

Thanks. Yes, I'm referring to the cac.pem file. For now, we have configured the Windows Firewall on our endpoints to only accept connections on TCP 8192 and 8194 from the server IP. This is enough for the scans to show clean. It would be nice if there was a 5.5.1 patch to update cac.pem but it seems we'd have to migrate to a new server with a fresh 5.5.0 install?
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 6 years ago in reply to B.Banner_Hulk

Hello B.Banner_Hulk,

only accept connections [...] from the server IP
[:D]

a 5.5.1 patch to update cac.pem
it's not just updating it on the server, guess the endpoints would also have to "accept" this change. As it's issued with a 20 year validity it's apparently not supposed to change.

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 Vikas over 6 years ago in reply to QC

Hi Justin,

If you still need help regarding this issue -

We have a way to upgrade the certificate to SHA-2 if the older version is 5.4.0 instead of going for a fresh install.

As the steps are long, if you can open a service requested quoting this Thread we'll get you sorted.

Thanks,

Vikas
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Vikas over 6 years ago in reply to QC

Hi Justin,

If you still need help regarding this issue -

We have a way to upgrade the certificate to SHA-2 if the older version is 5.4.0 instead of going for a fresh install.

As the steps are long, if you can open a service requested quoting this Thread we'll get you sorted.

Thanks,

Vikas
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Peter Dudas over 6 years ago in reply to Vikas

Hi Vikas!

We are in the same shoes. Nessus scanner marks 8194/tcp ports as insecure due to weak signature algorithm and unknown CA.

Cac.pem (EM2_CA) is using MD5 hash algorithm.

Do you have a solution to update it to an SHA2 cert and make it trusted by the endpoints (without reinstalling SEC)?

We have SEC 5.5.0 installed.

Thank you!

Peter Dudas
Cancel
Vote Up 0 Vote Down

Cancel
0 Vikas over 6 years ago in reply to Peter Dudas

Hi Peter,

Please open a case with us as it would be advisable to be in touch with us should things go astray(no they won't, I'm just scaring ya)

I've requested Gowtham to get in touch with you via DM so that we can get the Case ID.

Thanks,

Vikas
Cancel
Vote Up 0 Vote Down

Cancel
0 Gagan Singh over 6 years ago in reply to Vikas

We have the same issue.

Sophos Enterprise Console 5.5.0

Still using SHA1 cert.

Is there an easy way to re-issue SAH2 rather than a full reinstall?
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 6 years ago in reply to Gagan Singh

Hello Gagan Singh,

as prvious responses suggest please contact Support. SEC is still 5.5.0, SEC versions are "stable", i.e. there are no in-version patches or changes.

Christian
Cancel
Vote Up 0 Vote Down

Cancel