
SHA-2 certificate in SEC 5.5.0

Hi,
We have upgraded SEC from version 5.4.0 to 5.5.0 specifically to avail of the SHA-2 certificate used by the RMS components which was introduced in 5.4.1 as per KB article 125162.  However it looks like 5.5.0 is still using the old SHA-1 certificate. 

Does this mean we should have installed 5.4.1 first rather than going straight to 5.5.0?  Is there a way round this or do we need to uninstall 5.5.0 and install 5.4.1 (I really hope not!)  Or have I just missed something?

Thanks in advance,
Justin



  • Hello Justin,

    what does "it looks like" mean, and where is it using the old SHA-1 certificate?

    we should have installed 5.4.1 first
    No, usually there aren't any upgrade path requirements (AFAIK there was only one and you simply couldn't make a "large jump" when upgrading).

    Christian

  • Hello Christian,

    The certificate is called cac.pem and is located in C:\ProgramData\Sophos\AutoUpdate\Cache on the endpoints.  A vulnerability scan is flagging it up hence wanting to replace it with the SHA-2 certificate.
    The KB article 125162 mentions that SHA-2 signed certificates will be created by default in 5.4.1, but in 5.5.0 they don't appear to be, hence wondering if we needed 5.4.1.

    Thanks
    Justin

  • Hello Justin,

    kudos for your experimenting.

    Installing a fresh 5.5.0 installs an SHA1 certificate
    that's, err, interesting. That the certificate isn't upgraded is to some extent understandable. I'd have expected that all "fresh" installations of SEC 5.4.1.+ will use SHA2 when creating the certificate. Did you try to get some information or comment from Support? Dunno whom to contact in this Community - maybe could summon someone from the SEC team?

    fairly straightforward
    only if you can reprotect (or run a reinit script on) all your endpoints. It's a catch-22: endpoints will accept an updated certificate only from a trusted source, and to make your new SEC trusted you'd have to import the old certificate ...

    Christian 

  • I have the same problem.  I'm running SEC 5.5.0 but all of our clients are still getting the SHA1 certificate.  Did anyone find a solution other than installing 5.4.1, upgrading to 5.5.0 and then migrating the clients to the new server?  I'd like to just update the cert on the existing 5.5.0 server.

  • Hello B.Banner_Hulk,

    all of our clients are still getting the SHA1 certificate
    are you referring to the self-signed root certificate in cac.pem? As far as I can see the certificate in HKLM\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private\\pkc contains a 2048bit Public Key with a sha256RSA Signature. As mentioned above cac.pem isn't re-created or upgraded, you'd have to perform a clean (i.e. without exporting/importing the certificates) install and then reprotect or reinit the endpoints.
    Can't say though whether 5.5.0 still incorrectly creates a SHA1 (if I have seen correctly the sec_550_sfx.exe has been changed since its initial release but I can't say what has been changed). It's not mentioned on the Known issues list.

    Christian

  • Thanks.  Yes, I'm referring to the cac.pem file.  For now, we have configured the Windows Firewall on our endpoints to only accept connections on TCP 8192 and 8194 from the server IP.  This is enough for the scans to show clean.  It would be nice if there was a 5.5.1 patch to update cac.pem but it seems we'd have to migrate to a new server with a fresh 5.5.0 install?

  • Hello B.Banner_Hulk,

    only accept connections [...] from the server IP
    [:D]

    a 5.5.1 patch to update cac.pem
    it's not just updating it on the server, guess the endpoints would also have to "accept" this change. As it's issued with a 20 year validity it's apparently not supposed to change.

    Christian

  • Hi Justin,

    If you still need help regarding this issue -

    We have a way to upgrade the certificate to SHA-2 if the older version is 5.4.0 instead of going for a fresh install.

    As the steps are long, if you can open a service requested quoting this Thread we'll get you sorted.

    Thanks,

    Vikas

  • Hi Vikas!


    We are in the same shoes. Nessus scanner marks 8194/tcp ports as insecure due to weak signature algorithm and unknown CA.

    Cac.pem (EM2_CA) is using MD5 hash algorithm. 

    Do you have a solution to update it to an SHA2 cert and make it trusted by the endpoints (without reinstalling SEC)?

    We have SEC 5.5.0 installed.


    Thank you!

    Peter Dudas
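
A defender-side check for what Justin's scanner and Peter's Nessus run are reporting: read a PEM certificate such as cac.pem and report the signature algorithm it was issued with, flagging MD5 and SHA-1 based algorithms as weak. This is an added example, not code from the thread, from Sophos or from any scanner; it only assumes the cac.pem path quoted earlier in the thread, and the certificates it parses offline are constructed DER skeletons built in the block itself (only their signatureAlgorithm field is realistic), not real Sophos certificates.

```python
import base64
import re

# Signature-algorithm OIDs as they appear in an X.509 AlgorithmIdentifier.
# "weak" marks the MD5/SHA-1 based algorithms that vulnerability scanners flag.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "weak"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
}


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm.algorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }
    """
    tag, cert_body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert_body, 0)           # skip tbsCertificate
    _, alg_body, _ = read_tlv(cert_body, pos)    # signatureAlgorithm
    tag, oid_bytes, _ = read_tlv(alg_body, 0)    # algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid_bytes)


def assess_pem(pem_text):
    """Return (algorithm name, 'weak' | 'ok' | 'unknown') for a PEM certificate."""
    oid = signature_algorithm(pem_to_der(pem_text))
    return SIGNATURE_OIDS.get(oid, (oid, "unknown"))


def assess_file(path=r"C:\ProgramData\Sophos\AutoUpdate\Cache\cac.pem"):
    """Assess the on-disk certificate; the default path is the one quoted in the thread."""
    with open(path, "r", encoding="ascii") as fh:
        return assess_pem(fh.read())


# --- constructed sample certificates for offline use (not real Sophos certs) ---

def _der(tag, payload):
    """Encode one DER TLV, using long-form length where needed."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


MD5_RSA_OID = bytes.fromhex("06092a864886f70d010104")      # 1.2.840.113549.1.1.4
SHA1_RSA_OID = bytes.fromhex("06092a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")   # 1.2.840.113549.1.1.11


def build_sample_cert(sig_oid_der):
    """Build a minimal Certificate skeleton whose only realistic field is signatureAlgorithm."""
    tbs = _der(0x30, _der(0x02, b"\x01"))        # placeholder tbsCertificate
    alg = _der(0x30, sig_oid_der + b"\x05\x00")   # AlgorithmIdentifier with NULL params
    sig = _der(0x03, b"\x00" * 17)                # placeholder BIT STRING signature
    der = _der(0x30, tbs + alg + sig)
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in (MD5_RSA_OID, SHA1_RSA_OID, SHA256_RSA_OID):
        print(assess_pem(build_sample_cert(oid)))
```

Run `assess_file()` on an endpoint to see what the scanner sees; the parser only walks the outer Certificate structure, so it works on any real DER-encoded X.509 certificate regardless of the contents of tbsCertificate. Where openssl is available, `openssl x509 -in cac.pem -noout -text` shows the same Signature Algorithm line.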

  • Hi Peter,

    Please open a case with us as it would be advisable to be in touch with us should things go astray (no they won't, I'm just scaring ya)

    I've requested Gowtham to get in touch with you via DM so that we can get the Case ID.

    Thanks,

    Vikas

  • We have the same issue.


    Sophos Enterprise Console 5.5.0

    Still using SHA1 cert.


    Is there an easy way to re-issue SHA2 rather than a full reinstall?

  • Hello Gagan Singh,

    as previous responses suggest please contact Support. SEC is still 5.5.0, SEC versions are "stable", i.e. there are no in-version patches or changes.

    Christian
