
[Sophos Notification] Advisory: Sophos UTM: Certificate validation failed for sites signed by Sectigo root CA

Overview

Websites signed by the Sectigo root CA may fail to connect with a "certificate validation failed" error because the AddTrust External CA Root certificate expired on May 30th 2020.

The issue occurs because OpenSSL follows the certificate chain path that leads to the expired 'AddTrust External CA Root'. Hence sites signed by the Sectigo root CA may fail to connect, and a "certificate validation failed" message is displayed to the end user.

If a site presents an expired certificate and the connection is processed by the Sophos UTM web proxy, the proxy blocks the website by default.

Here is a sample packet capture in which the remote server presents the CA certificate that has expired.

When the expired certificate is presented to the Sophos UTM web proxy, the proxy validates the certificate chain and determines whether it is valid or not. In this case the site is blocked by default.

You may also observe the following indication in HTTP.log: "url="https://example.com/" referer="" error="Failed to verify server certificate""
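The Go program below is an added illustration, not part of this advisory and not Sophos or Sectigo code: it builds a constructed chain with the shape the advisory describes (a leaf whose issuing CA is cross-signed by a legacy root that expired on 2020-05-30) and validates it against two trust stores, so an administrator can see why the same site passes or fails depending on which root is trusted. All CA names, keys and validity dates are constructed; only the expiry date comes from the advisory, and Go's verifier stands in for the proxy-side check, with the legacy-root-only case corresponding to the OpenSSL path the advisory describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue builds a certificate for key, signed by parent with signer (self-signed when parent is nil).
func issue(name string, dns []string, key, signer *ecdsa.PrivateKey, parent *x509.Certificate, ca bool, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: dns,
		NotBefore: time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter,
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent, signer = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// Chain mirrors the advisory with constructed names: the issuing CA exists as a self-signed
// modern root and as a cross-certificate signed by a legacy root; both expire on 2020-05-30.
type Chain struct{ Leaf, Cross, ModernRoot, LegacyRoot *x509.Certificate }
func BuildAdvisoryChain() Chain {
	expiry, far := time.Date(2020, 5, 30, 0, 0, 0, 0, time.UTC), time.Date(2038, 1, 1, 0, 0, 0, 0, time.UTC)
	legacyKey, caKey := newKey(), newKey()
	legacy := issue("Legacy Root (constructed)", nil, legacyKey, nil, nil, true, expiry)
	modern := issue("Issuing CA (constructed)", nil, caKey, nil, nil, true, far)
	cross := issue("Issuing CA (constructed)", nil, caKey, legacyKey, legacy, true, expiry) // same key as modern
	return Chain{issue("example.com", []string{"example.com"}, newKey(), caKey, modern, false, far), cross, modern, legacy}
}

// Verify validates the leaf at 'now' with the presented cross-certificate as the only intermediate
// and a trust store holding only 'root'; nil means the site would pass the proxy-side check.
func Verify(c Chain, root *x509.Certificate, now time.Time) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(c.Cross)
	_, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: "example.com", CurrentTime: now})
	return err
}
```

With only the legacy root trusted, validation succeeds before 2020-05-30 and fails afterwards even though the leaf itself is still valid; with the modern self-signed root trusted, the same presented chain validates because a path that avoids the expired certificates exists.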


More info available here: https://community.sophos.com/kb/en-us/135542
