Issue with iOS 13 & macOS 10.15 SSL Certificate Requirements for Transparent Proxy

Hi All,

Apple have changed the validity requirements of certificates as detailed here:

https://support.apple.com/en-gb/HT210176

This has caused the transparent proxy on the UTM 9 to error on devices updated to iOS 13. Is there a way to configure or modify the man-in-the-middle certificate/template that is used by the UTM for automatically generated certificates to bring it into line with this new requirement?

From the quick checks I have done, it looks as though the issues are due to UTM issuing man-in-the-middle certs that are valid for 3 years, have a 1024-bit public key size and do not have the ExtendedKeyUsage extension set to TLS Web Server Authentication.

Excerpt from the above article:

All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

  • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
  • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

If anyone could point me to the location of the certificate template or mechanism of MIM certificate generation I would greatly appreciate it.

Edit: I have found a similar issue described in the XG forum. https://community.sophos.com/products/xg-firewall/f/intrusion-prevention/115171/ssl_scanning_certificate-not-accepted-under-ios-13

Many thanks,

Rax

  • Hi  

    This issue has already been identified by our team and they're working on a fix for it in UTM 9. I will update here as soon as more information is available.

  • In reply to Jaydeep:

    Hi Jaydeep,

    Thanks for the response and confirmation that this will also be addressed for UTM 9.

    Many thanks,

    Rax

  • In reply to Rax Ramjam:

    Hi  

    This has been taken care of in the latest release of UTM 9, version 9.700. Please read the release notes here https://community.sophos.com/products/unified-threat-management/b/blog/posts/utm-up2date-9-700-released and check for NUTM-11202.

  • In reply to Jaydeep:

    I just updated to 9.700-5 and regenerated my HTTP signing CA and am still having an issue. The regenerated signing CA is producing a 1024-bit key, and macOS 10.15 and iOS 13 both require at least 2048. Is there a way to regenerate my HTTP CA to produce a 2048-bit key, which I believe would solve the issue?

    The error I am getting from the web page is "NET::ERR_CERT_WEAK_KEY"

    Thanks

  • In reply to Duane Clouse:

    I was able to resolve this myself by creating a CA using the macOS 10.15 Keychain Access/Certificate Assistant app and created a 2048-bit CA. I then uploaded the .P12 into the UTM (Web Protection/Filtering Options/HTTP CA tab) and then downloaded the cert to my iOS 13 device, and all tested out correctly. It also works with my Mac on 10.15; just make sure you trust the cert on both 10.15 and iOS 13.

  • In reply to Duane Clouse:

    I am also running into this issue with iOS 13 devices not accepting the 1024-bit signing CA generated by the UTM. I have now updated to 9.7-5 and regenerated the signing CA, but note that the generated cert is still 1024 bits, which does not conform to Apple's requirements. I have not yet been successful with the workaround suggested by Duane.

    --Larry

  • In reply to Fahnoe:

    Larry, I ran the CA signing cert process from my Mac on Catalina and it defaulted to creating a 2048-bit key. Just do a search on "how to generate a 2048 signing cert" for your specific OS and then import it into the UTM under "Web Protection/Filtering Options/HTTPS CAs/Signing CA". Don't hit "Regenerate" under "Signing CA", as it will default to a 1024-bit key. Make sure to upload the new one you just created.
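The first post lists how the UTM's automatically generated certificates fall short of HT210176 (1024-bit key, 3-year validity, no serverAuth EKU), and Duane's workaround is to build a 2048-bit signing CA outside the UTM and upload it under Web Protection/Filtering Options/HTTPS CAs/Signing CA. The script below is an added example, not code from this thread or from Sophos: it does the same with openssl instead of Keychain Access, issues one leaf certificate shaped like the ones the first post describes and one that meets Apple's rules, and checks both against the HT210176 requirements quoted above. The subject names, file names and .p12 password are made up for the example; it assumes OpenSSL 1.1.1 or later (for -addext) and GNU date, with a BSD/macOS date fallback.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sophos UTM. It uses openssl
# (1.1.1 or later, for -addext) in place of the Keychain Access route above:
#  1. build a 2048-bit RSA signing CA and export it as the PKCS#12 the UTM
#     "Web Protection/Filtering Options/HTTPS CAs/Signing CA" upload takes;
#  2. issue two leaf certificates from it: one shaped like the UTM-generated
#     certs described in the first post (1024-bit key, 3-year validity, no SAN,
#     no EKU) and one meeting Apple's rules;
#  3. check each against the HT210176 rules quoted in the thread.
# Subject names, file names and the .p12 password are constructed for the example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Signing CA: 2048-bit RSA, SHA-256 signature, CA:TRUE, certificate-signing key usage.
make_signing_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example UTM HTTPS Signing CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
  # Key and certificate in one bundle, as the UTM upload expects.
  openssl pkcs12 -export -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
    -out "$WORK/ca.p12" -passout pass:example-p12-password
}

# issue_leaf <name> <rsa bits> <validity days> <1 = add SAN and serverAuth EKU, 0 = no extensions>
issue_leaf() {
  name=$1; bits=$2; days=$3; full=$4
  openssl req -new -newkey "rsa:$bits" -sha256 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/CN=www.example.com" 2>/dev/null
  if [ "$full" = 1 ]; then
    printf 'subjectAltName=DNS:www.example.com\nextendedKeyUsage=serverAuth\n' > "$WORK/$name.ext"
    set -- -extfile "$WORK/$name.ext"
  else
    set --   # no extensions at all, like the MITM certs described in the thread
  fi
  openssl x509 -req -sha256 -days "$days" -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    "$@" -out "$WORK/$name.crt" 2>/dev/null
}

# openssl date string ("Sep 10 12:00:00 2019 GMT") -> epoch seconds; GNU date, then BSD date.
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null || date -u -j -f '%b %e %T %Y %Z' "$1" +%s
}

# check_apple_tls <cert.pem>: one PASS/FAIL line per HT210176 rule; exit 0 only if all pass.
check_apple_tls() {
  text=$(openssl x509 -in "$1" -noout -text)
  rc=0
  # Works across the "RSA Public Key", "RSA Public-Key" and "Public-Key" spellings of openssl versions.
  bits=$(printf '%s\n' "$text" | grep -oE 'Public[- ]Key: \([0-9]+ bit\)' | grep -oE '[0-9]+' | head -n1)
  if [ "${bits:-0}" -ge 2048 ]; then echo "PASS RSA key ${bits} bits"
  else echo "FAIL RSA key ${bits:-unknown} bits (Apple requires >= 2048)"; rc=1; fi
  if printf '%s\n' "$text" | grep -qE 'Signature Algorithm: sha(224|256|384|512)'; then echo "PASS SHA-2 signature"
  else echo "FAIL signature algorithm is not SHA-2"; rc=1; fi
  if printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:'; then echo "PASS DNS name in SAN"
  else echo "FAIL no DNS name in Subject Alternative Name"; rc=1; fi
  nb=$(to_epoch "$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)")
  na=$(to_epoch "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)")
  if [ "$nb" -ge 1561939200 ]; then   # notBefore on/after 2019-07-01T00:00:00Z: EKU and 825-day rules apply
    days=$(( (na - nb) / 86400 ))
    if [ "$days" -le 825 ]; then echo "PASS validity $days days"
    else echo "FAIL validity $days days (Apple allows <= 825)"; rc=1; fi
    if printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'; then echo "PASS EKU contains id-kp-serverAuth"
    else echo "FAIL EKU missing id-kp-serverAuth"; rc=1; fi
  fi
  return $rc
}

make_signing_ca
echo "Signing CA bundle for the UTM upload: $WORK/ca.p12"
issue_leaf utm-like 1024 1095 0   # what the first post describes the UTM issuing
issue_leaf fixed    2048 825  1   # what HT210176 asks for
for c in utm-like fixed; do
  echo "--- $c.crt"
  if check_apple_tls "$WORK/$c.crt"; then echo "=> meets the HT210176 rules checked here"
  else echo "=> fails the HT210176 rules checked here"; fi
done
```

`check_apple_tls` can be pointed at any PEM, for instance a certificate exported from Safari while the UTM is intercepting. The SAN and EKU rules apply to server certificates, so running it against the signing CA itself will report those two as FAIL by design; for the CA only the key-size and SHA-2 lines matter. One caveat for the upload step: OpenSSL 3 changed the PKCS#12 defaults to AES-256 and PBKDF2 with SHA-256, and importers built on older OpenSSL may reject such a file; re-exporting with `openssl pkcs12 -export -legacy` (which needs the legacy provider) produces the older RC2/3DES encoding.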

  • In reply to Duane Clouse:

    Hi Duane and welcome to the UTM Community!

    First participation is providing a solution - cool!

    Cheers - Bob

  • In reply to BAlfson:

    When will this be fixed on the UTM? I'm not eager to hack this together myself. Is there a patch coming that will result in the Regenerate button doing what it should - generating an appropriate 2048-bit key? The hack is not a fix.

  • In reply to Jerry Butler:

    Hi,

    I agree: creating an external CA certificate is not the solution, since it has to work out of the box! We recently upgraded our firewall (exactly for that reason: iOS devices can't access the internet) and have the same issue with hundreds of devices.

    Our goal was to solve this problem, not to manually create another certificate.

  • In reply to Christoph Pelzer:

    Guys, please get cases open with Sophos Support. This is supposed to work in 9.7.

    Cheers - Bob

  • In reply to BAlfson:

    Hi,

    Is there any news here? Is it something to do with the settings in the UTM, or a bug?

    Cheers

  • In reply to thunderace:

    It looks like a bug.

    I updated to 9.7 and regenerated the certificate and have the same issue.

    I have logged a ticket with Sophos and am awaiting a response.

  • In reply to MichaelBeattie:

    Did you check whether the certificate actually meets all Apple requirements?

    Download the PEM and open it to verify that everything is in place.

    https://support.apple.com/en-gb/HT210176

  • In reply to LuCar Toni:

    Yes, I checked. It doesn't meet the requirements. The key size is 1024 when I click Regenerate in the UTM console. This is the issue.

    I followed the suggestion above and manually generated a certificate to resolve the issue. This is a pain, though. It would be nice to be able to click the button in the UTM and for it to work.