I'm really struggling with the latest update for iOS / macOS where Apple has changed the requirements for SSL certificates. Using HTTPS Decryption + Web Policies (e.g. advertisement filtering) does not work anymore with the Sophos SSL CA Certificate.
I tried to set up my own CA, but I'm not able to get this scenario up and running.
Does anybody have information / a how-to / a guide on what needs to be done? I would really appreciate it if you could share it with me. I'm using the XG as FW for home usage only.
In theory, tomorrow should see the release of MR-9 with the fix in it.
In reply to rfcat_vk:
Sounds good... does it work in v18eap?
In reply to Martin Bernsteiner:
Wish I knew because I have 5 devices waiting on the fix. I hope it will be included in EAP2.
Why is your own CA not working?
Maybe we can find the solution there.
No, the issue isn't fixed in v18eap.
I've also tried to create a CA which meets the requirements for the SSL Decryption, but even if all requirements are met, the Apple devices are still showing the error message that the connection is insecure.
In reply to Dwayne Parker:
That is odd; as far as I know, an own CA should work fine with the latest Apple releases.
Simply because the XG fix will do the same, meeting the requirements.
Could you please double-check whether your own CA meets everything?
In reply to LuCar Toni:
I've the same issue - was looking forward to the specifications from Apple (https://support.apple.com/en-us/HT210176):
If I do so - I still have the issue that HTTPS Decryption fails due to the fact that the certificate is not valid...
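A check of a certificate dump against the Apple requirements linked above (HT210176: RSA keys of at least 2048 bits, SHA-2 signatures, a DNS name in subjectAltName, and for certificates issued after July 1, 2019 a serverAuth EKU and at most 825 days of validity). This is an added example, not part of any post in this thread and not Sophos code; the function name and the sample dump are constructed, and it assumes the text format printed by `openssl x509 -noout -text`.

```python
import re
from datetime import datetime

# Constructed sample shaped like `openssl x509 -noout -text` output (not from the thread).
SAMPLE = """\
        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Nov  1 00:00:00 2019 GMT
            Not After : Oct 29 00:00:00 2029 GMT
        Subject: CN = www.example.com
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: ({bits} bit)
            X509v3 Subject Alternative Name:
                DNS:www.example.com
"""

def _date(text, label):
    # openssl prints e.g. "Not After : Oct 29 00:00:00 2029 GMT"
    raw = re.search(label + r"\s*:\s*(.+?) GMT", text).group(1)
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y")

def apple_tls_findings(text, is_ca=False):
    """Return the HT210176 requirements that a certificate text dump fails."""
    findings = []
    # The key-size line reads "RSA Public-Key" or, in newer OpenSSL releases, "Public-Key".
    bits = re.search(r"rsaEncryption\s+(?:RSA )?Public-Key: \((\d+) bit\)", text)
    if bits and int(bits.group(1)) < 2048:
        findings.append("RSA key below 2048 bits")
    # Common algorithm names only; RSASSA-PSS dumps print the hash on a separate line.
    sig = re.search(r"Signature Algorithm: (\S+)", text).group(1).lower()
    if not re.search(r"sha(224|256|384|512)", sig):
        findings.append("signature hash is not SHA-2")
    if is_ca:
        return findings  # the remaining rules apply to TLS server certificates
    if not re.search(r"Subject Alternative Name:[^\n]*\n[^\n]*DNS:", text):
        findings.append("no DNS name in subjectAltName")
    not_before, not_after = _date(text, "Not Before"), _date(text, "Not After")
    if not_before >= datetime(2019, 7, 1):  # rules for certificates issued after July 1, 2019
        if "TLS Web Server Authentication" not in text:
            findings.append("EKU lacks id-kp-serverAuth")
        if (not_after - not_before).days > 825:
            findings.append("validity longer than 825 days")
    return findings

if __name__ == "__main__":
    for finding in apple_tls_findings(SAMPLE.format(bits=1024)):
        print("FAIL:", finding)
```

With HTTPS decryption, run it twice: once with `is_ca=True` on the dump of the signing CA installed on the device, and once on a dump of a certificate the firewall generated for a decrypted site.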
Hi, short update:
I've set up a pfSense firewall which has the same capabilities related to SSL inspection. First of all, a CA creation wizard helps setting up a CA that simply works!!
So I exported the CA, created an XG "readable" PEM + password for the key and added a CA on XG...
It simply does not work!!! CA was added - I set up a FW rule + imported the CA root certificate on an iOS 13.2 device - no way!!
That drives me really crazy and could lead to the question of whether the XG and Sophos is the FW I wanna go for..
By the way - still no MR9 available that fixes that issue, which in reality is no issue and furthermore has already been known since JUNE 2019!!!
Is there any progress on that issue, or does someone have an idea how/when this issue can be fixed?
MR9 released. As usual, tons of bug fixes. Apple certificate included.
Hope it works.
In reply to Big_Buck:
With 9.700-5 it doesn't work - at least not for me
In reply to *Ludo*:
That is a UTM version, not an XG version.
The firmware version you provided is for Sophos UTM and this thread is for Sophos XG firewall.
The issue has been reported as a bug with ID NUTM-11345 (Regenerated Signing CA using 1024bit key, causing iOS 13 trust issues).
The fix is going to be released in the firmware version 9.7 MR1 (9.701).
There is a possible workaround to this issue; please check the answer posted by me on this post: https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/117486/sophos-utm-web-protection-https-ca/424699#424699
In reply to H_Patel:
When will that fix be applied to XG?
Sorry that I was in the wrong thread :-(
Then I have to wait for 9.7 MR1 (9.701), right?
Or apply the workaround....