How to setup a CA that supports latest Requirements for Apple iOS13 / macOSx Catalina

Dear all,

i'm really struggling with the latest update for iOS / macOS where Apple has changed the requirements for SSL-Certificates. Using HTTPS Decryption + Web Policies (e.g. Advertisment filtering) does not work anymore with the Sophos SSL CA Certificate.

 

I tried to setup a own CA but i'm not able to get this scenario up and running..

 

Does anybody have an information / how-to / guide what needs to be done i would really appreciate if you can share this to me. I'm using the XG as FW for home usage only..

 

Thanks!

Best Regards
Martin

  • Hi, 

    in theory tomorrow should see the release of mr-9 with the fix in it.

    ian

  • In reply to rfcat_vk:

    sounds good... does it work in v18eap?

  • In reply to Martin Bernsteiner:

    Wish I knew because I have 5 devices waiting on the fix. I hope it will be included in EAP2.

    ian

  • Why does your own CA not working? 

    Maybe we can find the solution there.

  • In reply to Martin Bernsteiner:

    Hi,

     

    no the Issue isn't fixed in v18eap.

    I've also tried to create a CA which meets the requirements for the SSL Decryption, but even if all requirements are met, the Apple devices are still showing the error Message, that the connection is insecure.

  • In reply to Dwayne Parker:

    That is odd, as far as i know, a own CA should work fine with the latest Apple releases. 

    Simply because the XG fix will do the same, meeting the requirements. 

    Could you please double check, if your own CA meets everything? 

  • In reply to LuCar Toni:

    I've the same issue - was looking forward to the specifications from apple (https://support.apple.com/en-us/HT210176):

    • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
      • openssl genrsa -des3 -out private/cakey.pem 2048
    • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
      • openssl.cnf: default_md= sha256
    • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
      • subjectAltName = @subject_alt_name
      • [ subject_alt_name ]
        DNS.1 = *.home.local
        DNS.2 = home.local
        DNS.3 = sophos.home.local
        DNS.4 = unifi.home.local
        DNS.5 = unifi
        DNS.6 = sophos
    • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
      • extendedKeyUsage        = 1.3.6.1.5.5.7.3.1  = Server Authentication
    • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
      • openssl ca -selfsign \
        -in root-ca.req.pem \
        -out root-ca.cert.pem \
        -extensions root-ca_ext \
        -startdate `date +%y%m%d000000Z -u -d -1day` \
        -enddate `date +%y%m%d000000Z -u -d +1years+1day`

     

    If i do so - still have the issue that HTTPS Decryption fails due to the fact that certificate is not valid...

     

    Best Regards
    Martin

  • In reply to Martin Bernsteiner:

    Hi, short update:

    I‘ve setup a PFSense Firewall which has same capabilities related to SSL Inspection. First of all a CA creation wizard helps setting up an CA that simple works!!

    So i exported the CA created a XG „readable“ PEM + password for the key and added a CA on XG...

    It simple does not work!!! CA was added - i setup a FW rule + inported the CA Root Certificate on an iOS 13.2 Device - on way!!

    That drives me Reallohn Crazy and  could lead into the question if the XG and Sophos is the FW i wanna go for..

    Be the way - still no MR9 available that fix that issue which is in real no issue and furthermore already known since JUNE 2019!!!

  • In reply to Martin Bernsteiner:

    Dear all,

     

    is there any progress on that issue or do someone have an idea how/when this issue can be fixed?

     

    Thanks!

     

    Best Regards
    Martin

  • In reply to Martin Bernsteiner:

    MR9 released.  As usual tons of bugs fixes.  Apple certificate including.

    Hope it works.

    https://community.sophos.com/products/xg-firewall/b/blog/posts/sfos-17-5-mr9-released

    Paul Jr