Compatibility CAA - Mac Catalina - bug

After installing the Sophos Client Authentication Agent on Mac Catalina, the client is not usable, as the "server is not trustworthy".

I am not able to add the certificate .der file to the Shared folder.

CAA version is 2.0.0, downloaded from the XG v18 Client Authentication menu.


Regards

  • I think this is a change in behaviour in Catalina, not the CAA.

    Apple have decided to enforce some additional certificate standards, including:

    • Limiting the lifetime of certs to ~2 yrs
    • Requiring hostname in the SubjectAlternativeName extension
    • Requiring an additional flag to be set indicating the purpose of the certificate


    Full details here: https://support.apple.com/en-ca/HT210176

     What's the latest?

  • In reply to Stuart Hatto:

    Hi,

    This is going to cause a lot of grief for home users and small businesses. Please generate a KBA explaining how to change the XG CA to comply.

    Thank you

    Ian

  • In reply to rfcat_vk:

    Yes, we are on it.

  • You said you couldn't copy the file over to Shared. Is there an error popping up? Have you tried copying it via Finder instead?

  • In reply to Sivu:


    Yes, I tried manually. Same behaviour!

    The same behaviour on 17.5 MR8

    Regards

  • In reply to lferrara:

    Looks like a regression from Apple, just like with iOS 13. Will take a look at it ASAP.

  • In reply to Sivu:

    As Stuart mentioned, this is likely caused by changes Apple have made to the required certificate criteria when they authenticate certificates.

    We are planning to update the generation of the default Appliance Certificate to meet these new criteria but were unable to get this done in time for this EAP release, unfortunately. We also expect to make this change in an upcoming MR for version 17.5.

    In the meantime, to support users running Catalina or iOS 13, you should look at using a certificate that is signed on a different system, which meets the criteria set out in the Apple article. You can create a CSR and the accompanying private key on the XG firewall, but the signing process, which will set the expiry date and the 'Purpose' fields, will need to be carried out on a system where you can ensure the right values are set. We'll investigate further and try to come up with some more specific instructions soon.
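    The three criteria Stuart lists (lifetime, hostname in the SubjectAlternativeName, a purpose flag) and the approach described just above (CSR and key from the appliance, signing done elsewhere) fit in one OpenSSL script. This is an added example, not from the thread and not Sophos code: the private CA, the hostname `xg.example.internal`, the file names and the working directory are assumptions made here. The `check_cert` function tests a certificate for the three properties and shows a 10-year, SAN-less certificate failing the same check.

```shell
#!/bin/sh
# Added example (not from the thread, not Sophos code): sign an XG-style CSR so
# the certificate meets the Apple criteria quoted in this thread, then check it.
# Hostname, file names and the working directory are assumptions for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-xg.example.internal}"   # constructed hostname, not from the thread
MAX_DAYS=825                          # Apple's cap for TLS server certificates

# Private CA on the "different system" where the signing will happen.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Private CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Stands in for the CSR and private key created on the XG firewall.
make_csr() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$HOST" \
        > "$WORK/server.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Extensions Catalina / iOS 13 expect on a server certificate; the CSR itself
# carries none of them, the signer has to add them.
write_server_ext() {
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
}

# Sign the CSR. Lifetime and extensions are decided here, by the signer.
# Usage: sign_csr OUTFILE DAYS [EXTFILE]
sign_csr() {
    out="$1"; days="$2"; ext="${3:-}"
    set -- -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days "$days" -out "$out"
    [ -n "$ext" ] && set -- "$@" -extfile "$ext"
    openssl x509 "$@" 2>/dev/null
}

# Returns 0 when CERT meets the three criteria, 1 otherwise (reason on stdout).
check_cert() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text)
    # The cert was issued moments ago, so "expires within MAX_DAYS+1 days"
    # is equivalent to "validity period is at most MAX_DAYS days".
    if openssl x509 -in "$cert" -noout -checkend $(( (MAX_DAYS + 1) * 86400 )) >/dev/null; then
        printf 'FAIL %s: validity longer than %s days\n' "$cert" "$MAX_DAYS"; return 1
    fi
    printf '%s\n' "$text" | grep -q "DNS:$HOST" \
        || { printf 'FAIL %s: hostname missing from subjectAltName\n' "$cert"; return 1; }
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { printf 'FAIL %s: extendedKeyUsage serverAuth missing\n' "$cert"; return 1; }
    printf 'OK   %s\n' "$cert"
}

make_ca
make_csr
write_server_ext
sign_csr "$WORK/server.crt" "$MAX_DAYS" "$WORK/server.ext"   # compliant
sign_csr "$WORK/legacy.crt" 3650                              # old style: 10 years, no SAN/EKU
check_cert "$WORK/server.crt"
check_cert "$WORK/legacy.crt" || true
```

    `ca.crt` is what the Mac needs to trust, and `server.crt` with `server.key` is the appliance-side pair; `openssl verify -CAfile ca.crt server.crt` confirms the chain before anything is uploaded.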

  • In reply to Sivu:

    As expected, there are some changes in the latest macOS that target folders and permissions. Indeed, the CAA installer can't be used anymore to copy the CA inside the /Users/Shared folder.

    As a workaround, after mounting the downloaded .dmg file, use two Finder windows to drag and drop the certificate from the CAA image to /Users/Shared. You may be asked for the user password before the operation can be executed. In any case, it will work.

    Now you can authenticate the user, no popup should be seen (assuming the right XG is still the default gateway). The Trust API still works for CAA, no extra steps needed.

  • In reply to Sivu:


    Your workaround does not work. I already tried your method (certificate copied on the 10th of October), but same issue.

    XG is the DG.

  • In reply to lferrara:

    I see. Let's take it privately and work together on it, if possible. We can't reproduce this here yet.

  • In reply to Sivu:

    Hey guys,


    what is the status of this issue?

    Since I upgraded to Catalina, I'm facing this issue too.

  • In reply to 4ng3er:

    Hoping refresh 1 has the fix.

    I suspect the way to overcome the issue is to generate a CA with a 2-year life to comply with Apple's new requirements.

    Ian

  • In reply to rfcat_vk:

    I had a remote session with a dev, and they need to fix it, as something is wrong. I am not sure that it will be fixed in a short time. Hope to get it in GA.

  • In reply to rfcat_vk:

    Short update: the issue is not related to Catalina or certificate requirements, it is purely a (server) XG-side problem. No need to do anything about it on the Apple side.

    Still investigating it, in any case this should be fixed by GA.

  • In reply to Sivu:

    The issue still exists in v17.5.9 for mail. HTTPS scanning works fine.

    Ian