I have been using Sophos EAS on premise for a few years now to allow employees to use Sophos Secure Mail. The last few years I have not encountered any problems when renewing my certificate in the EAS proxy as well as on Exchange. Since the last renewal I now unfortunately get the following error:
2023-02-02 16:02:47.157 [nioEventLoopGroup-3-4] ERROR InboundHandler_neueralsneu - Exception on channel -356888948 remoteAddr: null localAddr: 0.0.0.0/0.0.0.0:443: javax.net.ssl.SSLHandshakeException: no cipher suites in common
With Keytools I have looked at the corresponding certificate stores of the Java instance of the EAS Proxy and I can say that my root CA is included. In addition I can see that my used encryption method is included in the config: ECDHE-RSA-AES128-GCM-SHA256 - This is also a common method.
What I can't tell exactly is if the error message refers to the connection between client and EAS or to the connection between EAS and Exchange.
Maybe someone here has an approach that helps me.
Thanks in advance
Stephan
Thank you for reaching the community forum. May we know which email client you're currently using for this? Have you tried adding the self-signed server certificate as a Root CA to a policy and distributing it as part of the policy?
We only use the Sophos app together with Sophos Mobile Control and secure workspace. However, we only use the approach that devices are used in "private" mode and not as a company device. I have never distributed a certificate via the policy.
Do I understand correctly that you mean the following point: Sophos Central --> Mobile --> Policies --> Android --> add configuration --> certificates ?
Thanks for the quick feedback!
Edit: I have included the easproxy_cert.crt at the point mentioned and rolled it out to my device. To be on the safe side I have also added the following certificates (matching our included certificate in eas proxy):
C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
Unfortunately I still get the same error message!
I have now solved the problem for me by putting a WAF in front of the EAS proxy that presents my wildcard certificate.
It is not directly a solution to the problem but does not make the construct worse!
Thanks for the approach, it gave me the idea.
I'm glad to hear that you can solve your existing issues. I will mark your response as a suggested answer for other customers to reference what you've done if they ever encounter the same.