This is a security and maintenance update for Sophos Connect for Windows that addresses issues seen by some users after the 2.3 GA release.

IMPORTANT
  • This is a compatibility release that disables the requirement for a stricter certificate signing algorithm on the firewall. This change will be reverted in an update within the coming year. Please re-generate firewall CA certificates to use a stronger signing algorithm as soon as possible.
  • Sophos UTM customers should be running 9.719 or later to support this client version.

Issues Resolved

  • NCL-1852 Resolved an issue where the client fails to connect to firewalls using weak signature algorithms
  • NCL-1847 Resolved an issue where installation fails on computers with an older VC runtime installed
  • NCL-1842 Client unable to connect to UTM9 systems due to mismatching cipher support - This issue is resolved in UTM9 v9.719

Download Links

  • Public download site - may take time after this article publishes to be available
  • Or from your firewall WebAdmin UI under Remote Access > Download Client

Related Links

  • Essentially: 
    Sophos Connect in 2.3 GA has a restriction to only support secure ciphers. Customers still use insecure ciphers. Sophos (based on the feedback) reverted this setting - for now. But it will come back eventually. 

    Sophos Connect 2.3 MR1 is just a bug fix for customers with problems like "can't use Connect anymore after update". The majority could use the tool without a problem and do not need to update to MR1. You can see all bug fixes above (3 in total) and all of those are, generally speaking, installation and connectivity issues.

    If there is 2.3 MR2 or 2.4, you can jump to this release directly and do not need to install 2.3 MR1 in between. 

    Connect your Sophos Connect (in 2.3 MR1 or GA or older) and check the "Security Tab".

    It will show you the essential parts of SSLVPN encryption. As Sophos Connect supports UTM and SFOS, you need to take care of that end.

    The next step is to consider the certificate of the appliance:

    "Insecure" means in general SHA1 used for the certificate or for the encryption method. This change was made by openvpn: https://patchwork.openvpn.net/project/openvpn2/patch/20211029112407.2004234-1-arne@rfc2549.org/ 

    Those changes will require a new OpenVPN config, which means this is nothing Sophos can demand of users.

  • A classic Sophos article that generates more questions than it helps. Really guys, please attend a training session on how to inform customers of changes and all the necessary steps ...

    I have the same questions as JasP.

    And additional:

    Please re-generate firewall CA certificates to use a stronger signing algorithm as soon as possible. 

    • How can we check if we already have a "stronger" algorithm?
    • What does "stronger" mean in your definition? 
    • If we have a stronger certificate, are there any steps necessary?
    • Is updating to v2.3 MR1 mandatory?
    • If we stay with the current v2.3 version, are our users at risk? (Because updating all users is a pain in the neck as there is no automatic update functionality - no one knows why -> feature request).

    Please provide us with all the information we need to verify what you think is "stronger", steps to re-create the certificate, information on what impact this has on our users, and so on!

    Thank you very much!

  • Is my understanding correct, that if we have no problems with the original v2.3, then we are already using a CA certificate with strong signing and we don't need to regenerate our CA certificate for future compatibility?

    Also, if we have no issues with the original v2.3 then there is no need to update to MR1?
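The thread above asks how to check whether a firewall CA certificate already uses a "stronger" signing algorithm than the SHA-1 the first comment calls insecure. The following is an added example, not Sophos code and not part of this article: it uses only the Python standard library to read the signatureAlgorithm OID from a certificate (DER bytes, PEM text, or the `<ca>` block of an exported Sophos Connect / OpenVPN .ovpn profile) and flags SHA-1 and MD5 signatures as weak. It assumes the CA certificate has been exported from the firewall or is embedded in the client profile; the fixtures it builds for testing are constructed, certificate-shaped DER, not real certificates.

```python
import base64
import re
import sys

# AlgorithmIdentifier OIDs for common signature algorithms (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
# "Insecure" in the thread means SHA-1; MD5 is older and weaker still.
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def signature_algorithm(der):
    """Return the name of the certificate's outer signatureAlgorithm (raw OID if unknown)."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is this a certificate?)")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate wholesale
    _, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = _decode_oid(oid)
    return SIG_ALG_NAMES.get(dotted, dotted)


def pem_to_der(text):
    """Extract the first certificate; prefer the <ca> block of an .ovpn profile if present."""
    ca = re.search(r"<ca>(.*?)</ca>", text, re.S)
    scope = ca.group(1) if ca else text
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", scope, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def check_certificate(data):
    """Accept DER bytes, PEM text, or a whole .ovpn profile; return the verdict."""
    if isinstance(data, bytes) and data[:1] == b"\x30":
        der = data
    else:
        der = pem_to_der(data.decode() if isinstance(data, bytes) else data)
    name = signature_algorithm(der)
    return {"algorithm": name, "weak": name in WEAK_SIG_ALGS}


# --- constructed fixtures for testing; no real CA certificate is embedded here ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_fixture(sig_oid, pem=False):
    """Certificate-shaped DER with a placeholder tbsCertificate (constructed, not a real cert)."""
    tbs = _tlv(0x30, _tlv(0x04, b"\x00" * 200))  # padding forces a long-form length
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 16)
    der = _tlv(0x30, tbs + alg + sig)
    if not pem:
        return der
    body = base64.b64encode(der).decode()
    return f"<ca>\n-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n</ca>\n"


if __name__ == "__main__":
    # usage: python check_ca_sig.py <ca.crt | ca.der | profile.ovpn>
    with open(sys.argv[1], "rb") as f:
        verdict = check_certificate(f.read())
    print(f"signature algorithm: {verdict['algorithm']}  weak: {verdict['weak']}")
```

Where OpenSSL is available, `openssl x509 -in ca.crt -noout -text | grep "Signature Algorithm"` gives the same answer. Either check covers only the certificate signature; the cipher negotiated for the VPN data channel is a separate setting, which is what the client's Security tab mentioned in the first comment shows.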