
How to setup a CA that supports latest Requirements for Apple iOS13 / macOSx Catalina

Dear all,

I'm really struggling with the latest update for iOS / macOS where Apple has changed the requirements for SSL certificates. Using HTTPS Decryption + Web Policies (e.g. advertisement filtering) does not work anymore with the Sophos SSL CA Certificate.

I tried to set up my own CA but I'm not able to get this scenario up and running.

Does anybody have any information / how-to / guide on what needs to be done? I would really appreciate it if you could share it with me. I'm using the XG as FW for home usage only.

Thanks!

Best Regards
Martin



  • Hi, 

    In theory tomorrow should see the release of MR-9 with the fix in it.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.

  • Sounds good... does it work in v18eap?

  • Wish I knew because I have 5 devices waiting on the fix. I hope it will be included in EAP2.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    No, the issue isn't fixed in v18eap.

    I've also tried to create a CA which meets the requirements for the SSL Decryption, but even if all requirements are met, the Apple devices are still showing the error message that the connection is insecure.

    _______________________________________________

    Sophos XG User

  • That is odd, as far as I know, your own CA should work fine with the latest Apple releases.

    Simply because the XG fix will do the same, meeting the requirements. 

    Could you please double check, if your own CA meets everything? 


  • I have the same issue - was looking at the specifications from Apple (https://support.apple.com/en-us/HT210176):

    • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
      • openssl genrsa -des3 -out private/cakey.pem 2048
    • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
      • openssl.cnf: default_md= sha256
    • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
      • subjectAltName = @subject_alt_name
      • [ subject_alt_name ]
        DNS.1 = *.home.local
        DNS.2 = home.local
        DNS.3 = sophos.home.local
        DNS.4 = unifi.home.local
        DNS.5 = unifi
        DNS.6 = sophos
    • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
      • extendedKeyUsage        = 1.3.6.1.5.5.7.3.1  = Server Authentication
    • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).
      • openssl ca -selfsign \
        -in root-ca.req.pem \
        -out root-ca.cert.pem \
        -extensions root-ca_ext \
        -startdate `date +%y%m%d000000Z -u -d -1day` \
        -enddate `date +%y%m%d000000Z -u -d +1years+1day`

    If I do so, I still have the issue that HTTPS Decryption fails because the certificate is not valid...

    Best Regards
    Martin

  • Hi, short update:

    I've set up a pfSense firewall which has the same capabilities related to SSL inspection. First of all, a CA creation wizard helps setting up a CA that simply works!!

    So I exported the CA, created an XG "readable" PEM + password for the key and added a CA on XG...

    It simply does not work!!! CA was added - I set up a FW rule + imported the CA root certificate on an iOS 13.2 device - no way!!

    That drives me really crazy and could lead to the question whether the XG and Sophos is the FW I wanna go for..

    By the way - still no MR9 available that fixes that issue, which in reality is no issue and furthermore already known since JUNE 2019!!!

  • Dear all,

    Is there any progress on that issue, or does someone have an idea how/when this issue can be fixed?

    Thanks!

    Best Regards
    Martin

  • MR9 released. As usual, tons of bug fixes. Apple certificate included.

    Hope it works.

    https://community.sophos.com/products/xg-firewall/b/blog/posts/sfos-17-5-mr9-released

    Paul Jr

  • With 9.700-5 it doesn't work - at least not for me

    FormerMember