V18.5.1 appears to have a bug in CA generation

Hi folks,

Recently my local CA expired and is now causing me grief on all my Apple devices using Mac Mail.

The errors vary from "not suitable for pinning" to "the site you are connecting to is unsafe or not recognised". The errors are affecting both SMTPS and IMAPS. For the moment, while I try to resolve the issue, I have disabled SMTPS scanning.

I have tried to generate a new CA on the XG with a 12-month life, similar to the one that expired, except the export process does not work and the exported .cer is not recognised. I have tried renaming the CER and modifying its settings, but the same error persists. Also, when exporting I see the encoded certificate displayed, which all seems wrong to me.

The export message is

The exported file 

The result is I cannot generate a local CA of any use.

Ian

  • Hey Ian, 

    Did you mean you're trying to re-generate any of the in-built CAs (Certificate Authorities), or did you create a self-signed certificate on the firewall and are trying to install it on the Mac systems along with the built-in CA?

    Usually, if you're trying to download the self-signed certificate, it will be in .cer format.

    Devesh Mishra
    Global Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, use the 'Verify Answer' link.
  • Hi,

    I am trying to download a self-signed CA and yes, it is normally a .cer, as in this case, but the format is wrong. When displayed in the XG it is correct, but the Apple devices reject the format as invalid, so that means the export process is broken.

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • There is something very wrong with the XG mail security. Various mail accounts cannot connect to the RSP mail server because the XG insists the password or user ID is wrong. When removed from the XG network, the same mail accounts work correctly.

    I will have to disable IMAPS scanning to overcome this issue, not that IMAPS scanning is of much use considering the amount of spam that gets through.

    Ian

     
  • Not sure if the import process of iOS changed in the last version (iOS 15), but as far as I know, a .cer should be perfectly fine to import into a device. So if you get the .cer, it should be fine from a firewall perspective.

    Keep in mind, literally no business customer uses IMAPS. This is likely only used by home users. Therefore there are not many business use cases and not many customers use this feature. So you do not have much spotlight from the business folks on this feature.

    But you export the CA for scanning in the same manner. And this should work in the same way and is the same certificate. And as far as I know, there seems to be no issue right now.


  • The issue being that the export file name is meaningless. I think you will find a number of small businesses use IMAP?

    The issue is not only IMAP; it also affects SMTPS scanning, which I have disabled while waiting for a fix for the CA name.

    This issue has only arisen since the CA expired.

    Ian

     
  • Actually no. Most small businesses migrated long ago to Office 365 and stopped using IMAP and that stuff. They migrated everything to the O365 cloud. Much easier to interact with and maintain compared to having a free email etc.

    About your issue: so your CA in the XG is/was expired? Because the scanning CA is still valid until 2036, as far as I can see. Which certificate do you use?


  • I was using one I created that met pinning requirements.

    I will have to move all to the XG CA, but in my experience with one of the RSP mail accounts the XG does not trust the SMTP servers, where I was able to get IMAP working.

    Ian

     
  • Actually this should not be the case. The firewall should offer a cert which meets the requirements of an Apple device.

    The trick is: 

    https://support.apple.com/en-us/HT210176

    Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

    The certificate of SFOS is issued on 01.08.2015, hence it is not required to have only a 3-year expiration.

    Try the Sophos SSL CA, which you find under CAs; import it and use the same for IMAP/SMTPS.

    The firewall itself will generate a certificate for each and every connection with this CA. This certificate is used for the connection and needs to meet the 3-year expiration standard, but we are doing this per connection as well; the CA does not require this.

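
The distinction drawn in the post above (the long-lived CA versus the per-connection leaf certificate that Apple actually evaluates) can be checked mechanically before importing a CA or while troubleshooting a rejected IMAPS/SMTPS connection. The following is an added example, not code from this thread or from Sophos: it pulls the relevant fields out of the text dump produced by `openssl x509 -text -noout` and reports which of the HT210176 rules a certificate breaks. The three certificate dumps, the names (`Example Local CA`, `imap.example.test`) and the dates are constructed for illustration. The limits are the ones Apple documents in HT210176: DNS names must be in the Subject Alternative Name, RSA keys at least 2048 bits, no SHA-1 signatures, and for certificates issued on or after July 1, 2019 a validity of at most 825 days plus an id-kp-serverAuth EKU.

```python
# Added example: triage a cert dump against Apple's HT210176 limits.
import re
from datetime import datetime, timezone

# Limits from https://support.apple.com/en-us/HT210176 (iOS 13+ / macOS 10.15+).
APPLE_CUTOFF = datetime(2019, 7, 1, tzinfo=timezone.utc)
APPLE_MAX_VALIDITY_DAYS = 825
MIN_RSA_BITS = 2048


def _parse_openssl_date(s):
    # openssl prints e.g. "Aug  1 00:00:00 2015 GMT" (note the double space).
    s = " ".join(s.split())
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_openssl_text(text):
    """Extract the HT210176-relevant fields from `openssl x509 -text -noout` output."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else None

    bits = grab(r"Public-Key: \((\d+) bit\)")
    san = grab(r"Subject Alternative Name:.*\n\s*(.+)") or ""
    return {
        "not_before": _parse_openssl_date(grab(r"Not Before\s*:\s*(.+)")),
        "not_after": _parse_openssl_date(grab(r"Not After\s*:\s*(.+)")),
        "sig_alg": grab(r"Signature Algorithm:\s*(\S+)") or "",
        "key_bits": int(bits) if bits else None,
        "dns_names": re.findall(r"DNS:([^,\s]+)", san),
        "eku": grab(r"Extended Key Usage:.*\n\s*(.+)") or "",
        "is_ca": "CA:TRUE" in (grab(r"Basic Constraints:.*\n\s*(.+)") or ""),
    }


def check_apple_requirements(cert):
    """Return the list of HT210176 violations for a parsed cert ([] means it passes)."""
    problems = []
    if "sha1" in cert["sig_alg"].lower():
        problems.append("signed with SHA-1")
    if cert["key_bits"] is not None and cert["key_bits"] < MIN_RSA_BITS:
        problems.append(f"RSA key is {cert['key_bits']} bits (< {MIN_RSA_BITS})")
    if cert["is_ca"]:
        # A CA is not itself a TLS server certificate: the name, EKU and lifetime
        # rules apply to the leaf certs minted per connection, not to the issuer.
        return problems
    if not cert["dns_names"]:
        problems.append("no DNS name in SubjectAltName (CommonName alone is not trusted)")
    if cert["not_before"] >= APPLE_CUTOFF:
        days = (cert["not_after"] - cert["not_before"]).days
        if days > APPLE_MAX_VALIDITY_DAYS:
            problems.append(f"validity {days} days exceeds {APPLE_MAX_VALIDITY_DAYS} (issued after 2019-07-01)")
        if "TLS Web Server Authentication" not in cert["eku"]:
            problems.append("missing id-kp-serverAuth EKU (required when issued after 2019-07-01)")
    return problems


# Constructed, abridged dumps: a long-lived local CA plus two leaf certs.
CA_TEXT = """\
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Local CA
        Validity
            Not Before: Aug  1 00:00:00 2015 GMT
            Not After : Aug  1 00:00:00 2036 GMT
        Subject: CN = Example Local CA
                Public-Key: (2048 bit)
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

LEAF_OK_TEXT = """\
        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Oct  1 00:00:00 2021 GMT
            Not After : Oct  1 00:00:00 2022 GMT
        Subject: CN = imap.example.test
                Public-Key: (2048 bit)
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:imap.example.test, DNS:smtp.example.test
"""

# Issued after the cutoff with a 3-year lifetime, no SAN and no EKU.
LEAF_BAD_TEXT = """\
        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Oct  1 00:00:00 2021 GMT
            Not After : Oct  1 00:00:00 2024 GMT
        Subject: CN = imap.example.test
                Public-Key: (2048 bit)
            X509v3 Basic Constraints:
                CA:FALSE
"""

if __name__ == "__main__":
    for name, text in [("CA", CA_TEXT), ("leaf-ok", LEAF_OK_TEXT), ("leaf-bad", LEAF_BAD_TEXT)]:
        print(name, check_apple_requirements(parse_openssl_text(text)) or "OK")
```

Run it against a real dump with `openssl x509 -in cert.cer -text -noout > dump.txt` and pass the file contents to `parse_openssl_text`. The 2015-issued CA passes because the lifetime rule is only applied to server (leaf) certificates; the leaf with a 3-year lifetime, no SAN and no EKU is reported on all three counts, which is the kind of certificate Apple Mail refuses.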

  • Thank you for the explanation. I have reinstalled the XG CA and at this stage all appears to be working correctly, which is completely different to the last time I tried using that CA.

    There is still a bug in the download process of the local generated CA if you review my original post in this thread.

    Ian

    Just to make life extra difficult, one RSP changed their mail server security settings.

     
  • One RSP does not work. Further investigation tomorrow. Something about the certificate expiring, but that certificate has been deleted.

    Ian

     
  • After a couple of very frustrating days trying to resolve this issue, I have found the error generated by the Apple devices is not correct.

    The error "mail account for XXXX does not have a password, please use settings to add a password" in reality means the password is wrong.

    Ian

     