DPI / TLS Scanning exception issue with d1. d2 d3.sophosupd.com when installing Intercept-X for Mac

Hi,

today we're facing something new: issues when rolling out the Sophos Endpoint to Mac Books. Windows Endpoints: no problem.

They fail to install. Workarounds like https://support.sophos.com/support/s/article/KB-000044045?language=en_US were unsuccessful.

When we put them into Guest WiFi with no XG TLS Decryption, they succeed to install immediately.

We could not find anything helpful in the install logs - there is nothing logged by the Mac installer in /var/log/install.log or /var/log/system.log.

When working in Guest WiFi,

we can see in the Firewall log, they are downloading a bunch of stuff, all over unencrypted http connections:

184.30.25.172,Software Updates,d3.sophosupd.com/.../sdds.ixdata.xml

184.30.25.172,Software Updates,d2.sophosupd.com/.../e7ab79122d4ed04125ffa2d788fad371x000.xml

184.30.25.172,Software Updates,d1.sophosupd.com/.../9e6f799da98647181e68ffd70c4c50e9x000.xml

184.30.25.172,Software Updates,dci.sophosupd.com/.../c593902213ad9c5e6c22aa72ae213505.dat

All from the same IP, with different SNI.

When they fail to install when they're in the corporate LAN, I can see no blocked firewall packets but in TLS I see errors due to

"Server did not respond to client hello"

I can simulate this. I can browse to those websites and get the Akamai Website content without error but in the XG TLS logs, it shows the same TLS error.

Manual test opening in browser:

Of course those websites are all excluded from TLS / DPI scanning - with the default rule and also the matching firewall rule has no https decryption enabled.


Exception group:

TLS exception:



Edited TAGs
[edited by: emmosophos at 5:48 PM (GMT -7) on 4 Aug 2022]
  • Hello ,

    Maybe the following KBAs would help, if you add the certain domains and ports into the exception of the FW rather than scanning them!

    Domains and ports to allow: https://docs.sophos.com/central/Customer/help/en-us/PeopleAndDevices/ProtectDevices/DomainsPorts/index.html
    Exceptions: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Web/Exceptions/index.html

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Thank you Vivek. I expect our exception lists are well filled. And we can see the firewall traffic of that client only hit the desired firewall rule that contains all the central domain exceptions.

  • Can you share the output of the following:
    console> show advanced-firewall
    ============================
    Try toggling the following:
    >  TCP Seq Checking
    >  TCP Selective Acknowledgements
    >  Midstream Connection Pickup
    See if that makes any difference upon toggling these options on/off!

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved



  • Thank you, I will test changing those options after hours.

            Strict Policy                           : on
            FtpBounce Prevention                    : control
            Tcp Conn. Establishment Idle Timeout    : 10800
            UDP Timeout                             : 30
            UDP Timeout Stream                      : 60
            Fragmented Traffic Policy               : allow
            Midstream Connection Pickup             : off
            TCP Seq Checking                        : on
            TCP Window Scaling                      : on
            TCP Appropriate Byte Count              : off
            TCP Selective Acknowledgements          : on
            TCP Forward RTO-Recovery[F-RTO]         : off
            TCP TIMESTAMPS                          : off
            Strict ICMP Tracking                    : off
            ICMP Error Message                      : allow
            Caching for route lookups               : on
            IPv6 Unknown Extension Header           : deny
    

  • I changed those adv. FW options.

    Toggled them all, toggled a single of them...

    but unfortunately this did not change the behaviour. If accessed, those 4 test FQDNs still generate the error in the TLS log.

    I believe this is an Intercept-X endpoint https decrypt issue. Will test some more at later time.

  • Just a quick info:

    What is common with all failed requests is the cipher suite and that it uses TLS1.3

    There are also successful requests to those Sophos servers, but they are all TLS1.2 and have another cipher suite:

    That one is always failing, no single success in our logs:

    2022-08-04 19:25:36 SSL/TLS inspection messageid="19017" log_type="SSL" log_component="SSL" log_subtype="Error" severity="Information" user="xxx" src_ip="172.16.xxxxxxx" dst_ip="184.30.25.172" user_group="xxxxx" src_country="R1" dst_country="DEU" src_port="58841" dst_port="443" app_name="" category="Software Updates" con_id="3403381952" rule_id="0" profile_id="1" rule_name="System exclusions" profile_name="Maximum compatibility" bitmask="" key_type="KEY_TYPE__UNKNOWN" key_param="Unknown" fingerprint="" resumed="0" cert_chain_served="TRUE" cipher_suite="TLS_AES_256_GCM_SHA384" sni="cloud-assets.sophos.com" tls_version="TLS1.3" reason="Server did not respond to client hello" exception="" message=""
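
The correlation reported in the post above (every failed handshake is TLS1.3 with one cipher suite, every success is TLS1.2) can be checked over an exported SSL/TLS inspection log instead of by eye. This is an added example, not part of the original thread: the sample lines are constructed on the model of the quoted entry with fields trimmed, and the `log_subtype="Allowed"` value and the TLS1.2 cipher suite name in the successful entries are assumptions.

```python
import re
from collections import Counter, defaultdict

# key="value" pairs, the layout of the SSL/TLS inspection entry quoted in the thread.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines (not real log data). Field names follow the quoted
# entry; log_subtype="Allowed" and the TLS1.2 suite name are assumed values.
SAMPLE_LOG = """\
2022-08-04 19:25:36 SSL/TLS inspection log_type="SSL" log_subtype="Error" rule_name="System exclusions" cipher_suite="TLS_AES_256_GCM_SHA384" sni="cloud-assets.sophos.com" tls_version="TLS1.3" reason="Server did not respond to client hello"
2022-08-04 19:25:41 SSL/TLS inspection log_type="SSL" log_subtype="Error" rule_name="System exclusions" cipher_suite="TLS_AES_256_GCM_SHA384" sni="d2.sophosupd.com" tls_version="TLS1.3" reason="Server did not respond to client hello"
2022-08-04 19:26:02 SSL/TLS inspection log_type="SSL" log_subtype="Allowed" rule_name="System exclusions" cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" sni="d2.sophosupd.com" tls_version="TLS1.2" reason=""
2022-08-04 19:26:05 SSL/TLS inspection log_type="SSL" log_subtype="Allowed" rule_name="System exclusions" cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" sni="d1.sophosupd.com" tls_version="TLS1.2" reason=""
this line carries no fields and must be skipped
"""


def parse_line(line):
    """Return the key="value" pairs of one log line as a dict ({} if none)."""
    return dict(FIELD_RE.findall(line))


def summarize(lines):
    """Count ok/error outcomes per (tls_version, cipher_suite) combination."""
    summary = defaultdict(Counter)
    for line in lines:
        fields = parse_line(line)
        if fields.get("log_type") != "SSL":
            continue  # not an SSL/TLS inspection entry, or unparsable
        combo = (fields.get("tls_version", "?"), fields.get("cipher_suite", "?"))
        outcome = "error" if fields.get("log_subtype") == "Error" else "ok"
        summary[combo][outcome] += 1
    return summary


def always_failing(summary):
    """Combinations that have errors and not a single successful handshake."""
    return sorted(c for c, n in summary.items() if n["error"] and not n["ok"])


def failing_snis(lines, combo):
    """SNI values seen in error entries for one (tls_version, cipher_suite)."""
    snis = set()
    for line in lines:
        f = parse_line(line)
        if (f.get("log_subtype") == "Error"
                and (f.get("tls_version"), f.get("cipher_suite")) == combo):
            snis.add(f.get("sni", ""))
    return sorted(snis)


def report(lines):
    """Build a short text report of outcomes per protocol/cipher combination."""
    summary = summarize(lines)
    out = []
    for combo in sorted(summary):
        counts = summary[combo]
        out.append(f"{combo[0]:7} {combo[1]:40} ok={counts['ok']} error={counts['error']}")
    for combo in always_failing(summary):
        out.append(f"never succeeds: {combo[0]} / {combo[1]} -> {', '.join(failing_snis(lines, combo))}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

A combination listed as "never succeeds" while its entries carry an exclusion rule name points at the handshake path itself rather than at a missing exception.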

  • Hey ,

    Can you execute the following commands from the advanced shell of the SFOS and from the Windows client machine in PowerShell and check the results:

    #openssl s_client -connect d2.sophosupd.com:443 -tls1
    #openssl s_client -connect d2.sophosupd.com:443  -tls1_1
    #openssl s_client -connect d2.sophosupd.com:443 -tls1_2
    #openssl s_client -connect d2.sophosupd.com:443  -tls1_3

    Based on the reporting you shared, there are chances that you may not see a negotiation established on TLS 1.3

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved



  • Hi Vivek,

    thanks for your debug steps.

    So our XG has an openssl version that cannot speak 1.3. And so was my client - had to update my local openssl version to 1.1.1 first.

    from XG with SFOS 18.5.4:

    XG430_WP02_SFOS 18.5.4 MR-4-Build418# openssl version
    OpenSSL 1.0.2u-fips  20 Dec 2019
    
    XG430_WP02_SFOS 18.5.4 MR-4-Build418# openssl s_client -connect d2.sophosupd.com:443 -tls1
    CONNECTED(00000003)
    depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    verify return:1
    depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    verify return:1
    depth=0 C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=GB/ST=Oxfordshire/L=Abingdon/O=SOPHOS LIMITED/CN=*.sophosupd.com
       i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
     1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
       i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
     2 s:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
       i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    ---
    Server certificate
    subject=/C=GB/ST=Oxfordshire/L=Abingdon/O=SOPHOS LIMITED/CN=*.sophosupd.com
    issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4779 bytes and written 316 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : ECDHE-RSA-AES256-SHA
        Session-ID: F55F0B43856776C0FF276E91711BBFF8ACEA8D6D149C1E7416F10294EF32D181
        Session-ID-ctx:
        Master-Key: 7C810E0CFDD0883E42DA72120265C35F5F5C7502BE1670657F3A259D96F03A4BAB6A88046EFC4CDD456FC0A9F2810162
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 83100 (seconds)
        TLS session ticket:
    
        Start Time: 1659694499
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
    closed
    XG430_WP02_SFOS 18.5.4 MR-4-Build418# openssl s_client -connect d2.sophosupd.com:443 -tls1_1
    CONNECTED(00000003)
    depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    verify return:1
    depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    verify return:1
    depth=0 C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=GB/ST=Oxfordshire/L=Abingdon/O=SOPHOS LIMITED/CN=*.sophosupd.com
       i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
     1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
       i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
     2 s:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
       i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    ---
    Server certificate
    subject=/C=GB/ST=Oxfordshire/L=Abingdon/O=SOPHOS LIMITED/CN=*.sophosupd.com
    issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4795 bytes and written 332 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.1
        Cipher    : ECDHE-RSA-AES256-SHA
        Session-ID: 900D5DF2FA8A353EB31E252D14FC2D2D872763AE107CE7F2C783ECA32B6F977F
        Session-ID-ctx:
        Master-Key: B6920CD598394C7472169105403A621487F4F247297B0E7855B0F61EF1DE38733C271AF8A69AEACC4D56709F015A9B26
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 83100 (seconds)
        TLS session ticket:
    
        Start Time: 1659694524
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
    closed
    XG430_WP02_SFOS 18.5.4 MR-4-Build418# openssl s_client -connect d2.sophosupd.com:443 -tls1_2
    CONNECTED(00000003)
    depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    verify return:1
    depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    verify return:1
    depth=0 C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=GB/ST=Oxfordshire/L=Abingdon/O=SOPHOS LIMITED/CN=*.sophosupd.com
       i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
     1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
       i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
     2 s:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
       i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    ---
    Server certificate
    subject=/C=GB/ST=Oxfordshire/L=Abingdon/O=SOPHOS LIMITED/CN=*.sophosupd.com
    issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign RSA OV SSL CA 2018
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4773 bytes and written 416 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 66293EBDB21603F9710017D9C668ADF8C6A33DAB2BC80D92B104E8CB948877E6
        Session-ID-ctx:
        Master-Key: 607DAA10D02F8F921C2F3C599C118D82E7907072F1F68A755A82EC62C3728C11B9DBA62CEC307B1E79BEEC9433697FF3
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 83100 (seconds)
        TLS session ticket:
    
        Start Time: 1659694548
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---
    closed
    XG430_WP02_SFOS 18.5.4 MR-4-Build418# openssl s_client -connect d2.sophosupd.com:443 -tls1_3
    unknown option -tls1_3
    usage: s_client args
    
     -host host     - use -connect instead
     -port port     - use -connect instead
     -connect host:port - who to connect to (default is localhost:4433)
     -verify_hostname host - check peer certificate matches "host"
     -verify_email email - check peer certificate matches "email"
     -verify_ip ipaddr - check peer certificate matches "ipaddr"
     -verify arg   - turn on peer certificate verification
     -verify_return_error - return verification errors
     -cert arg     - certificate file to use, PEM format assumed
     -certform arg - certificate format (PEM or DER) PEM default
     -key arg      - Private key file to use, in cert file if
                     not specified but cert file is.
     -keyform arg  - key format (PEM or DER) PEM default
     -pass arg     - private key file pass phrase source
     -CApath arg   - PEM format directory of CA's
     -CAfile arg   - PEM format file of CA's
     -no_alt_chains - only ever use the first certificate chain found
     -reconnect    - Drop and re-make the connection with the same Session-ID
     -pause        - sleep(1) after each read(2) and write(2) system call
     -prexit       - print session information even on connection failure
     -showcerts    - Show all certificates sent by the server
     -debug        - extra output
     -msg          - Show protocol messages
     -nbio_test    - more ssl protocol testing
     -state        - print the 'ssl' states
     -nbio         - Run with non-blocking IO
     -crlf         - convert LF from terminal into CRLF
     -quiet        - no s_client output
     -ign_eof      - ignore input eof (default when -quiet)
     -no_ign_eof   - don't ignore input eof
     -psk_identity arg - PSK identity
     -psk arg      - PSK in hex (without 0x)
     -srpuser user     - SRP authentification for 'user'
     -srppass arg      - password for 'user'
     -srp_lateuser     - SRP username into second ClientHello message
     -srp_moregroups   - Tolerate other than the known g N values.
     -srp_strength int - minimal length in bits for N (default 1024).
     -ssl2         - just use SSLv2
     -ssl3         - just use SSLv3
     -tls1_2       - just use TLSv1.2
     -tls1_1       - just use TLSv1.1
     -tls1         - just use TLSv1
     -dtls1        - just use DTLSv1
     -fallback_scsv - send TLS_FALLBACK_SCSV
     -mtu          - set the link layer MTU
     -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
     -bugs         - Switch on all SSL implementation bug workarounds
     -cipher       - preferred cipher to use, use the 'openssl ciphers'
                     command to see what is available
     -starttls prot - use the STARTTLS command before starting TLS
                     for those protocols that support it, where
                     'prot' defines which one to assume.  Currently,
                     only "smtp", "pop3", "imap", "ftp" and "xmpp"
                     are supported.
     -engine id    - Initialise and use the specified engine
     -rand file:file:...
     -sess_out arg - file to write SSL session to
     -sess_in arg  - file to read SSL session from
     -servername host  - Set TLS extension servername in ClientHello
     -tlsextdebug      - hex dump of all TLS extensions received
     -status           - request certificate status from server
     -no_ticket        - disable use of RFC4507bis session tickets
     -serverinfo types - send empty ClientHello extensions (comma-separated numbers)
     -curves arg       - Elliptic curves to advertise (colon-separated list)
     -sigalgs arg      - Signature algorithms to support (colon-separated list)
     -client_sigalgs arg - Signature algorithms to support for client
                           certificate authentication (colon-separated list)
     -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)
     -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)
     -legacy_renegotiation - enable use of legacy renegotiation (dangerous)
     -use_srtp profiles - Offer SRTP key management with a colon-separated profile list
     -keymatexport label   - Export keying material using label
     -keymatexportlen len  - Export len bytes of keying material (default 20)
    XG430_WP02_SFOS 18.5.4 MR-4-Build418#

    From Client with openssl 1.1.1q:

    PS C:\OpenSSL-Win32\bin> .\openssl version
    OpenSSL 1.1.1q  5 Jul 2022
    
    PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect d2.sophosupd.com:443 -tls1 -CAfile C:\temp\GSRootR3.cer
    CONNECTED(000001EC)
    depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    verify return:1
    depth=0 C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
    verify return:1
    ---
    Certificate chain
     0 s:C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
       i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
     1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
       i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
     2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
       i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    ---
    Server certificate
    subject=C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
    
    issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    
    ---
    No client certificate CA names sent
    Peer signing digest: MD5-SHA1
    Peer signature type: RSA
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4815 bytes and written 263 bytes
    Verification: OK
    ---
    New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : ECDHE-RSA-AES256-SHA
        Session-ID: 7E8CB2BA938A446C1C203B545FD30A60B8A5A661438703435C30116BB6BB02C4
        Session-ID-ctx:
        Master-Key: 1B574C14091456DF9BA3707F06CBB0F88C69A24C5A3D57DDDA795B10C9292A15FD99B1AD66900AD4086760F8F72C70D9
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 83100 (seconds)
        TLS session ticket:
    
        Start Time: 1659696048
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
    closed
    PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect d2.sophosupd.com:443 -tls1_1 -CAfile C:\temp\GSRootR3.cer
    CONNECTED(000001F0)
    depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    verify return:1
    depth=0 C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
    verify return:1
    ---
    Certificate chain
     0 s:C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
       i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
     1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
       i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
     2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
       i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    ---
    Server certificate
    subject=C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
    
    issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    
    ---
    No client certificate CA names sent
    Peer signing digest: MD5-SHA1
    Peer signature type: RSA
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4831 bytes and written 279 bytes
    Verification: OK
    ---
    New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.1
        Cipher    : ECDHE-RSA-AES256-SHA
        Session-ID: AF22A74F81A0D45796CFFEE9102EB52E873E57D089433687031228E424AB2CCD
        Session-ID-ctx:
        Master-Key: EE6098397E1B05F92FF9F32E3C68FC4E8FF551C72BAF4A703A0EF8A9881D459607A77A215C945B258E11E7A25F365F61
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 83100 (seconds)
        TLS session ticket:
    
        Start Time: 1659696075
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
    closed
    PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect d2.sophosupd.com:443 -tls1_2 -CAfile C:\temp\GSRootR3.cer
    CONNECTED(000001EC)
    depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    verify return:1
    depth=0 C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
    verify return:1
    ---
    Certificate chain
     0 s:C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
       i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
     1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
       i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
     2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
       i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    ---
    Server certificate
    subject=C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
    
    issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4809 bytes and written 345 bytes
    Verification: OK
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 538440B83F9F4D57F39E95F6E82C88FA2D48DB8FBAC745B023E227D514382898
        Session-ID-ctx:
        Master-Key: FB3B9D26D12600BCB6F29B72ACC69A93EADB66917A02EAAD6AABB8E2DC7A5FD65543806784CFDD187216FC3987EE5539
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 83100 (seconds)
        TLS session ticket:
    
        Start Time: 1659696105
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
    closed
    PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect d2.sophosupd.com:443 -tls1_3 -CAfile C:\temp\GSRootR3.cer
    CONNECTED(000001EC)
    depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    verify return:1
    depth=0 C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
    verify return:1
    ---
    Certificate chain
     0 s:C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
       i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
     1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
       i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
     2 s:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
       i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    ---
    Server certificate
    subject=C = GB, ST = Oxfordshire, L = Abingdon, O = SOPHOS LIMITED, CN = *.sophosupd.com
    
    issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA OV SSL CA 2018
    
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 4693 bytes and written 320 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 8EBBE419B45A945A58E95C9875A00D58B0356517B99CE3B6607461278B8C4E86
        Session-ID-ctx:
        Resumption PSK: B08D1F520E0ACD4C25461835C54836D17E87739F3DDF1E1DC465B412C0DDBC9EE80DB0131526EA2B6CF03B643EC16C17
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 83100 (seconds)
        TLS session ticket:
    
        Start Time: 1659696152
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 2863DB84C4B64635CE69AD0C4041B62A7B151B0FEBD9C3BC5D43D3D74F3D4A46
        Session-ID-ctx:
        Resumption PSK: A67DFA811992087565BB419F32E51FE35E1F52E190CA3E357E1A9249C113E89BFAABB3B151C62E49861A9972BDC522F0
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 83100 (seconds)
        TLS session ticket:
    
        Start Time: 1659696152
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK
    closed

    So I found that the Sophos Endpoint does not scan the connection when running the openssl command, while it does when accessing the URL with a browser. And the XG produces the error in the TLS log when accessing with TLS 1.3.

  • Yup, as I suspected, when the communication via openssl is done from the XG, it fails:
    XG430_WP02_SFOS 18.5.4 MR-4-Build418# openssl s_client -connect d2.sophosupd.com:443 -tls1_3
    unknown option -tls1_3
    usage: s_client args
    But the same is a success from PowerShell!
    PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect d2.sophosupd.com:443 -tls1_3 -CAfile C:\temp\GSRootR3.cer
    CONNECTED(000001EC)

    Hence, because of this, it might generate an error when communication is established on TLS 1.3.

    I would suggest raising a service request with Sophos support and mentioning all this data analysis!
    If they manage to fix the connection without errors for TLS 1.3, then maybe this error in the GUI logs will be rectified too.

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.
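Added example, not part of the thread: a parser for `openssl s_client` transcripts of the kind posted above. For each requested protocol flag it tabulates what was negotiated, and it separates a run in which the local openssl build rejected the option from a run in which a handshake completed. The sample transcript is constructed and abbreviated from the output shown in the thread; the status labels are this example's own.

```python
import re

# Constructed sample, abbreviated from the shape of the transcripts in this thread
# (certificate bodies and session tickets left out).
SAMPLE = r"""
PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect d2.sophosupd.com:443 -tls1_1 -CAfile C:\temp\GSRootR3.cer
CONNECTED(000001F0)
Peer signing digest: MD5-SHA1
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
closed
PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect d2.sophosupd.com:443 -tls1_3 -CAfile C:\temp\GSRootR3.cer
CONNECTED(000001EC)
Peer signing digest: SHA256
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
closed
XG430_WP02_SFOS 18.5.4 MR-4-Build418# openssl s_client -connect d2.sophosupd.com:443 -tls1_3
unknown option -tls1_3
usage: s_client args
"""

CMD = re.compile(r"openssl s_client\b.*?-connect\s+(\S+)")
FLAG = re.compile(r"(?<!\S)-(tls1(?:_[123])?)(?!\S)")
FIELDS = {
    "protocol": re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M),
    "cipher": re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M),
    "digest": re.compile(r"^Peer signing digest:\s*(\S+)", re.M),
    "verify": re.compile(r"^\s*Verify return code:\s*(\d+)", re.M),
}
LEGACY = {"TLSv1", "TLSv1.1"}  # protocol strings as s_client prints them


def classify(row):
    """Status label for one run (labels are this example's own)."""
    if row["tool_rejected_flag"]:
        # The client binary never sent a ClientHello: no statement about the server.
        return "client-tool-lacks-option"
    if not row["connected"] or row["protocol"] is None:
        return "no-handshake"
    if row["verify"] != "0":
        return "verify-failed"
    if row["protocol"] in LEGACY:
        return "ok-legacy-protocol"
    return "ok"


def parse_runs(text):
    """Split a transcript at each s_client command line and summarise every run."""
    runs, current = [], None
    for line in text.splitlines():
        cmd = CMD.search(line)
        if cmd:
            flag = FLAG.search(line)
            current = {"target": cmd.group(1),
                       "flag": flag.group(1) if flag else None, "body": []}
            runs.append(current)
        elif current is not None:
            current["body"].append(line)
    rows = []
    for run in runs:
        body = "\n".join(run["body"])
        row = {"target": run["target"], "flag": run["flag"],
               "connected": "CONNECTED(" in body,
               "tool_rejected_flag": bool(re.search(r"^unknown option\b", body, re.M))}
        for name, rx in FIELDS.items():
            hit = rx.search(body)
            row[name] = hit.group(1) if hit else None
        row["status"] = classify(row)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in parse_runs(SAMPLE):
        print(f'{r["flag"] or "-":8} {r["protocol"] or "-":8} '
              f'{r["cipher"] or "-":28} {r["digest"] or "-":9} {r["status"]}')
```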

  • Thanks Vivek. Will file another case. Hope they collect what they need before my holidays.

    upd.: case 05579468

  • You're welcome  
    Yup fingers crossed

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


