Hi everyone!
We are using a Sophos XGS2300 (SFOS 19.0.1 MR-1).
We uploaded a pfx-certificate to the WAF which specifically included only the webserver certificate itself and its intermediate certificate.
But, when we check the site with a tool like https://www.ssllabs.com/ssltest/ we see that the server (e.g. the Sophos Firewall) also sends the root certificate. Which is not what we want and which we don't see when we check sites like microsoft.com.
Are we correct to assume that this is done by the XGS? Is that intentional? Is there a way to circumvent this?
Thanks!
Best regards,
Markus
Hi Markus Quirmbach
You may refer to the below KBA:
https://support.sophos.com/support/s/article/KB-000036242?language=en_US
Thanks and Regards
"Sophos Partner: Infrassist Technologies Pvt Ltd".
If a post solves your question please use the 'Verify Answer' button.
@ Bharat: That KBA does not help him answering his question
Mit freundlichem Gruß, best regards from Germany,
Philipp Rusch
New Vision GmbH, GermanySophos Silver-Partner
Markus Quirmbach What is the reason you don't like the root cert to be sent?
Is the CA from the certifcate path availabe on your FW?
I, f.i. had to upload the CA of my Let's Encrypt certificates.
Hi, thanks for your answer!Unfortunately, the KBA does not include my problem. But thanks anyway, it might be a good guide for future issues!
And SSL Labs shows ISRG Root X1 as the CA, not my Sohos FW.
Hi Philipp!Thanks for the answer.Well, if I read this: https://success.qualys.com/discussions/s/question/0D52L00004TntxaSAB/chain-issue-contains-anchor("Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain" [...] "that the extra certificate (which serves no purpose) is increasing the handshake latency")andhttps://whatsmychaincert.com/("You do not need to include the root certificate in the certificate chain that you serve, since clients already have the root certificate in their trust stores. Including the root is inefficient since it increases the size of the SSL handshake.") it is best practice to not sent the root certificate, as far as I understand it. The root cert should always already be known by the client.And, as I wrote, other professional sites do not sent the root cert, like Microsoft or Google. That's a further sign that it should not be sent by the Sophos Firewall.
Hi, thanks for the input.Yes, the CA is already available in the FW. The certificate in question is a "normal", bought certificate from a certificate retailer. The CA is a globally known root CA. It's not a Let's Encrypt certificate.
Hello,
any news/suggestions on this?
Can someone at least clarify if this is an intentional behavior by Sophos Firewall?
Hi Markus Quirmbach My belief is that it is expected as sometimes not sending a complete chain for CA, may failing some of the PCI scans results but let us take additional input from AttilaKovacs & bobbylamon the same if they have any additional comments on it.
Regards,Vishal RanpariyaTechnical Account Manager | Sophos Technical SupportSophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts | If a post solves your question use the 'This helped me' link.