Root Certificate automatically included by WAF of Sophos Firewall?

Hi Markus Quirmbach

You may refer to the below KBA: 

https://support.sophos.com/support/s/article/KB-000036242?language=en_US

Thanks and Regards

@ Bharat: That KBA does not help him answering his question

Markus Quirmbach What is the reason you don't like the root cert to be sent?

Is the CA from the certifcate path availabe on your FW?

I, f.i. had to upload the CA of my Let's Encrypt certificates.

Hi, thanks for your answer!
Unfortunately, the KBA does not include my problem. But thanks anyway, it might be a good guide for future issues!

And SSL Labs shows ISRG Root X1 as the CA, not my Sohos FW.

Hi Philipp!

Thanks for the answer.

Well, if I read this: https://success.qualys.com/discussions/s/question/0D52L00004TntxaSAB/chain-issue-contains-anchor

("Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain" [...] "that the extra certificate (which serves no purpose) is increasing the handshake latency")

and

https://whatsmychaincert.com/

("You do not need to include the root certificate in the certificate chain that you serve, since clients already have the root certificate in their trust stores. Including the root is inefficient since it increases the size of the SSL handshake.")

it is best practice to not sent the root certificate, as far as I understand it. The root cert should always already be known by the client.
And, as I wrote, other professional sites do not sent the root cert, like Microsoft or Google. That's a further sign that it should not be sent by the Sophos Firewall.

Hi, thanks for the input.
Yes, the CA is already available in the FW. The certificate in question is a "normal", bought certificate from a certificate retailer. The CA is a globally known root CA. It's not a Let's Encrypt certificate.

Hello,

any news/suggestions on this?

Can someone at least clarify if this is an intentional behavior by Sophos Firewall?

Thanks!

  Markus

Hi Markus Quirmbach  My belief is that it is expected as sometimes not sending a complete chain for CA, may failing some of the PCI scans results but let us take additional input from AttilaKovacs & bobbylamon the same if they have any additional comments on it.