Root Certificate automatically included by WAF of Sophos Firewall?

Question

Hi everyone! 
 We are using a Sophos XGS2300 (SFOS 19.0.1 MR-1). 
 We uploaded a pfx-certificate to the WAF which specifically included only the webserver certificate itself and its intermediate certificate. 
 But, when we check the site with a tool like https://www.ssllabs.com/ssltest/ we see that the server (e.g. the Sophos Firewall) also sends the root certificate. Which is not what we want and which we don't see when we check sites like microsoft.com. 
 
 Are we correct to assume that this is done by the XGS? Is that intentional? Is there a way to circumvent this? 
 Thanks! 
 Best regards, 
 Markus

AttilaKovacs · Accepted Answer

Hi Markus, 
 Yes, it is intentional. If a certificate is signed by a valid root CA that is part of the CA package available to XG (which should be the case in most scenarios) then WAF will always return the full certificate chain. 
 This is the expected behavior, returning a partial chain is flagged by most test tools as a potential security vulnerability, and thus an automatic PCI scan failure. 
 At the moment there is no option to influence this behavior. 
 I understand the concern about the added latency, however, the impact in real life should be negligible on today's hardware. 
 Regards, 
 Attila Kovacs

AttilaKovacs · Answer

Hi Markus, 
 If you upload a certificate without a root, but that root is available in XG's CA package then it will pick it up from there automatically. I think this was added exactly to avoid a scenario where ssllabs lowers your rating because you forgot to add your root in the chain before uploading. 
 I think what ssllabs is trying to tell in your screenshot is that there is a root included in the chain which matches the one that is in their trust store, thus it's OK. I don't see an indication that they lowered your rating because of this, so I think this message can be ignored. 
 Regards, 
 Attila

Root Certificate automatically included by WAF of Sophos Firewall?

Top Replies