Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Root Certificate automatically included by WAF of Sophos Firewall?

Hi everyone!

We are using a Sophos XGS2300 (SFOS 19.0.1 MR-1).

We uploaded a pfx-certificate to the WAF which specifically included only the webserver certificate itself and its intermediate certificate.

But, when we check the site with a tool like https://www.ssllabs.com/ssltest/ we see that the server (e.g. the Sophos Firewall) also sends the root certificate. Which is not what we want and which we don't see when we check sites like microsoft.com.

Are we correct to assume that this is done by the XGS? Is that intentional? Is there a way to circumvent this?

Thanks!

Best regards,

  Markus



This thread was automatically locked due to age.
Parents
  • Is the CA from the certifcate path availabe on your FW?

    I, f.i. had to upload the CA of my Let's Encrypt certificates.

     
    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • And SSL Labs shows ISRG Root X1 as the CA, not my Sohos FW.

     
    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Hi, thanks for the input.
    Yes, the CA is already available in the FW. The certificate in question is a "normal", bought certificate from a certificate retailer. The CA is a globally known root CA. It's not a Let's Encrypt certificate.

Reply Children
No Data