Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 14 replies
  • Subscribers 42 subscribers
  • Views 6360 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Root Certificate automatically included by WAF of Sophos Firewall?

Markus Quirmbach

Hi everyone!

We are using a Sophos XGS2300 (SFOS 19.0.1 MR-1).

We uploaded a pfx-certificate to the WAF which specifically included only the webserver certificate itself and its intermediate certificate.

But, when we check the site with a tool like https://www.ssllabs.com/ssltest/ we see that the server (e.g. the Sophos Firewall) also sends the root certificate. Which is not what we want and which we don't see when we check sites like microsoft.com.

Are we correct to assume that this is done by the XGS? Is that intentional? Is there a way to circumvent this?

Thanks!

Best regards,

  Markus



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Markus Quirmbach

    Hi   My belief is that it is expected as sometimes not sending a complete chain for CA, may failing some of the PCI scans results but let us take additional input from AttilaKovacs & on the same if they have any additional comments on it.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link.

  • 0 in reply to Vishal_R

    Hi ,

    have you heard anything new from and/or  ?

    Thanks!

      Markus

  • +1 in reply to Markus Quirmbach

    Hi Markus,

    Yes, it is intentional. If a certificate is signed by a valid root CA that is part of the CA package available to XG (which should be the case in most scenarios) then WAF will always return the full certificate chain.

    This is the expected behavior, returning a partial chain is flagged by most test tools as a potential security vulnerability, and thus an automatic PCI scan failure.

    At the moment there is no option to influence this behavior.

    I understand the concern about the added latency, however, the impact in real life should be negligible on today's hardware.

    Regards,

    Attila Kovacs

  • 0 in reply to AttilaKovacs

    Hi Attila,

    thanks for the fast answer!

    Ok, that helps a lot. So it is intentional. But could you please clarify the following?

    "If a certificate is signed by a valid root CA that is part of the CA package available to XG ]...] then WAF will always return the full certificate chain."

    We explicitly uploaded a certificate to the XGS without the root certificate in the chain. Shouldn't the XGS then omit that root certificate? Or is the XGS returning that root certificate because it is known by the XGS (since it is a global CA)?

    "returning a partial chain is flagged by most test tools as a potential security vulnerability, and thus an automatic PCI scan failure."

    Well, as you can see by the screenshot I posted the test tool by ssllabs marks the chain because it contains the CA. Or am I seeing this wrong?

    Thank you very much!

       Markus

  • +1 in reply to Markus Quirmbach

    Hi Markus,

    If you upload a certificate without a root, but that root is available in XG's CA package then it will pick it up from there automatically. I think this was added exactly to avoid a scenario where ssllabs lowers your rating because you forgot to add your root in the chain before uploading.

    I think what ssllabs is trying to tell in your screenshot is that there is a root included in the chain which matches the one that is in their trust store, thus it's OK. I don't see an indication that they lowered your rating because of this, so I think this message can be ignored.

    Regards,

    Attila

Unfiltered HTML