We are using a Sophos XGS2300 (SFOS 19.0.1 MR-1).
We uploaded a PFX certificate to the WAF which specifically included only the webserver certificate itself and its intermediate certificate.
But, when we check the site with a tool like https://www.ssllabs.com/ssltest/ we see that the server (e.g. the Sophos Firewall) also sends the root certificate. That is not what we want, and it is not what we see when we check sites like microsoft.com.
Are we correct to assume that this is done by the XGS? Is that intentional? Is there a way to circumvent this?
Yes, it is intentional. If a certificate is signed by a valid root CA that is part of the CA package available to XG (which should be the case in most scenarios) then WAF will always return the full certificate chain.
This is the expected behavior; returning a partial chain is flagged by most test tools as a potential security vulnerability, and thus causes an automatic PCI scan failure.
At the moment there is no option to influence this behavior.
I understand the concern about the added latency, however, the impact in real life should be negligible on today's hardware.
thanks for the fast answer!
Ok, that helps a lot. So it is intentional. But could you please clarify the following?
"If a certificate is signed by a valid root CA that is part of the CA package available to XG [...] then WAF will always return the full certificate chain."
We explicitly uploaded a certificate to the XGS without the root certificate in the chain. Shouldn't the XGS then omit that root certificate? Or is the XGS returning that root certificate because it is known by the XGS (since it is a global CA)?
"returning a partial chain is flagged by most test tools as a potential security vulnerability, and thus an automatic PCI scan failure."
Well, as you can see by the screenshot I posted the test tool by ssllabs marks the chain because it contains the CA. Or am I seeing this wrong?
Thank you very much!
If you upload a certificate without a root, but that root is available in XG's CA package then it will pick it up from there automatically. I think this was added exactly to avoid a scenario where ssllabs lowers your rating because you forgot to add your root in the chain before uploading.
I think what ssllabs is trying to tell you in your screenshot is that there is a root included in the chain which matches the one that is in their trust store, thus it's OK. I don't see an indication that they lowered your rating because of this, so I think this message can be ignored.
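To verify independently what chain a server actually sends (the point discussed above), here is an added example that is not from the thread or from Sophos: it parses the certificate list printed by `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` and reports whether the chain is ordered leaf to CA and whether the last certificate is self-signed, i.e. whether the root CA was included. The embedded s_client output is constructed for the example, with the PEM bodies left out.

```python
"""Check whether a TLS server sends the root CA in its certificate chain.

Feed it the output of:
    openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
Each entry in the "Certificate chain" section looks like:
     0 s:CN = www.example.com
       i:C = US, O = Example Trust, CN = Example Intermediate CA
A certificate whose subject equals its issuer is self-signed, i.e. a root.
"""
import re
import sys

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject DN>"
_ISSUER = re.compile(r"^\s*i:(.*)$")             # "   i:<issuer DN>"

# Constructed sample (not real s_client output); PEM bodies omitted.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
depth=2 C = US, O = Example Trust, CN = Example Root CA
---
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example Trust, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:C = US, O = Example Trust, CN = Example Intermediate CA
   i:C = US, O = Example Trust, CN = Example Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 2 s:C = US, O = Example Trust, CN = Example Root CA
   i:C = US, O = Example Trust, CN = Example Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.com
issuer=C = US, O = Example Trust, CN = Example Intermediate CA
"""


def parse_chain(s_client_output: str) -> list:
    """Return [{'index', 'subject', 'issuer'}, ...] in the order the server sent them."""
    chain = []
    for line in s_client_output.splitlines():
        m = _SUBJECT.match(line)
        if m:
            chain.append({"index": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None})
            continue
        m = _ISSUER.match(line)
        if m and chain and chain[-1]["issuer"] is None:  # issuer follows its subject line
            chain[-1]["issuer"] = m.group(1).strip()
    return chain


def analyse_chain(chain: list) -> dict:
    """Is every cert issued by the next one, and is the last cert a self-signed root?"""
    ordered = all(chain[i]["issuer"] == chain[i + 1]["subject"] for i in range(len(chain) - 1))
    root_sent = bool(chain) and chain[-1]["subject"] == chain[-1]["issuer"]
    return {"count": len(chain), "ordered": ordered, "root_sent": root_sent}


if __name__ == "__main__":
    text = SAMPLE_SHOWCERTS if sys.stdin.isatty() else sys.stdin.read()
    print(analyse_chain(parse_chain(text)))
```

With a real server, pipe the s_client output into the script; `root_sent: True` means the firewall appended the root, as described in the thread.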