SSL Inspection - Websites showing up as Insecure despite having added Appliance Root CA

Hello Stephen, 

Good day and thanks for reaching out to Sophos Community.

Could you follow this Community Recommended Read guide and see if it would help resolve your issue:  Sophos Firewall: Resolving "Not secure" error while browsing secure sites 

Many thanks for your time and patience and thank you for choosing Sophos.

Cheers,

I deployed this with inspection off temporarily.  Will try this when I get back to client site.

Sophos sites have built in TLS decryption exceptions, so they always work.

You could do the same and put support.lenovo.com to a local TLS exclusion Web Group, used in TLS for "do not decrypt", so you do not need an extra firewall rule for the traffic.

Hi,

I forgot about that little gotcha. I retested using my bank site and failed. I checked the W11 and it has the XG115W CA installed.

Ian

is it only with W11 and Edge?

I tested on W10 with Edge and the page loads, while decrypted by Firewall AND local Sophos Endpoint. Did not try to skip the Endpoint checks.

do you have this CA installed? because this is not build in.

I don't have a current W10 machine to test on, so at this stage it is W11, edge and firefox that all fail. I have the same CA installed on my apple devices without any issues, that is MBP (M1), mac air (M1), iPad, mac mini (intel) and two iPhones.

I will check for the certificate you have shown tomorrow.

Ian

great. this needs to be installed on the firewall so it can decrypt. browsers have it installed, but as they see the firewall CA only, it should not be an issue, if it was missing on the browser.

My test device is a w10 home version so not sure that it qualifies to test this issue on?
ian

Sometimes I have that issue, when installing the CA in the browser, the browser loads the old site from the cache in history instead of loading the site from scratch.

I would have to download the Eicar test file while using incognito mode in order to force the browser to get the file from the site instead of retrieving it from cache, for troubleshooting whether https inspection was really working or not.

An update, I finally found a W10 box that will update to the latest fixes etc from MS.

I have installed the XG115W CA in two places on the W10 box.

Results.

Access to the XG115W is still shown as insecure

Some sites work correctly including google, but not all.

Ian

An update, I finally found a W10 box that will update to the latest fixes etc from MS.

I have installed the XG115W CA in two places on the W10 box.

Results.

Access to the XG115W is still shown as insecure

Some sites work correctly including google, but not all.

Ian

I would think of a CA certificate at the wrong place or a 3rd Party Endpoint Security installed, checking HTTPS connections. Disabling "system application_classification" should not be required.

Info: Microsoft has switched to browser CA certificates in Edge. Just like firefox does.

https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-cert-verification

In past versions of Microsoft Edge, both the default certificate trust list and the certificate verifier logic were provided by underlying operating system (OS) platform.

For managed devices, starting in Microsoft Edge 112 on Windows and macOS, both the default certificate trust list and the certificate verifier are provided by and shipped with the browser. This approach decouples the list and verifier from the host operating system's root store for the default verification behavior. See the rollout timeline and testing guidance for more detail about the timing of the change.

Even after the change, in addition to trusting the built-in roots that ship with Microsoft Edge, the browser queries the underlying platform for—and trusts—locally installed roots that users and/or enterprises installed. As a result, scenarios where a user or enterprise installed more roots to the host operating system's root store should continue to work.