
Sophos SSL VPN issue on 2.3 version - Case 07368183

The case is not resolved. Please open the case.

The Sophos team migrated Cyberoam to Sophos Firewall, and it has been working properly for the last 3 years with the Cyberoam certificate, whose expiry is 2036.

The issue is that Sophos Connect 2.3 is not working, but the 2.2 and 2.1 versions are working properly.

The issue is in the Sophos Connect 2.3 version, not in the certificates. If the issue were in the certificate, then why is it working in the 2.2 and 2.1 versions?

That means you guys have not updated everything in the 2.3 version and have not even informed customers in your firmware update documentation.

I have logged the ticket and you guys told me to regenerate the certificate, but it's not easy for me. More than 100 users are connected with Sophos Connect SSL VPN.

If I regenerate the certificate, then I will have to install the VPN configuration on all the systems again, and it is not possible for me to attend to all the users.

It's Sophos' responsibility to resolve the customer issue on the Sophos 2.3 version instead of changing the whole certificate... The 2.3 version is not compatible with the certificate.

We are not ready to change the Sophos certificate because its expiry is 2036. Please involve your senior team and solve the issue.

Thanks

Umesh



  • Hello Umesh,

    We regret to hear about your experience on this concern.

    We are now aware of your new support case - 07393422 and tracking progress on our end. 

    The latest activity of the engineer assigned to the case shows that he tried to reach out to your registered mobile number, but you were unable to answer.

    Could you please provide your availability on the case thread so the call can be arranged accordingly?

    Many thanks for your time and patience and thank you for choosing Sophos.

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Please connect now, I am available

  • I have shared logs with Haardikh. You can check via the below URL.

    easyupload.io/m/9pihu7

  • Hi, I reviewed the submitted logs and, as suspected in my previous comment, your issue matches ID NCL-1852 as per the logs.

    2024-06-17 13:34:30 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=IN, XXXXXX.... 
    2024-06-17 13:34:30 Sent fatal SSL alert: bad certificate
    2024-06-17 13:34:30 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
    2024-06-17 13:34:30 TLS_ERROR: BIO read tls_read_plaintext error
    2024-06-17 13:34:30 TLS Error: TLS object -> incoming plaintext

    Since OpenVPN has been updated in the Sophos Connect 2.3 client, it fails to connect to SSL VPN behind Sophos XG when the server certificate authority uses a weak signature algorithm like SHA1.

    The Sophos Connect 2.2 client is not affected as it still accepts SHA1.

    You will also receive an update on the support case with the next POA/workaround details.

    I hope the above information and clarification will help you with this.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
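
Added example, not part of the thread and not Sophos tooling: a Python check that reads the outer signature algorithm of every PEM certificate in a text (for instance an exported CA or server certificate) and flags MD5 or SHA-1 signatures of the kind the log above rejects. The function names are assumptions, and the sample input is a constructed DER skeleton, not a real certificate.

```python
import base64
import re
# DER bytes (hex) of signature-algorithm OIDs that rely on MD5 or SHA-1.
WEAK_SIG_OIDS = {
    "2a864886f70d010104": "md5WithRSAEncryption",
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a8648ce380403": "dsa-with-SHA1",
    "2a8648ce3d0401": "ecdsa-with-SHA1",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_oid(der):
    """Hex of the outer signatureAlgorithm OID in Certificate ::= SEQUENCE {tbs, alg, sig}."""
    _, cert_start, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, cert_start)   # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return der[oid_start:oid_end].hex()

def audit_pem(text):
    """Return (index, algorithm name or OID hex, is_weak) for each PEM certificate in text."""
    oids = [signature_oid(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(text)]
    return [(i, WEAK_SIG_OIDS.get(o, o), o in WEAK_SIG_OIDS) for i, o in enumerate(oids)]

def skeleton_pem(oid_hex):
    """Constructed sample: a DER skeleton with an empty tbsCertificate, NOT a real certificate."""
    oid = bytes.fromhex(oid_hex)
    alg = bytes([0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + bytes([0x30, len(alg)]) + alg + b"\x03\x01\x00"
    der = bytes([0x30, len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # One SHA-1 skeleton followed by one sha256WithRSAEncryption skeleton.
    for idx, alg, weak in audit_pem(skeleton_pem("2a864886f70d010105") + skeleton_pem("2a864886f70d01010b")):
        print(idx, alg, "WEAK" if weak else "ok")
```

An algorithm that is not in the weak list is reported by its raw OID hex rather than by name.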
