Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos SSL VPN issue on version 2.3 - Case 07368183

The case is not resolved. Please open the case.

The Sophos team migrated Cyberoam to Sophos Firewall, and it has been working properly for the last 3 years with the Cyberoam certificate, whose expiry is 2036.

The issue is that Sophos Connect 2.3 is not working, but versions 2.2 and 2.1 are working properly.

The issue is in Sophos Connect version 2.3, not in the certificates. If the issue were in the certificate, then why is it working in versions 2.2 and 2.1?

That means you have not updated everything in version 2.3, and you have not even informed customers in your firmware update documentation.

I have logged the ticket, and you told me to regenerate the certificate, but that is not easy for me. More than 100 users are connected with Sophos Connect SSL VPN.

If I regenerate the certificate, I will have to install the VPN configuration on all the systems again, which is not possible for me, as I cannot attend to all the users.

It is Sophos's responsibility to resolve the customer's issue with Sophos Connect 2.3 instead of changing the whole certificate... Version 2.3 is not compatible with the certificate.

We are not ready to change the Sophos certificate because its expiry is 2036. Please involve your senior team and solve the issue.



[edited by: Erick Jan at 7:29 AM (GMT -7) on 12 Jun 2024]
Hi   I reviewed the submitted logs, and as suspected in my previous comment, your issue matches ID NCL-1852 as per the logs.

    2024-06-17 13:34:30 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=IN, XXXXXX.... 
    2024-06-17 13:34:30 Sent fatal SSL alert: bad certificate
    2024-06-17 13:34:30 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
    2024-06-17 13:34:30 TLS_ERROR: BIO read tls_read_plaintext error
    2024-06-17 13:34:30 TLS Error: TLS object -> incoming plaintext

Since OpenVPN has been updated in the Sophos Connect 2.3 client, it fails to connect to the SSL VPN behind Sophos XG when the server's certificate authority uses a weak signature algorithm such as SHA1.

The Sophos Connect 2.2 client is not affected, as it still accepts SHA1.

You will also receive an update on the support case with the next POA/workaround details.

I hope the above information and clarification will help you with this.


Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
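The reply above pins the failure on the digest used to sign the server certificate, which the newer OpenVPN/OpenSSL 3 build in the 2.3 client rejects at its default security level. The following stand-alone Python script is an added example, not Sophos's code or anything from the case: it pulls the VERIFY ERROR out of OpenVPN client log lines like those quoted above, and it reads the signatureAlgorithm OID straight out of a PEM certificate (no openssl binary needed) so an admin can confirm in advance whether a CA or server certificate was signed with SHA-1 or MD5. The OID table, the "weak digest" set (assumed to mirror what OpenSSL 3 refuses at security level 1), and the certificate-shaped sample blob built by `fake_cert_pem` are all constructed for the example; the sample is not a real, verifiable certificate, it only exercises the parsing path.

```python
"""Triage for OpenVPN 'CA signature digest algorithm too weak' (stdlib only, added example)."""
import base64
import re

# Dotted OID -> (name as printed by `openssl x509 -text`, digest). Constructed table (RFC 3279/4055/5758).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
}
# Assumption: OpenSSL 3 at its default security level rejects SHA-1/MD5 signatures
# on certificates with X509_V_ERR_CA_MD_TOO_WEAK (the error text in the log above).
WEAK_DIGESTS = {"md5", "sha1"}

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+):")


def classify_log(lines):
    """Return one finding per VERIFY ERROR line: chain depth, OpenSSL reason, weak-digest flag."""
    findings = []
    for line in lines:
        m = VERIFY_RE.search(line)
        if m:
            reason = m.group(2).strip()
            findings.append({"depth": int(m.group(1)), "reason": reason,
                             "weak_digest": reason == "CA signature digest algorithm too weak"})
    return findings


# --- minimal DER helpers: just enough to reach Certificate.signatureAlgorithm (RFC 5280 s4.1) ---
def _read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]  # first byte packs the first two arcs
    v = 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def signature_oid(pem):
    """Dotted OID of the outer signatureAlgorithm: Certificate -> skip tbsCertificate -> AlgorithmIdentifier."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, cert, _ = _read_tlv(base64.b64decode(b64), 0)   # Certificate ::= SEQUENCE
    _, _tbs, pos = _read_tlv(cert, 0)                   # tbsCertificate (not needed here)
    _, alg, _ = _read_tlv(cert, pos)                    # signatureAlgorithm ::= SEQUENCE
    tag, oid_body, _ = _read_tlv(alg, 0)                # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid_body)


def check_cert(pem):
    """Report the signature algorithm and whether an OpenSSL 3 default-level client would reject it."""
    oid = signature_oid(pem)
    name, digest = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
    return {"algorithm": name, "digest": digest, "rejected_by_openssl3_default": digest in WEAK_DIGESTS}


# --- constructed sample input (not a real certificate) so the script runs offline ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def fake_cert_pem(sig_oid):
    """Certificate-shaped DER with a placeholder tbsCertificate (serial only) and a dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der_oid(sig_oid) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)
    body = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed log sample mirroring the lines quoted in the reply above.
SAMPLE_LOG = [
    "2024-06-17 13:34:30 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=IN, XXXXXX....",
    "2024-06-17 13:34:30 Sent fatal SSL alert: bad certificate",
    "2024-06-17 13:34:30 OpenSSL: error:0A000086:SSL routines::certificate verify failed:",
]

if __name__ == "__main__":
    print(classify_log(SAMPLE_LOG))
    print(check_cert(fake_cert_pem("1.2.840.113549.1.1.5")))    # sha1WithRSAEncryption -> rejected
    print(check_cert(fake_cert_pem("1.2.840.113549.1.1.11")))   # sha256WithRSAEncryption -> accepted
```

To check a real chain, feed `check_cert` the PEM of the CA and of the server certificate exported from the firewall (for example `check_cert(open("ca.pem").read())`); a `depth=0` finding in the client log points at the digest the CA used to sign the server certificate, so the CA's own self-signature is not the only thing to inspect.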