
Version 9.508 - report on experience

Version 9.508 is released:

https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-508-released

Maybe we could collect some reports about problems, or hopefully about no problems. Please also tell us which modules (Network, Web, WAF, Mail, WLAN, ...) you use if you successfully updated to 9.508.

Best
Alex

P.S. With the production system, I'll wait a little bit ;-)



  • The KBA with the workaround has been updated.

    In case a third-party certificate with the new algorithms cannot be obtained, the old behaviour needs to be restored by using the old algorithms.
    For that, log on via SSH to the command line (CLI), get root and execute the following command:

    cc set smtp encryption_utility smime

    After that the old algorithms are used again.
    At any later point in time it is possible to switch to the new algorithms by logging on to the CLI and entering:

    cc set smtp encryption_utility cms

    https://community.sophos.com/kb/en-us/131727

     

    __________________________________________________________________________________________________________________

  • Sophos CA: certs (now SHA512) were recreated after the update. We did not create a new CA cert as this would break many things like the SSL proxy etc.

    The NDR from the external MTA looks like this:

    X-ASG-Debug-ID: 1520<removed>f0001-PIMyqA
    Received: from <removed> by <removed> with ESMTP id n3UkXHeBZrv8SwzT (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <<removed>; Wed, 07 Mar 2018 10:18:59 +0100 (CET)
    X-Barracuda-Envelope-From: <removed>
    X-Barracuda-Effective-Source-IP: <removed>
    X-Barracuda-Apparent-Source-IP: <removed>
    X-CTCH-RefID: str=0001.0A0C0207.5A9FABF0.0349,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    From: "<removed>>
    To: "<removed>
    Subject: <removed>
    X-ASG-Orig-Subj: F<removed>
    Thread-Index: AdO18lbdXnyz7fldQ2+CJClq+1bY/g==
    Date: Wed, 7 Mar 2018 09:07:59 +0000
    Message-ID: <26c8089a06e249a5bc07ae9ed7f69e<removed>>
    Accept-Language: de-DE, en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    x-ms-exchange-transport-fromentityheader: Hosted
    x-originating-ip: [fd30:dd2b:<removed>]
    MIME-Version: 1.0
    Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----59E2778A23B1E9BEB26990735606E06C"
    X-Barracuda-Connect: <removed>
    X-Barracuda-Start-Time: 1520414339
    X-Barracuda-Encrypted: ECDHE-RSA-AES256-GCM-SHA384
    X-Barracuda-URL: https://m<removed>mark.cgi
    X-Barracuda-BRTS-Status: 1
    X-Virus-Scanned: by bsmtpd at <removed>
    X-Barracuda-Scan-Msg-Size: 21889
    X-Barracuda-Spam-Score: 0.00
    X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=2.0 QUARANTINE_LEVEL=2.0 KILL_LEVEL=3.0 tests=BSF_SC0_MISMATCH_TO, HTML_MESSAGE
    X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.48677
                Rule breakdown below
                pts rule name              description
                ---- ---------------------- --------------------------------------------------
                0.00 HTML_MESSAGE           BODY: HTML included in message
                0.00 BSF_SC0_MISMATCH_TO    Envelope rcpt doesn't match header

    This is an S/MIME signed message

  • Christian Kirchner said:

    => Sophos' encryption is not RFC conformant and thus blocked by their gateways

    Official or Sophos CA?

  • Regarding the new mail encryption, we got the following information from one recipient's IT dept., where signed mails get blocked by their gateway (translated from German):

    "It is not our spam firewalls that block these mails, but the e-mail encryption gateway behind them, which complains that the S/MIME signature is not RFC conformant and therefore rejects the mails."

    => Sophos' encryption is not RFC conformant and thus blocked by their gateways

  • About encrypting...

    OK, I had a nice talk with one of the better, more expensive, bigger CAs.

    They gave me some information on the tech specs behind the new algorithm. Now I'm sure this may be better security, but that doesn't mean the old one is much less secure.

    No one there understands why Sophos did this without any announcement. They told me that they are actually speaking to Sophos about this issue and trying to find some kind of solution for this, but they also said this solution won't be a change of algorithm!

    In my opinion the only solution would be to support both...

    ...oh yes, there may be a chance that small local CAs will use this algorithm, but never ever the big global players...
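
The interoperability problem running through the posts above (a recipient gateway rejecting the signature, Outlook 2016 not verifying it, and the wish to support both algorithms) comes down to RSASSA-PSS (RFC 8017; its use in CMS/S-MIME is specified in RFC 4056) and RSASSA-PKCS1-v1_5 producing differently laid out encoded blocks under the same RSA key. The following Python script is an added example written for this page; it is not code from Sophos, from the UTM or from any poster. It uses only the standard library, a toy key built from two Mersenne primes (constructed for the demonstration, not a real or safe key) and a constructed sample message, and it shows that a verifier implementing only the v1.5 layout rejects a valid PSS signature as malformed, while a verifier implementing both accepts either.

```python
"""Why a PKCS#1 v1.5-only S/MIME verifier rejects an RSASSA-PSS signature.

Both schemes (RFC 8017) wrap a SHA-256 digest in an encoded message EM and
run it through the same RSA private-key operation; they differ only in the
layout of EM. A gateway that only knows the v1.5 layout therefore sees a
valid PSS signature as a malformed block. Standard library only.
"""
import hashlib
import os

# Toy RSA key, constructed for this example only (NOT a real or safe key):
# p and q are the Mersenne primes 2^521-1 and 2^607-1, giving a 1128-bit modulus.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in octets
HLEN = 32                              # SHA-256 output length
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _rsa(block: bytes, exponent: int, out_len: int) -> bytes:
    """Raw RSA operation (RSASP1/RSAVP1) on an octet string."""
    return pow(int.from_bytes(block, "big"), exponent, N).to_bytes(out_len, "big")


def _emsa_pkcs1_v15(msg: bytes) -> bytes:
    """EM = 0x00 0x01 FF..FF 0x00 DigestInfo (RFC 8017, section 9.2)."""
    digest_info = SHA256_PREFIX + hashlib.sha256(msg).digest()
    padding = b"\xff" * (K - 3 - len(digest_info))
    return b"\x00\x01" + padding + b"\x00" + digest_info


def sign_pkcs1v15(msg: bytes) -> bytes:
    return _rsa(_emsa_pkcs1_v15(msg), D, K)


def verify_pkcs1v15(msg: bytes, sig: bytes) -> bool:
    """Legacy verifier: the recovered block must match the v1.5 layout exactly."""
    return len(sig) == K and _rsa(sig, E, K) == _emsa_pkcs1_v15(msg)


def _mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 with SHA-256 (RFC 8017, appendix B.2.1)."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def sign_pss(msg: bytes, salt=None) -> bytes:
    """RSASSA-PSS with SHA-256, MGF1-SHA256 and a 32-byte salt (RFC 8017, 9.1.1)."""
    em_bits = N.bit_length() - 1
    em_len = (em_bits + 7) // 8
    salt = os.urandom(HLEN) if salt is None else salt
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, _mgf1(h, em_len - HLEN - 1)))
    top_zero = 8 * em_len - em_bits            # leading bits cleared so EM < N
    masked = bytes([masked[0] & (0xFF >> top_zero)]) + masked[1:]
    return _rsa(masked + h + b"\xbc", D, K)


def verify_pss(msg: bytes, sig: bytes, salt_len: int = HLEN) -> bool:
    """RSASSA-PSS-VERIFY (RFC 8017, 9.1.2); any layout mismatch is 'inconsistent'."""
    if len(sig) != K:
        return False
    em_bits = N.bit_length() - 1
    em_len = (em_bits + 7) // 8
    try:
        em = _rsa(sig, E, em_len)
    except OverflowError:                       # recovered value too large for emLen
        return False
    if em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    top_zero = 8 * em_len - em_bits
    if masked[0] >> (8 - top_zero):             # leading bits must be zero
        return False
    db = bytes(a ^ b for a, b in zip(masked, _mgf1(h, em_len - HLEN - 1)))
    db = bytes([db[0] & (0xFF >> top_zero)]) + db[1:]
    ps_len = em_len - HLEN - salt_len - 2
    if db[:ps_len] != b"\x00" * ps_len or db[ps_len] != 0x01:
        return False
    salt = db[ps_len + 1:]
    h_prime = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    return h_prime == h


def classify_signature(msg: bytes, sig: bytes):
    """Verifier that accepts both schemes, as a receiving gateway would need to in
    order to interoperate with senders that switched to PSS. Returns the scheme
    name, or None if the signature is valid under neither layout."""
    if verify_pkcs1v15(msg, sig):
        return "RSASSA-PKCS1-v1_5"
    if verify_pss(msg, sig):
        return "RSASSA-PSS"
    return None


if __name__ == "__main__":
    body = b"This is an S/MIME signed message (constructed sample body)"
    for name, sig in (("v1.5", sign_pkcs1v15(body)), ("PSS", sign_pss(body))):
        print(f"{name:4} signature: v1.5-only verifier -> {verify_pkcs1v15(body, sig)}, "
              f"PSS verifier -> {verify_pss(body, sig)}, dual -> {classify_signature(body, sig)}")
```

In a real S/MIME message the scheme is announced by the signatureAlgorithm OID in the CMS SignerInfo (id-RSASSA-PSS, 1.2.840.113549.1.1.10, versus sha256WithRSAEncryption, 1.2.840.113549.1.1.11), so a receiving gateway does not have to guess; the trial order in classify_signature is only a convenience for the demonstration. The toy key exists purely so the script runs offline and must not be reused for anything else.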

  • Upgraded to 9.508 on two SG230 in HA.

    Using web filtering, mail antispam, 12 access points, site-to-site VPN and client VPN; so far no issues with those.

    However, the mail quarantine emails the clients get do not release or whitelist anymore on some clients (Windows 10). The web page that opens saying you released the email now says the following, and the email does not show up in the client's mailbox:

    Can't connect securely to this page

    This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner.

    Try this:

  • After the update I have a site-to-site VPN connection issue. The VPN connection status is up, but I can't reach our Amazon VPC server. I have tried to delete the connection and set it up again, but I still can't access it.

     

  • May be, but there seems to be no CA that offers this. And if even Outlook 2016 does not verify the signature, then this misses the market. I'm really curious how other solutions deal with this.

    My wish list would be to have a manual switch to revert back to the existing algorithms.

  • For the Germans (translated from the document linked below):

    https://www.bundesnetzagentur.de/DE/Service-Funktionen/Beschlusskammern/Beschlusskammer7/BK7_73_Messwesen_Energie/Mitteilungen_zu_BK6_16_200_BK7_16_142/Mitteilung_Nr_7/Anlagen/Regelungen_Uebertragungsweg_1.1_2017_12_12.pdf?__blob=publicationFile&v=3

    • All certificates issued up to 31.12.2017 are to be signed with the signature algorithms sha-256RSA or sha-512RSA (signature scheme RSASSA-PKCS1-v1_5). Certificates newly issued from 01.01.2018 to 31.12.2018 are to be signed either with the signature scheme RSASSA-PKCS1-v1_5 (signature algorithms sha-256RSA or sha-512RSA) or with RSASSA-PSS, where the use of certificates signed with RSASSA-PSS first requires the agreement of both participating market partners. These certificates can be used in the interim model of market communication up to the maximum certificate validity (at most 3 years).

    • All certificates newly issued from 01.01.2019 onward must be signed with RSASSA-PSS.

  • The answer of a cert reseller (translated from German):

    Hello Mr. Busch,

    the algorithm RSASSA-PSS is currently not supported by any certification authority. Because of the non-existent coverage, EDI has postponed the obligation to use this algorithm from 01.01.18 to 01.01.19. Please follow up with Sophos again on whether the general market standard RSA-SHA-256 can continue to be used.

    At present no firm date is known for when the new algorithm will be available.

    So no certificate is available in the market to work with the UTM. Is that the result, or did I get something wrong?

    Best

    Alex