
Version 9.508 - report on experience

Version 9.508 is released:

https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-508-released

Maybe we could collect some reports about problems, or hopefully about no problems. Please tell us about the modules (Network, Web, WAF, Mail, WLAN, ...) you use if you successfully updated to 9.508.

Best
Alex

P.S. With the production system, I'll wait a little bit ;-)



  • Alexander Busch said:

    As stated in 3, one should get certificates with the appropriate algorithm. Does anybody know how to check which algorithm was used in an existing certificate? So should I ask the CA to re-issue my certificate, and then everything is fine?

    Sure...

    openssl x509 -in YOURSMIMECERT.CER -noout -text | grep "Signature Algorithm"
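As an added example that is not part of this thread: the same check done with only the Python standard library, which is handy when a whole directory of S/MIME certificates has to be screened. It tells RSASSA-PSS (OID 1.2.840.113549.1.1.10) apart from the classic RSASSA-PKCS1-v1_5 algorithms (sha256WithRSAEncryption and friends) and, for PSS, also decodes the hash named inside the parameters, since a verifying gateway or mail client has to support that hash as well as the PSS scheme. The two sample certificates at the bottom are constructed DER shells with an empty tbsCertificate placeholder, built only to exercise the parser; in practice you would pass the contents of a real PEM or DER file read from disk.

```python
"""Added example (not from the thread): report the signature algorithm of an
X.509 certificate with only the Python standard library, so a batch of S/MIME
certificates can be screened for RSASSA-PSS versus RSASSA-PKCS1-v1_5."""
import base64
import re

SIG_ALG_OIDS = {  # outer signatureAlgorithm OIDs seen in S/MIME certificates
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption (RSASSA-PKCS1-v1_5)",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption (RSASSA-PKCS1-v1_5)",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption (RSASSA-PKCS1-v1_5)",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
HASH_OIDS = {  # hashAlgorithm OIDs referenced inside RSASSA-PSS-params
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}


def der_tlv(buf, pos=0):
    """Decode one DER TLV starting at pos -> (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split the contents of a constructed element into child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_tlv(contents, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Contents octets of an OBJECT IDENTIFIER (X.690 8.19) -> dotted string."""
    first = raw[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(data):
    """Accept PEM text or raw DER bytes and return DER."""
    if isinstance(data, str):
        data = data.encode()
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def signature_algorithm(cert):
    """Return (oid, name) of Certificate.signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    For RSASSA-PSS the hash in the parameters' [0] hashAlgorithm is decoded too,
    because a verifier must support that hash in addition to the PSS scheme itself.
    """
    tag, body, _ = der_tlv(pem_to_der(cert))
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tbs, (_, alg), _sig = der_children(body)[:3]
    alg_parts = der_children(alg)          # [OID, optional parameters]
    oid = decode_oid(alg_parts[0][1])
    name = SIG_ALG_OIDS.get(oid, "unknown")
    if oid == "1.2.840.113549.1.1.10" and len(alg_parts) > 1:
        for ptag, pval in der_children(alg_parts[1][1]):
            if ptag == 0xA0:               # [0] EXPLICIT hashAlgorithm AlgorithmIdentifier
                hash_oid = decode_oid(der_children(der_children(pval)[0][1])[0][1])
                name += " with " + HASH_OIDS.get(hash_oid, hash_oid)
    return oid, name


# --- constructed test data (DER shells, NOT real certificates) -----------------
def tlv(tag, value):
    """Encode one DER TLV; handles long-form lengths."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return tlv(0x06, bytes(body))


def fake_cert(alg_tlv):
    """Certificate shell: empty tbsCertificate placeholder + given algorithm + dummy BIT STRING."""
    return tlv(0x30, tlv(0x30, b"") + alg_tlv + tlv(0x03, b"\x00" * 33))


PKCS1_SHA256 = fake_cert(tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b"")))
PSS_SHA256 = fake_cert(tlv(0x30, encode_oid("1.2.840.113549.1.1.10") + tlv(0x30, tlv(
    0xA0, tlv(0x30, encode_oid("2.16.840.1.101.3.4.2.1") + tlv(0x05, b""))))))
PKCS1_SHA256_PEM = ("-----BEGIN CERTIFICATE-----\n"
                    + base64.b64encode(PKCS1_SHA256).decode()
                    + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, c in [("pkcs1", PKCS1_SHA256), ("pss", PSS_SHA256), ("pem", PKCS1_SHA256_PEM)]:
        print(label, *signature_algorithm(c))
```

The parser deliberately reads only the outer signatureAlgorithm, which is the field the openssl one-liner greps for; the copy inside tbsCertificate must match it, and a mismatch is itself a reason to reject a certificate.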

  • The answer of a cert reseller (translated from German):

    Good day Mr. Busch,

    the RSASSA-PSS algorithm is currently not yet supported by any certification authority. Due to the lack of coverage, the EDI has postponed the obligation to use this algorithm from 01.01.18 to 01.01.19. Please check again with Sophos whether the general market standard RSA-SHA-256 can still be used.

    At present no specific date is known on which the new algorithm will be available.

    So no certificate is available on the market that works with the UTM. Is that the result, or did I get something wrong?

    Best

    Alex


  • 4 (German source, translated):

    https://www.bundesnetzagentur.de/DE/Service-Funktionen/Beschlusskammern/Beschlusskammer7/BK7_73_Messwesen_Energie/Mitteilungen_zu_BK6_16_200_BK7_16_142/Mitteilung_Nr_7/Anlagen/Regelungen_Uebertragungsweg_1.1_2017_12_12.pdf?__blob=publicationFile&v=3

    • All certificates issued up to 31.12.2017 are to be signed with the signature algorithms sha-256RSA or sha-512RSA (signature scheme RSASSA-PKCS1-v1_5). Certificates newly issued from 01.01.2018 to 31.12.2018 are to be signed either with the signature scheme RSASSA-PKCS1-v1_5 (signature algorithms sha-256RSA or sha-512RSA) or with RSASSA-PSS, where the use of certificates signed with RSASSA-PSS first requires the agreement of both participating market partners. These certificates can be used in the interim model of market communication up to the maximum certificate validity (at most 3 years).

    • All certificates newly issued from 01.01.2019 onward must be signed with RSASSA-PSS.

  • Maybe so, but there just seems to be no CA that offers this. And if even Outlook 2016 does not verify the signature, then this is out of step with the market. I'm really curious how other solutions deal with this.

    My wishlist would be to have a manual switch to revert back to the existing algorithms.

  • After the update, I have a site-to-site VPN connection issue. The VPN connection status is up, but I can't reach our Amazon VPC server. I have tried to delete the connection and set it up again, but I still can't get access.

  • Upgraded to 9.508 on two SG230 in HA.

    Using web filtering, mail antispam, 12 access points, site-to-site VPN and client VPN; so far no issues with those.

    However, the mail quarantine emails the clients get no longer release or whitelist on some clients (Windows 10). The web page that opens to confirm you released the email now shows the following instead, and the email does not show up in the client's mailbox:

    Can't connect securely to this page

    This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner.

    Try this:

  • About encrypting...

    OK, I've had a nice talk with one of the bigger, more expensive CAs.

    They gave me some info on the tech specs behind the new algorithm. Now I'm sure this may be better security, but that doesn't mean the old one is much less secure.

    No one there could understand why Sophos did this without any announcement. They told me that they are actually talking to Sophos about this issue and trying to find some kind of solution for it, but they also said this solution won't be a change of algorithm!

    In my opinion the only solution would be to support both...

    ...oh yes, there may be a chance that small local CAs will use this algorithm, but never ever the big global players...

  • Regarding the new mail encryption, we got the following information from one recipient's IT department, where signed mails get blocked by their gateway (translated from German):

    "It is not our spam firewalls that block these mails, but the e-mail encryption gateway behind them, which flags the S/MIME signature as not RFC conformant and therefore rejects the mails."

    => Sophos' encryption is not RFC conformant and thus blocked by their gateways

  • Christian Kirchner said:

    => Sophos' encryption is not RFC conformant and thus blocked by their gateways

    Official or Sophos CA?

  • Sophos CA; the certs (now SHA512) were recreated after the update. We did not create a new CA cert as this would break many things like the SSL proxy etc.

    The NDR from the external MTA looks like this:

    X-ASG-Debug-ID: 1520<removed>f0001-PIMyqA
    Received: from <removed> by <removed> with ESMTP id n3UkXHeBZrv8SwzT (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <<removed>; Wed, 07 Mar 2018 10:18:59 +0100 (CET)
    X-Barracuda-Envelope-From: <removed>
    X-Barracuda-Effective-Source-IP: <removed>
    X-Barracuda-Apparent-Source-IP: <removed>
    X-CTCH-RefID: str=0001.0A0C0207.5A9FABF0.0349,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    From: "<removed>>
    To: "<removed>
    Subject: <removed>
    X-ASG-Orig-Subj: F<removed>
    Thread-Index: AdO18lbdXnyz7fldQ2+CJClq+1bY/g==
    Date: Wed, 7 Mar 2018 09:07:59 +0000
    Message-ID: <26c8089a06e249a5bc07ae9ed7f69e<removed>>
    Accept-Language: de-DE, en-US
    X-MS-Has-Attach: yes
    X-MS-TNEF-Correlator:
    x-ms-exchange-transport-fromentityheader: Hosted
    x-originating-ip: [fd30:dd2b:<removed>]
    MIME-Version: 1.0
    Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----59E2778A23B1E9BEB26990735606E06C"
    X-Barracuda-Connect: <removed>
    X-Barracuda-Start-Time: 1520414339
    X-Barracuda-Encrypted: ECDHE-RSA-AES256-GCM-SHA384
    X-Barracuda-URL: https://m<removed>mark.cgi
    X-Barracuda-BRTS-Status: 1
    X-Virus-Scanned: by bsmtpd at <removed>
    X-Barracuda-Scan-Msg-Size: 21889
    X-Barracuda-Spam-Score: 0.00
    X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=2.0 QUARANTINE_LEVEL=2.0 KILL_LEVEL=3.0 tests=BSF_SC0_MISMATCH_TO, HTML_MESSAGE
    X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.48677
                Rule breakdown below
                pts rule name              description
                ---- ---------------------- --------------------------------------------------
                0.00 HTML_MESSAGE           BODY: HTML included in message
                0.00 BSF_SC0_MISMATCH_TO    Envelope rcpt doesn't match header

    This is an S/MIME signed message