Overview
Websites whose certificates are signed by the Sectigo root CA may fail to connect with a certificate validation failed error, because the AddTrust External CA Root certificate expired on May 30th 2020.
The issue occurs because OpenSSL builds a certificate chain path that leads to the expired 'AddTrust External CA' root. As a result, sites signed by the Sectigo root CA may fail to connect, and a certificate validation failed message is displayed to the end user.
If a site presents an expired certificate and its traffic is processed by the Sophos UTM web proxy, the proxy blocks the website by default.
Here is a sample packet capture in which the remote server presents the CA certificate that has expired.
When the expired certificate is presented to the Sophos UTM web proxy, the proxy validates the certificate and determines whether it is valid. In this case it is not, so the connection is blocked by default.
You may also observe this indication in HTTP.log: url="https://example.com/" referer="" error="Failed to verify server certificate"
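As an added example (not part of the original article or of Sophos UTM), the following Python script parses HTTP.log lines in the key="value" format quoted above and lists, per source IP and destination host, the requests that were blocked because the server certificate failed verification, so affected destinations can be triaged. The sample log lines are constructed; only the url, referer and error fields mirror the fragment in the article, the remaining field names are assumed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines, not real captures. The url/referer/error fields
# mirror the fragment quoted in the article; the other fields are assumed.
SAMPLE_HTTP_LOG = """\
2020:05:31-10:15:22 utm httpproxy[4242]: action="block" method="CONNECT" srcip="10.0.0.5" url="https://example.com/" referer="" error="Failed to verify server certificate"
2020:05:31-10:15:23 utm httpproxy[4242]: action="pass" method="GET" srcip="10.0.0.5" url="https://intranet.example.net/index.html" referer="" error=""
2020:05:31-10:15:25 utm httpproxy[4242]: action="block" method="CONNECT" srcip="10.0.0.9" url="https://example.com/login" referer="https://example.com/" error="Failed to verify server certificate"
2020:05:31-10:15:30 utm httpproxy[4242]: action="block" method="GET" srcip="10.0.0.5" url="http://blocked.example.org/" referer="" error="Blocked by category"
"""

CERT_ERROR = "Failed to verify server certificate"
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_fields(line):
    """Return the key="value" pairs of one HTTP.log line as a dict."""
    return dict(FIELD_RE.findall(line))


def cert_verify_failures(log_text):
    """Return (srcip, host, url) for every line logged with the
    server-certificate verification error."""
    failures = []
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("error") != CERT_ERROR:
            continue
        host = urlsplit(fields.get("url", "")).hostname or "<unknown>"
        failures.append((fields.get("srcip", ""), host, fields["url"]))
    return failures


def failures_per_host(log_text):
    """Count verification failures per destination host."""
    return Counter(host for _, host, _ in cert_verify_failures(log_text))


if __name__ == "__main__":
    for srcip, host, url in cert_verify_failures(SAMPLE_HTTP_LOG):
        print(f"{srcip} -> {host}: {url}")
    print(dict(failures_per_host(SAMPLE_HTTP_LOG)))
```

Hosts that appear repeatedly are the ones whose served chain should be checked for the expired AddTrust path.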
More information is available here: https://community.sophos.com/kb/en-us/135542