
The Certificate REDS use

Recently a PCI report flagged that on port 3400, the certificate on the server side was "self-signed", which seemed to be a problem.

We purchased a cert - and uploaded it, configured webmin to use it. So far, so good!

Is there any way to have the new cert be the same cert that is used by the ASG when listening on port 3400? The box is currently running 8.309.

Thanks


  • The RED client/server uses certificates signed by the Sophos UTM itself with a local root authority, and does not use the certificate that you upload. This is the expected behaviour.
  • To underline Peter's response, port 3400 is not used for anything other than connecting a proprietary device with a proprietary protocol, so there's no reason to have a publicly-verifiable cert. In fact, having a self-signed cert might actually decrease the chance of someone hacking any given connection. If the PCI folks won't give you a pass quickly, hire someone else the next time, and let them know why you fired the last company.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob answered this well; in this case, I agree, a publicly-signed cert might actually be less secure for this one purpose than a privately signed one.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Thank you for the feedback - I couldn't agree more that in this case, the self-signed cert enhances the RED's ability to know and spot man-in-the-middle attacks. I'll advise my customer in the morning accordingly.
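As an added illustration (not code from this thread, from Sophos, or from the RED firmware) of why the replies above hold: a client provisioned with only its own private root accepts the certificate that root issued and rejects a same-named certificate from any other CA, with the system trust store never consulted. The names utm-local-ca, unrelated-ca and red.example are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a short-lived test certificate; a nil parent makes a self-signed CA.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames:  []string{cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PinnedVerify accepts a peer cert only if it chains to the one private root we were
// provisioned with; because Roots is set, the OS trust store is not consulted at all.
func PinnedVerify(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Demo models the RED case: a UTM-style local CA issues the tunnel cert, while an
// unrelated CA (standing in for any public CA) issues a lookalike with the same name.
func Demo() (utmIssuedAccepted, foreignIssuedAccepted bool) {
	utmCA, utmKey := mkCert("utm-local-ca", true, nil, nil)
	otherCA, otherKey := mkCert("unrelated-ca", true, nil, nil)
	redLeaf, _ := mkCert("red.example", false, utmCA, utmKey)
	lookalike, _ := mkCert("red.example", false, otherCA, otherKey)
	return PinnedVerify(redLeaf, utmCA, "red.example"), PinnedVerify(lookalike, utmCA, "red.example")
}
```

The second result is the point of the thread: a publicly trusted certificate for red.example would pass a browser-style check, but it is worthless to a device that pins its own root, and that pinning is what makes an interposed endpoint detectable.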