Issue with iOS 13 & macOS 10.15 SSL Certificate Requirements for Transparent proxy

Hi All,

Apple have changed the validity requirements of certificates as detailed here:

https://support.apple.com/en-gb/HT210176

This has caused the transparent proxy on the UTM 9 to error on devices updated to iOS 13. Is there a way to configure or modify the man-in-the-middle certificate/template that is used by the UTM for automatically generated certificates to bring it into line with this new requirement?

From the quick checks I have done, it looks as though the issues are due to UTM issuing man-in-the-middle certs that are valid for 3 years, have a 1024-bit public key size and do not have the ExtendedKeyUsage extension set to TLS Web Server Authentication.

Excerpt from the above article:

All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

  • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
  • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

If anyone could point me to the location of the certificate template or mechanism of MIM certificate generation I would greatly appreciate it.

Edit: I have found a similar issue described in the XG forum. https://community.sophos.com/products/xg-firewall/f/intrusion-prevention/115171/ssl_scanning_certificate-not-accepted-under-ios-13

Many thanks,

Rax
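The Apple rules quoted above can be checked mechanically against any PEM file downloaded from the UTM. The script below is an added example, not part of the original post or of any Sophos tooling; it assumes OpenSSL 1.1.1 or later (for `-addext`) and GNU `date`, and the two certificates it builds are constructed for the demo (the "bad" one mirrors the defaults described in the post: 1024-bit key, three-year validity, no EKU).

```shell
#!/bin/sh
# Checks a PEM certificate against the iOS 13 / macOS 10.15 rules quoted above:
# RSA >= 2048 bits, SHA-2 signature, a DNS name in subjectAltName, a serverAuth
# EKU and a validity period of at most 825 days. Assumes OpenSSL 1.1.1+ and
# GNU date (for the validity arithmetic). Prints one line per failed rule and
# returns non-zero if any rule fails.
apple_tls_check() {
  cert="$1"; fails=0
  txt=$(openssl x509 -noout -text -in "$cert") || return 2
  bits=$(printf '%s\n' "$txt" | grep -o 'Public-Key: ([0-9]* bit)' | grep -o '[0-9][0-9]*')
  [ "${bits:-0}" -ge 2048 ] \
    || { echo "FAIL: key size ${bits:-unknown} is below 2048 bits"; fails=1; }
  sig=$(printf '%s\n' "$txt" | grep -m1 'Signature Algorithm:' | awk '{print $NF}')
  case "$sig" in
    sha256*|sha384*|sha512*|*SHA256|*SHA384|*SHA512) ;;
    *) echo "FAIL: signature algorithm $sig is not SHA-2"; fails=1 ;;
  esac
  printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:' \
    || { echo "FAIL: no DNS name in subjectAltName"; fails=1; }
  printf '%s\n' "$txt" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: no id-kp-serverAuth in extendedKeyUsage"; fails=1; }
  nb=$(openssl x509 -noout -startdate -in "$cert" | cut -d= -f2)
  na=$(openssl x509 -noout -enddate -in "$cert" | cut -d= -f2)
  days=$(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))
  [ "$days" -le 825 ] || { echo "FAIL: validity of $days days exceeds 825"; fails=1; }
  return $fails
}

# Constructed demo certificates (hypothetical host name utm.example.test):
# bad.pem has the defaults the thread describes, good.pem follows Apple's rules.
# Prints the temporary directory that holds both files.
make_demo_certs() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 1095 \
    -subj '/CN=utm.example.test' -keyout "$dir/bad.key" -out "$dir/bad.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -subj '/CN=utm.example.test' \
    -addext 'subjectAltName=DNS:utm.example.test' -addext 'extendedKeyUsage=serverAuth' \
    -keyout "$dir/good.key" -out "$dir/good.pem" 2>/dev/null
  echo "$dir"
}

demo=$(make_demo_certs)
for c in bad good; do
  echo "== $c.pem"; apple_tls_check "$demo/$c.pem" && echo "PASS: all rules met"
done
```

Run `apple_tls_check /path/to/downloaded.pem` against the UTM's signing CA or a proxied site's leaf certificate to see which of the five rules it misses.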

  • Guys, please get cases open with Sophos Support. This is supposed to work in 9.7.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Is there any news here? Something to do with the settings in the UTM, or a bug?

    Cheers

  • It looks like a bug.

    I updated to 9.7 and regenerated the certificate and have the same issue.

    I have logged a ticket with Sophos and am awaiting a response.

  • Did you check if the certificate actually meets all Apple requirements?

    Download the PEM and open it to verify that everything is in place.

    https://support.apple.com/en-gb/HT210176

  • Yes, I checked. It doesn't meet the requirements. The key size is 1024 when I click Regenerate in the UTM console. This is the issue.

    I followed the suggestion above by and manually generated a certificate to resolve the issue. This is a pain though. It would be nice to be able to click the button in the UTM and for it to work.

  • Me too, it is 1024-bit, not the supposed 2048-bit.

    Tested with the XG - here it works...

  • Hi Everyone,

    Apologies for not updating my own post. For context as to why I accepted this solution and haven't commented; I use XCA (Multi-platform GUI for OpenSSL) which I used to generate my SSL certs for home systems.

    As I have a Root CA already installed and trusted on all my home systems, I created a Subordinate CA for Sophos UTM using the recommended settings in the Apple article. This allows me to change the UTM Cert without having to update all my client devices as they will automatically trust it as an Issuer.

    I appreciate this may not help everyone.

    I use XCA as it allows me to manage and back up all my certificates as it uses its own password-protected database.

    Sophos need to update the Web Protection -> Filtering Options -> HTTPS CAs -> 'Regenerate' function to create 2048-bit keys for the certificate it uses, from what has been described by fellow users.

    I'm sure it's a straightforward option in a stored function somewhere in their code.

    Many thanks,

    Rax

  • Hi,

    I was wondering if anybody here has received any update on this from Sophos? I’m also having trouble with Apple devices which are running iOS 13.1.1 + and OSX 10.15. As others have stated here already, Apple have changed the requirements for certificates.

    Has anybody been able to generate a certificate for Sophos UTM HTTPS scanning using the Windows environment? I have a trusted Windows CA in my environment which I'd like to use to generate a certificate, but I'm having real trouble making any progress.

    Regards,
    Richard

  • The issue has been reported as a bug with ID NUTM-11345 (Regenerated Signing CA using 1024bit key, causing iOS 13 trust issues).

    The fix is going to be released in the firmware version 9.7 MR1 (9.701).

    Which is most probably going to be released around Jan 14.

    Kind regards

    -- 

    Rolf

  • I can confirm that UTM 9.701 includes the fix for

    • NUTM-11345 [Web] Regenerated Signing CA using 1024bit key, causing iOS 13 trust issues

    and does generate 2048-bit keys as required by Apple's new policies. One does of course need to regenerate the Signing CA and then distribute it, but that is to be expected: Web Protection / Filtering Options / HTTPS CAs / Signing CA / Regenerate

    Thanks Sophos!

    --Larry