We're currently running 22.214.171.124 across all web appliances / single management appliance (it's been stable, we've had random issues in the past and do not update unless a specific reason forces us to..).
Today we experienced https scanning issues with some sites. All sites scanned through SSL Labs showed an expired cert 30th May 2020. Relating to this article:-
Has anyone else had https inspection issues today on later firmware versions 4.3.9, 126.96.36.199 or 4.3.10?
Does the following bug fix listed in 4.3.9 release notes cover this specific issue?
The trusted CA certificates used for certificate validation have been updated.
Does updating to later versions replace the appliance cert used for https inspection?
Interested in comments from Sophos dev team if they are on this channel.
Thanks in advance!
Evening,
We are running 4.3.10 and yes, we've also been having issues with sites where the expired cert is in the chain.
Came here to see if there was a quick solution, like the one I read about for the UTM: https://www.stephenwagner.com/2020/06/01/sophos-utm-xg-untrusted-website-certificate-expired-april-may-2020/
How is this not answered yet?
This breaks a significant number of sites, including some from governmental organizations.
I will try to add the corrected Root CAs myself, but if I wanted to manage my own solution, I wouldn't have bought an appliance, Sophos.
I get not trusting Comodo just because they changed their name, but at least give us an official statement so we know where we're at.
For others - the respective Comodo pages are https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117WR and https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT - however, they, too, are using the certs rejected by the SWA under 4.3.10.
I have manually added USERTrust RSA Certification Authority self-signed, USERTrust RSA Certification Authority signed by AAA Certificate Services and COMODO RSA Certification Authority.
It is my understanding (from https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ) that at least the latter should have provided a usable trust anchor.
Unfortunately, there is no noticeable change.
Hilariously, while trying to look at the changelog referenced by OP, it turned out that Sophos' own Site is equally challenged, because the SWA doesn't trust swa.sophos.com's GlobalSign chain.
Not looking good here, Sophos.
Good (kind of..) to see I'm not alone. I've raised the case with Sophos support, escalated via Twitter SophosSupport and emailed contacts at Sophos support for escalation. Hopefully some movement today.
If Support doesn't move, do tell and I'll open another case from our end. I'll poke 'em on Twitter as well.
I see there's a related issue at the GnuTLS-project (https://gitlab.com/gnutls/gnutls/-/issues/1008) - depending on the SWA's make, this might be the root cause, or a similar issue.
(In their case, it seems like they're evaluating the certificate chain by order, and if the expired cert comes before the valid one, they reject the chain, despite the fact that a valid, chain-forming cert follows later.)
Response from support ticket
02/06/2020 14:30 BST
The issue related to certificate error for sites using sectigo/comodo in their Certificate path is being investigated by our Dev team and will provide feedback as soon as we have an update.
This problem is not restricted to Sophos Web Appliance; it is also affecting other vendors. In our case we also have Palo Altos, and they have the same problem. Sectigo implemented a cross-signing solution on their expiring Root CA some time ago; here are a couple of links which cover the issue in detail …
The problem is primarily that the Sophos Web Appliance is not able to correctly interpret the Cross Signing implemented by Sectigo and continues to try only the expired Root CA when checking the "chain of trust".
We have been able to implement a temporary workaround, which is far from ideal, by adding the affected web sites to the HTTPS scanning exemptions list until Sophos can provide a fix … hope this helps someone.
Another good recently released article can be reviewed here
Please view the following article for more information:
Is that article relevant to the Sophos Web Appliance?
Thanks for the input. We are indeed excluding sites from https scanning as the workaround and have been doing so since Monday morning when the problem surfaced.
It seems this one was well and truly on the radar before the expiry date arrived but it managed to slip through the development team net (noted - not just for Sophos) being quite an integral part of the certificate chain validation process.
Actually disabling https inspection across the board, not sure I would've gone as far as listing that under workaround. That's a pretty drastic approach in the current security climate.
Not your fault I know. Hopefully they'll come up with another resolution.
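
Added example, not part of any post in this thread and not Sophos or GnuTLS code: a simplified Python model of the two validation strategies the thread describes, in-order checking of the chain as sent versus path building that prefers a valid trust anchor. Only names and dates are compared (no signatures); all names and dates are constructed except the USERTrust CA name and the 30 May 2020 expiry quoted above.

```python
from collections import namedtuple
from datetime import date

# Simplified model: names and dates only, no signatures are verified.
Cert = namedtuple("Cert", "subject issuer not_after")

USERTRUST = "USERTrust RSA Certification Authority"
OLD_ROOT = "Legacy Root (constructed name)"
EXPIRY = date(2020, 5, 30)  # expiry date quoted in the thread

# Constructed sample chain, in the order a server might present it
leaf = Cert("www.example.test", "Intermediate CA (constructed)", date(2021, 1, 1))
inter = Cert("Intermediate CA (constructed)", USERTRUST, date(2030, 1, 1))
cross = Cert(USERTRUST, OLD_ROOT, EXPIRY)  # cross-signed copy, now expired
sent_chain = [leaf, inter, cross]

old_store = [Cert(OLD_ROOT, OLD_ROOT, EXPIRY)]  # only the expiring root
new_store = old_store + [Cert(USERTRUST, USERTRUST, date(2038, 1, 1))]

def valid(cert, today):
    return today <= cert.not_after

def anchor_for(issuer, store, today):
    return next((a for a in store if a.subject == issuer and valid(a, today)), None)

def validate_in_order(chain, store, today):
    """Walk the chain exactly as sent; one expired cert rejects everything."""
    for cert, nxt in zip(chain, chain[1:]):
        if not valid(cert, today) or cert.issuer != nxt.subject:
            return False
    last = chain[-1]
    return valid(last, today) and anchor_for(last.issuer, store, today) is not None

def validate_path_building(chain, store, today):
    """At each step prefer a valid trust anchor; skip unusable extra certs."""
    cert, seen = chain[0], set()
    while valid(cert, today) and cert not in seen:
        seen.add(cert)
        if anchor_for(cert.issuer, store, today):
            return True
        cert = next((c for c in chain if c.subject == cert.issuer
                     and valid(c, today) and c not in seen), None)
        if cert is None:
            return False
    return False
```

In this model, adding the self-signed root to the trust store changes nothing for the in-order validator, which is consistent with the manual-import attempt reported above having no effect.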