We're currently running 18.104.22.168 across all web appliances / single management appliance (it's been stable; we've had random issues in the past and do not update unless a specific reason forces us to).
Today we experienced https scanning issues with some sites. All sites scanned through SSL Labs showed an expired cert dated 30th May 2020. Relating to this article:
Has anyone else had https inspection issues today on later firmware versions 4.3.9, 22.214.171.124 or 4.3.10?
Does the following bug fix listed in 4.3.9 release notes cover this specific issue?
The trusted CA certificates used for certificate validation have been updated.
Does updating to later versions replace the appliance cert used for https inspection?
Interested in comments from Sophos dev team if they are on this channel.
Thanks in advance!
How is this not answered yet?
This breaks a significant number of sites, including some from governmental organizations.
I will try to add the corrected Root CAs myself, but if I wanted to manage my own solution, I wouldn't have bought an appliance, Sophos.
I get not trusting Comodo just because they changed their name, but at least give us an official statement so we know where we're at.
For others - the respective Comodo pages are https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117WR and https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT - however, they, too, are using the certs rejected by the SWA under 4.3.10.
I have manually added USERTrust RSA Certification Authority self-signed, USERTrust RSA Certification Authority signed by AAA Certificate Services and COMODO RSA Certification Authority.
It is my understanding (from https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ) that at least the latter should have provided a usable trust anchor.
Unfortunately, there is no noticeable change.
Hilariously, while trying to look at the changelog referenced by OP, it turned out that Sophos' own site is equally challenged, because the SWA doesn't trust swa.sophos.com's GlobalSign chain.
Not looking good here, Sophos.