This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firmware 4.3.8.1 & expired certificate 30th May 2020

We're currently running 4.3.8.1 across all web appliances / single management appliance (it's been stable, we've had random issues in the past and do not update unless a specific reason forces us to..).

Today we experienced https scanning issues with some sites. All sites scanned through SSL Labs showed an expired cert 30th May 2020. Relating to this article:-

https://thesslonline.com/blog/sectigo-addtrust-external-ca-root-expiring-may-30-2020


Has anyone else had https inspection issues today on later firmware versions 4.3.9, 4.3.9.1 or 4.3.10 ??

Does the following bug fix listed in 4.3.9 release notes cover this specific issue?

NSWA-1634

The trusted CA certificates used for certificate validation have been updated.

Does updating to later versions replace the appliance cert used for https inspection?

 

Interested in comments from Sophos dev team if they are on this channel.

Thanks in advance!



This thread was automatically locked due to age.
Parents Reply Children
  • If Support doesn't move, do tell and I'll open another case from our end. I'll poke 'em on Twitter as well.

    I see there's a related issue at the GnuTLS-project (https://gitlab.com/gnutls/gnutls/-/issues/1008) - depending on the SWA's make, this might be the root cause, or a similar issue.

    (In their case, it seems like they're evaluating the certificate chain by order, and if the expired cert comes before the valid one, they reject the chain, despite the fact that a valid, chain-forming cert follows later.)