We're currently running 188.8.131.52 across all web appliances / single management appliance (it's been stable, we've had random issues in the past and do not update unless a specific reason forces us to..).
Today we experienced https scanning issues with some sites. All sites scanned through SSL Labs showed an expired cert 30th May 2020. Relating to this article:-
Has anyone else had https inspection issues today on later firmware versions 4.3.9, 184.108.40.206 or 4.3.10?
Does the following bug fix listed in 4.3.9 release notes cover this specific issue?
"The trusted CA certificates used for certificate validation have been updated."
Does updating to later versions replace the appliance cert used for https inspection?
Interested in comments from Sophos dev team if they are on this channel.
Thanks in advance!
Good (kind of..) to see I'm not alone. I've raised the case with Sophos support, escalated via Twitter SophosSupport and emailed contacts at Sophos support for escalation. Hopefully some movement today.
If Support doesn't move, do tell and I'll open another case from our end. I'll poke 'em on Twitter as well.
I see there's a related issue at the GnuTLS project (https://gitlab.com/gnutls/gnutls/-/issues/1008) - depending on the SWA's make, this might be the root cause, or a similar issue.
(In their case, it seems like they're evaluating the certificate chain by order, and if the expired cert comes before the valid one, they reject the chain, despite the fact that a valid, chain-forming cert follows later.)
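Added example (not part of the thread, and not GnuTLS or Sophos code): a simplified model of the behaviour described in the last post, comparing a validator that follows the first issuer it finds with one that tries every candidate issuer. The certificate names, dates other than the 30 May 2020 expiry, and the pool order are constructed; signatures are not checked, only names and validity dates.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed sample data: an old root and its cross-signature expire on 30 May 2020,
# while a newer self-signed root with the same subject as the cross-cert is still valid.
OLD_ROOT = Cert("Old Root", "Old Root", date(2020, 5, 30))
NEW_ROOT = Cert("New Root", "New Root", date(2038, 1, 18))
CROSS = Cert("New Root", "Old Root", date(2020, 5, 30))
INTERMEDIATE = Cert("Intermediate CA", "New Root", date(2030, 1, 1))
LEAF = Cert("www.example.test", "Intermediate CA", date(2021, 1, 1))

ANCHORS = (OLD_ROOT, NEW_ROOT)           # local trust store
POOL = (INTERMEDIATE, CROSS) + ANCHORS   # presented chain first, then the store

def issuers_of(cert, pool):
    """Candidate issuers by name match, in pool order."""
    return [c for c in pool if c.subject == cert.issuer and c != cert]

def validate_in_order(leaf, pool, anchors, today):
    """Follows only the first candidate issuer; an expired one ends validation."""
    cur = leaf
    for _ in range(len(pool) + 1):       # bound the walk to avoid loops
        if cur.not_after < today:
            return False
        if cur in anchors:
            return True
        candidates = issuers_of(cur, pool)
        if not candidates:
            return False
        cur = candidates[0]
    return False

def validate_with_path_building(cert, pool, anchors, today, seen=()):
    """Tries every candidate issuer and backtracks past expired ones."""
    if cert.not_after < today or cert in seen:
        return False
    if cert in anchors:
        return True
    return any(validate_with_path_building(c, pool, anchors, today, seen + (cert,))
               for c in issuers_of(cert, pool))

if __name__ == "__main__":
    day_after = date(2020, 5, 31)
    print("in order:     ", validate_in_order(LEAF, POOL, ANCHORS, day_after))
    print("path building:", validate_with_path_building(LEAF, POOL, ANCHORS, day_after))
```

In this model the in-order validator accepts the chain up to 30 May 2020 and rejects it the day after, while the path-building validator accepts it on both dates.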