We're currently running 220.127.116.11 across all web appliances / single management appliance (it's been stable; we've had random issues in the past and do not update unless a specific reason forces us to).
Today we experienced HTTPS scanning issues with some sites. All sites scanned through SSL Labs showed a cert that expired 30th May 2020. Relating to this article:
Has anyone else had HTTPS inspection issues today on later firmware versions 4.3.9, 18.104.22.168 or 4.3.10?
Does the following bug fix listed in 4.3.9 release notes cover this specific issue?
The trusted CA certificates used for certificate validation have been updated.
Does updating to later versions replace the appliance cert used for https inspection?
Interested in comments from Sophos dev team if they are on this channel.
Thanks in advance!
This problem is not restricted to Sophos Web Appliance; it is also affecting other vendors. In our case we also have Palo Altos and they have the same problem. Sectigo implemented a cross-signing solution on their expiring Root CA some time ago; here are a couple of links which cover the issue in detail …
The problem is primarily that the Sophos Web Appliance is not able to correctly interpret the Cross Signing implemented by Sectigo and continues to try only the expired Root CA when checking the "chain of trust".
We have been able to implement a temporary workaround, which is far from ideal, by adding the affected web sites to the HTTPS scanning exemptions list until Sophos can provide a fix … hope this helps someone.
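The chain-of-trust behaviour described in the reply above, as an added example that is not part of the thread and not Sophos or Sectigo code: a simplified model (no real X.509 parsing) contrasting a validator that only follows the server-sent chain with one that prefers a still-valid trust anchor for the cross-signed CA. All certificate names, keys and dates are constructed, except the 30 May 2020 expiry taken from the thread.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str        # stands in for the subject's public key
    signed_by: str  # key that signed this certificate
    not_after: date

# Constructed sample data. CROSS and NEW_ROOT carry the same subject and key:
# one is issued by the expiring root, the other is a self-signed trust anchor.
OLD_ROOT = Cert("Old Root", "Old Root", "k-old", "k-old", date(2020, 5, 30))
NEW_ROOT = Cert("New Root", "New Root", "k-new", "k-new", date(2038, 1, 18))
CROSS = Cert("New Root", "Old Root", "k-new", "k-old", date(2020, 5, 30))
INTERMEDIATE = Cert("Issuing CA", "New Root", "k-int", "k-new", date(2030, 12, 31))
LEAF = Cert("www.example.test", "Issuing CA", "k-leaf", "k-int", date(2021, 1, 1))
TRUST_STORE = [OLD_ROOT, NEW_ROOT]
SERVER_CHAIN = [LEAF, INTERMEDIATE, CROSS]

def issuers(cert, pool):
    """Certificates in pool whose name and key match cert's issuer and signer."""
    return [c for c in pool if c.subject == cert.issuer and c.key == cert.signed_by]

def naive_path(chain, anchors, today):
    """Follow the chain exactly as sent, then look up the root of its last cert."""
    root = issuers(chain[-1], anchors)[:1]
    path = chain + root
    ok = bool(root) and all(today <= c.not_after for c in path)
    return [c.subject for c in path] if ok else None

def build_path(cert, extra, anchors, today, seen=()):
    """Depth-first path building: stop at the first unexpired trust anchor."""
    if today > cert.not_after or cert in seen:
        return None
    if any(today <= a.not_after for a in issuers(cert, anchors)):
        return [cert.subject, cert.issuer]
    for candidate in issuers(cert, extra):
        rest = build_path(candidate, extra, anchors, today, seen + (cert,))
        if rest:
            return [cert.subject] + rest
    return None

if __name__ == "__main__":
    for day in (date(2020, 5, 29), date(2020, 6, 1)):
        print(day, "naive:", naive_path(SERVER_CHAIN, TRUST_STORE, day))
        print(day, "built:", build_path(LEAF, SERVER_CHAIN[1:], TRUST_STORE, day))
```
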
Another good recently released article can be reviewed here
Please view the following article for more information:
Is that article relevant to the Sophos Web Appliance?