This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firmware 4.3.8.1 & expired certificate 30th May 2020

We're currently running 4.3.8.1 across all web appliances / single management appliance (it's been stable, we've had random issues in the past and do not update unless a specific reason forces us to..).

Today we experienced https scanning issues with some sites. All sites scanned through SSL Labs showed an expired cert 30th May 2020. Relating to this article:-

https://thesslonline.com/blog/sectigo-addtrust-external-ca-root-expiring-may-30-2020


Has anyone else had https inspection issues today on later firmware versions 4.3.9, 4.3.9.1 or 4.3.10 ??

Does the following bug fix listed in 4.3.9 release notes cover this specific issue?

NSWA-1634

The trusted CA certificates used for certificate validation have been updated.

Does updating to later versions replace the appliance cert used for https inspection?

 

Interested in comments from Sophos dev team if they are on this channel.

Thanks in advance!



This thread was automatically locked due to age.
Parents
  • This problem is not restricted to Sophos Web Appliance it is also affecting other Vendors in our case we also have Palo Altos and it has the same problem. Sectigo implemented a cross signing solution on there expiring Root CA some time ago here's a couple of links which cover the issue in detail …

    https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 
    https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ

    The problem is primarily that the Sophos Web Appliance is not able to correctly interpret the Cross Signing implemented by Sectigo and continues to try only the expired Root CA when checking the "chain of trust".

    We have been able to implement a temporary work around, which is far from ideal, by adding the affected Web Sites to the HTTPS scanning exemptions list until Sophos can provide a fix … hope this helps someone.

    Another good recently released article can be reviewed here

    https://nakedsecurity.sophos.com/2020/06/02/the-mystery-of-the-expiring-sectigo-web-certificate/

     

     

     

  • Hi Duncan

    Thanks for the input. We are indeed excluding sites from https scanning as the workaround and have been doing so since Monday morning when the problem surfaced.

    It seems this one was well and truly on the radar before the expiry date arrived but it managed to slip through the development team net (noted - not just for Sophos) being quite an integral part of the certificate chain validation process.

    Actually disabling https inspection across the board, not sure I would've gone as far as listing that under workaround. That's a pretty drastic approach in the current security climate.

    Not your fault I know. Hopefully they'll come up with another resolution.

    Thanks

  • Hi Andrew,

    Not sure why you think I disabled https inspection across the board but I have only added site which have a dependency on the expired certificate.

    While excluding web sites from https inspection works in most case we have found some issues where the website have imbedded content from another website or rely on other website to present content e.g. where it uses jquery. In these scenarios it requires identification of additional sites which also need to excluded from https inspection.

    All of this just adds more work to undo once Sophos are able to provide a hotfix or similar which resolves the issue.

  • Apologies Duncan, crossed wires from me there! - it was directed at Sophos and their article which lists the step 2 workaround. We see the same as you with further underlying sites to exclude, pages not fully loading etc.

     

    "If the number of sites are too many and the first workaround is not practical, you can disable HTTPS scanning and certificate validation. This will apply to every site.

    WARNING: We do not recommend enabling HTTPS scanning without certificate validation. For this reason, we suggest disabling HTTPS scanning with certificate validation together as a workaround."

Reply
  • Apologies Duncan, crossed wires from me there! - it was directed at Sophos and their article which lists the step 2 workaround. We see the same as you with further underlying sites to exclude, pages not fully loading etc.

     

    "If the number of sites are too many and the first workaround is not practical, you can disable HTTPS scanning and certificate validation. This will apply to every site.

    WARNING: We do not recommend enabling HTTPS scanning without certificate validation. For this reason, we suggest disabling HTTPS scanning with certificate validation together as a workaround."

Children