This problem is not restricted to Sophos Web Appliance it is also affecting other Vendors in our case we also have Palo Altos and it has the same problem. Sectigo implemented a cross signing solution on there expiring Root CA some time ago here's a couple of links which cover the issue in detail …

https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020 
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ

The problem is primarily that the Sophos Web Appliance is not able to correctly interpret the Cross Signing implemented by Sectigo and continues to try only the expired Root CA when checking the "chain of trust".

We have been able to implement a temporary work around, which is far from ideal, by adding the affected Web Sites to the HTTPS scanning exemptions list until Sophos can provide a fix … hope this helps someone.

Another good recently released article can be reviewed here

https://nakedsecurity.sophos.com/2020/06/02/the-mystery-of-the-expiring-sectigo-web-certificate/

Hi Duncan

Thanks for the input. We are indeed excluding sites from https scanning as the workaround and have been doing so since Monday morning when the problem surfaced.

It seems this one was well and truly on the radar before the expiry date arrived but it managed to slip through the development team net (noted - not just for Sophos) being quite an integral part of the certificate chain validation process.

Actually disabling https inspection across the board, not sure I would've gone as far as listing that under workaround. That's a pretty drastic approach in the current security climate.

Not your fault I know. Hopefully they'll come up with another resolution.

Thanks

Hi Andrew,

Not sure why you think I disabled https inspection across the board but I have only added site which have a dependency on the expired certificate.

While excluding web sites from https inspection works in most case we have found some issues where the website have imbedded content from another website or rely on other website to present content e.g. where it uses jquery. In these scenarios it requires identification of additional sites which also need to excluded from https inspection.

All of this just adds more work to undo once Sophos are able to provide a hotfix or similar which resolves the issue.

Apologies Duncan, crossed wires from me there! - it was directed at Sophos and their article which lists the step 2 workaround. We see the same as you with further underlying sites to exclude, pages not fully loading etc.

"If the number of sites are too many and the first workaround is not practical, you can disable HTTPS scanning and certificate validation. This will apply to every site.

WARNING: We do not recommend enabling HTTPS scanning without certificate validation. For this reason, we suggest disabling HTTPS scanning with certificate validation together as a workaround."

Update from Sophos support.

The issue is scheduled to be fixed in release SWA 4.3.10.1 FCS (First Customer Shipment) targeted for 09 June 2020. GA to follow shortly after. 

How is everybody else's experience with the patch? We installed v4.3.10.1 GA half an hour ago and the issue still persists.

Did it work for anyone?

Update: Seems to work now.

May have been a cache issue, no idea.

My testing would indicate that the problem is still ongoing, I have reported the same to Sophos through my open call for this issue. Escalated back to Sophos 24hrs ago still waiting for a response/update.

My testing would indicate that the problem is still ongoing, I have reported the same to Sophos through my open call for this issue. Escalated back to Sophos 24hrs ago still waiting for a response/update.

Thanks for updating Duncan. We are due to test out of hours tomorrow but will hold pending further news here.

Yashraj S I see you posted details of the 4.3.10.1 release therefore I assume you're working in dev. Are you taking note of the comments here and following the support case?

Hi Andrew Meek 

I do not work in development, but I can certainly reach out to them if needed. According to the article that FloSupport posted earlier, v4.3.10.1 should fix this issue: https://community.sophos.com/kb/en-us/135544. 

Duncan Taylforth can you please pm me the support case number so that I can look into it for you? 

Hi all, just wondered how the new release was looking. Are some still seeing the issue? Or any other unrelated issues with the release?

Yashraj S are UTM support able to see how many appliances have applied / pulled the update globally and could you give us a rough estimation here?

Hi Andrew Meek 

We're on v4.3.10.1 since Sunday evening and still face this issue...

Hi Yashraj S

According to multiple reports the issue is not resolved, why is it taking so many days to confirm why people are saying the issue still exists - if Sophos believe it is resolved.

Look at the most recent comment before my reply. Others are saying the problem remains.

Hi Duncan, did the latest advisories resolve the issue for you?

Summary of actions taken to date ...

Please check that there a no Sectigo Certificates/affected websites certificates not added in the "Configuration > Global Policy > Certificate Validation > Check the custom cert list"

Difficult to justify the time to complete this step for more than 30 websites identified with the issue in our environment.

Issue can still occur if you have added the AddTrust External CA or UserTrust certificate manually. Please try removing those certificates from the certificate validation page if they are listed.

Checked out certificates and located one for AddTrust External CA which was likely added when first trying to troubleshoot the issue ... was expired so deleted. Found 4 certificates issued by USERTrust RSA Certificate Authority all current with expiry date years in the future did not take any action in regards to these.

Please try clearing the "Certificate Cache" under the "Configuration > Global policy > General options > Clear Certificate Cache". Please do this during downtime only. Wait for 15 to 20 minutes after doing this as it may take several minutes.

Completed this task on each Web Proxy Appliance in our cluster.

Please reboot the web appliance/s one by one after that.

Completed this task on each Web Proxy Appliance in our cluster.

I have been slowly (one at a time with testing for each) been removing websites from the HTTPS Scanning Exemptions. Completed 12 websites on Friday. Have re-checked them this morning (Monday) and all are still working normally. So the indications are that the issues have been resolved but I will still be taking a cautious approach to minimise any impact on our users working to towards a point where all websites previously added to the HTTPS Scanning Exemptions have been removed.

Hope this helps.

Cheers,
Duncan