We're currently running 184.108.40.206 across all web appliances / single management appliance (it's been stable; we've had random issues in the past and do not update unless a specific reason forces us to).
Today we experienced HTTPS scanning issues with some sites. All sites scanned through SSL Labs showed an expired cert (30th May 2020). Relating to this article:
Has anyone else had HTTPS inspection issues today on later firmware versions 4.3.9, 220.127.116.11 or 4.3.10?
Does the following bug fix listed in 4.3.9 release notes cover this specific issue?
The trusted CA certificates used for certificate validation have been updated.
Does updating to later versions replace the appliance cert used for HTTPS inspection?
Interested in comments from Sophos dev team if they are on this channel.
Thanks in advance!
If you are still experiencing issues, please ensure that you have performed these steps.
Thank you emmosophos and Draco!
Stupid me, I didn't think about going through the certificate validation list. We had the expired one listed there. Removing this (and several other expired ones) seems to have done the trick.
Hi KKA TDM
Wondered if you could do us a favour, could you test this URL through your updated appliances and confirm if it fails certificate validation?
Tried that website for you Andrew ... works fine for me.
Can confirm. Works without issues.
Thanks both for checking, appreciate that.
We seem to still have issues using that site as an example. We have a lot of manually added certs, many of which are expired no doubt, but I cannot find any left related to Sectigo or AddTrust / USERTrust. It would be helpful if that GUI section showed expiry. Not sure if they appear under any other issuing name. We cleared the cache and left it some time before rebooting all appliances yesterday.
Will refer back to support; maybe they can find the offending certificate or cache issue.
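The post above points out that the GUI for the certificate validation list does not show expiry dates, so finding the expired root means checking each certificate by hand. As an added example (not Sophos code and not from the original thread), the following standard-library Python script walks the DER structure of every certificate in a PEM bundle, reads the issuer CN and the notAfter field, and reports the expired ones. The bundle it runs against is constructed test data: the dummy certificates, their names and dates are invented for the demo; in practice you would feed it the exported trust list instead.

```python
"""List certificates in a PEM trust bundle and flag the expired ones.

Standard library only: a minimal DER walker that reads the issuer CN and the
Validity field of each X.509 certificate. Added example for this thread, not
Sophos code. SAMPLE_BUNDLE below is constructed test data, not a real CA cert.
"""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # id-at-commonName 2.5.4.3


def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDD..) or GeneralizedTime (0x18, YYYYMMDD..) to aware UTC."""
    s = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _name_cn(der, start, end):
    """Return the CN of a Name (SEQUENCE OF SET OF SEQUENCE {OID, value}) or None."""
    p = start
    while p < end:
        _, s_set, e_set = _tlv(der, p)        # RelativeDistinguishedName
        _, s_atv, _ = _tlv(der, s_set)        # AttributeTypeAndValue
        _, s_oid, e_oid = _tlv(der, s_atv)    # attribute type
        _, s_val, e_val = _tlv(der, e_oid)    # attribute value (any string type)
        if der[s_oid:e_oid] == OID_CN:
            return der[s_val:e_val].decode("utf-8", "replace")
        p = e_set
    return None


def cert_summary(der):
    """Return (issuer_cn, not_before, not_after) for a DER-encoded certificate."""
    _, p, _ = _tlv(der, 0)                  # Certificate
    _, p, _ = _tlv(der, p)                  # tbsCertificate
    tag, _, end = _tlv(der, p)              # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, end = _tlv(der, end)          # serialNumber
    _, _, end = _tlv(der, end)              # signature AlgorithmIdentifier
    _, i_start, i_end = _tlv(der, end)      # issuer Name
    _, v_start, _ = _tlv(der, i_end)        # validity
    t1, s1, e1 = _tlv(der, v_start)         # notBefore
    t2, s2, e2 = _tlv(der, e1)              # notAfter
    return (_name_cn(der, i_start, i_end),
            _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2]))


def expired_certs(pem_text, now=None):
    """Return [(issuer_cn, not_after)] for every certificate in the bundle expired at `now`."""
    now = now or datetime.now(timezone.utc)
    found = []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        cn, _, not_after = cert_summary(der)
        if not_after < now:
            found.append((cn, not_after))
    return found


# ---- constructed sample data (invented names and dates, not a real CA certificate) ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _der(0x30, _der(0x06, OID_CN) + _der(0x13, cn.encode("ascii")))
    return _der(0x30, _der(0x31, atv))


def make_dummy_cert_pem(cn, not_before, not_after):
    """Self-issued X.509 skeleton with an empty key and zero signature: parses, never validates."""
    def utc(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(cn) + _der(0x30, utc(not_before) + utc(not_after))
               + _name(cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, bytes(17)))
    b64 = base64.b64encode(cert).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# One dummy root that expired on 30 May 2020 and one that is still valid.
SAMPLE_BUNDLE = (make_dummy_cert_pem("Example Expired Root", datetime(2000, 5, 30, 10, 48, 38),
                                     datetime(2020, 5, 30, 10, 48, 38))
                 + make_dummy_cert_pem("Example Current Root", datetime(2010, 1, 1), datetime(2038, 1, 1)))

if __name__ == "__main__":
    for cn, not_after in expired_certs(SAMPLE_BUNDLE):
        print(f"EXPIRED {not_after:%Y-%m-%d} {cn}")
```

Run it against a real export by reading the bundle file into `expired_certs`; the walker only reads up to the Validity field, so it works on any well-formed certificate regardless of key type or extensions. It deliberately does no signature or chain checking, which is the appliance's job; the point is only to surface the expiry dates the GUI hides.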
Are you able to escalate support case 9920033? We're getting the all too common Sophos web appliance support wall of silence for a day or two.
We're still having issues with some sites despite clearing certs, the cache and rebooting appliances.
We will follow up with the assigned senior engineer on your support case. Regards,
Still nothing from support. I just wanted them to find the offending cert or cache item, to validate why we still see issues with that site as an example.
Apologies, I do see that the GES engineer reached out to you today, but a few moments later you mentioned the issue was solved.
You mentioned that all the affected sites again seem to be cleared, and it seems like the cache took longer to clear.