
Firmware 4.3.8.1 & expired certificate 30th May 2020

We're currently running 4.3.8.1 across all web appliances / single management appliance (it's been stable; we've had random issues in the past and do not update unless a specific reason forces us to).

Today we experienced https scanning issues with some sites. All sites scanned through SSL Labs showed an expired cert 30th May 2020. Relating to this article:-

https://thesslonline.com/blog/sectigo-addtrust-external-ca-root-expiring-may-30-2020


Has anyone else had https inspection issues today on later firmware versions 4.3.9, 4.3.9.1 or 4.3.10?

Does the following bug fix listed in 4.3.9 release notes cover this specific issue?

NSWA-1634

The trusted CA certificates used for certificate validation have been updated.

Does updating to later versions replace the appliance cert used for https inspection?

Interested in comments from Sophos dev team if they are on this channel.

Thanks in advance!



  • ... the problem has not only existed for 14 days.

    I have noticed the first occurrences in UTM - 9.701-6 increasingly since Jan 2020.
    So far, however, I was of the opinion that the problem was on the opposite side (of the respective homepage) because the message "certificate has expired" was always written out in conjunction with the target URL.

    I hope for a quick fix by Sophos.

    <community.sophos.com/.../135544>
    Next update
    This article will be updated when any new information becomes available.

    ... but without an appointment it does not seem to be so urgent.

  • Hi Andrew,

    Not sure why you think I disabled https inspection across the board but I have only added sites which have a dependency on the expired certificate.

    While excluding web sites from https inspection works in most cases, we have found some issues where the websites have embedded content from another website or rely on other websites to present content, e.g. where it uses jquery. In these scenarios it requires identification of additional sites which also need to be excluded from https inspection.

    All of this just adds more work to undo once Sophos are able to provide a hotfix or similar which resolves the issue.

  • Apologies Duncan, crossed wires from me there! - it was directed at Sophos and their article which lists the step 2 workaround. We see the same as you with further underlying sites to exclude, pages not fully loading etc.

    "If the number of sites are too many and the first workaround is not practical, you can disable HTTPS scanning and certificate validation. This will apply to every site.

    WARNING: We do not recommend enabling HTTPS scanning without certificate validation. For this reason, we suggest disabling HTTPS scanning with certificate validation together as a workaround."

  • Update from Sophos support.

    The issue is scheduled to be fixed in release SWA 4.3.10.1 FCS (First Customer Shipment) targeted for 09 June 2020. GA to follow shortly after. 

  • How is everybody else's experience with the patch? We installed v4.3.10.1 GA half an hour ago and the issue still persists.

    Did it work for anyone?

  • Update: Seems to work now.

    May have been a cache issue, no idea.

  • My testing would indicate that the problem is still ongoing; I have reported the same to Sophos through my open call for this issue. Escalated back to Sophos 24hrs ago, still waiting for a response/update.

  • Thanks for updating Duncan. We are due to test out of hours tomorrow but will hold pending further news here.

    I see you posted details of the 4.3.10.1 release therefore I assume you're working in dev. Are you taking note of the comments here and following the support case?

  • Hi  

    I do not work in development, but I can certainly reach out to them if needed. According to the article that  posted earlier, v4.3.10.1 should fix this issue: https://community.sophos.com/kb/en-us/135544

     can you please pm me the support case number so that I can look into it for you? 

    Thanks,

    Yashraj Singha

    Community Team Lead, Support & Services| Sophos Technical Support

  • Hi all, just wondered how the new release was looking. Are some still seeing the issue? Or any other unrelated issues with the release?

    Are UTM support able to see how many appliances have applied / pulled the update globally and could you give us a rough estimation here?