Websites signed by the Sectigo root CA may fail to connect with a certificate validation failure, because the AddTrust External CA Root certificate expired on May 30th 2020.
The issue occurs because OpenSSL checks the certificate chain path, which leads to the expired 'AddTrust External CA'. As a result, sites signed by the Sectigo root CA may fail to connect, and a certificate validation failed message is displayed to the end user.
If a site that presents an expired certificate is processed by Sophos Web Appliance, the appliance blocks the website at certificate verification.
Here is a sample of the packet capture in which the remote server presents the expired CA certificate.
If an expired certificate is presented to Sophos Web Appliance, it validates the certificate and determines whether it is valid or not. Users would see the following error message.
For more information, please visit this article: https://community.sophos.com/kb/en-us/135544
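A defender-side check for the condition described above, as an added example that is not part of the original article and is not Sophos code: it splits a PEM chain, such as the output of `openssl s_client -showcerts`, and uses `openssl x509 -checkend` to flag every certificate that is expired or expires within a given window. The function name `chain_expiry_report`, the file name `chain.pem` and the host `example.com` are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original article, not Sophos code).
# To capture the chain a server presents (example.com is a placeholder host):
#   openssl s_client -connect example.com:443 -servername example.com \
#       -showcerts </dev/null > chain.pem

# chain_expiry_report BUNDLE [WINDOW_SECONDS]
# Prints one line per certificate found in BUNDLE:
#   "<OK|FLAGGED> <notAfter> <subject>"
# FLAGGED means the certificate is expired, or expires within WINDOW_SECONDS
# (default 0 = expired right now). Returns 1 if any certificate is flagged.
chain_expiry_report() {
    local bundle="$1" window="${2:-0}" tmpdir flagged=0 cert status
    tmpdir=$(mktemp -d) || return 2

    # Write each PEM block to its own file; any text between blocks
    # (s_client prints subject/issuer lines there) is ignored.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"

    for cert in "$tmpdir"/cert*.pem; do
        [ -e "$cert" ] || continue
        # -checkend exits 0 only if the certificate is still valid
        # WINDOW_SECONDS from now.
        if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
            status=OK
        else
            status=FLAGGED
            flagged=1
        fi
        printf '%s %s %s\n' "$status" \
            "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" \
            "$(openssl x509 -in "$cert" -noout -subject)"
    done

    rm -rf "$tmpdir"
    return "$flagged"
}
```

Run `chain_expiry_report chain.pem` against a captured chain; a `FLAGGED` line on an intermediate or CA certificate, rather than on the site's own certificate, points to the situation this article describes.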
This is scheduled to be fixed in release SWA 220.127.116.11 FCS, targeted for June 9th 2020. GA to follow shortly after.
FCS released as of June 11th, 2020. GA is scheduled for June 17th, 2020.