https scanning, where is the certificate cache for external websites?

I'm using a Sophos XG105w.  I have https scanning switched on for some PCs on my network, so that means the Sophos is checking website certificates and the certificate presented to the browser is the Sophos one.  All works fine for most websites.  Occasionally when I'm setting up a new website, I'll open a site that has an invalid certificate on the server.  I'll then fix the problem on the web server and once the certificate is correct, all other PCs here and elsewhere see the correct certificate with no errors.  However the PCs which are using https scanning via the XG still report the old invalid certificate.  I've tried reboots, updates, restart of Web Proxy service, etc.  It definitely isn't the PC at fault as switching off the https scanning on the XG makes it work.

How does the XG cache certificates from remote web servers when https scanning is in use?  How can I clear or reload this cache?

Thanks,
Stephen.



  • Hi,

    Just to be clear: you mean the web server replaced its cert and the XG still stores the old certificate?

    Because basically you should not see the old/new cert on the client, instead the XG SSL CA.

    Is this not the case?


  • That's right, the webserver had an invalid certificate, that was replaced with a valid one.  The XG still reports the invalid one to the client.

    All works as expected (client gets the XG SSL CA) for webservers that have always had a valid certificate.

  • I think you're along the right path that it might be a possible XG issue.  While I don't know the command line to clear the cache, it can be accessed under Web -> General Settings -> Advanced -> Web Content Caching -> Enable web content cache. (I'm on 17 MR-6)

    If you have it enabled, what happens if you turn that off and try accessing the site?  Just throwing out ideas to help.

  • Thanks, that's a good suggestion, unfortunately I didn't have web content cache enabled.

    The other related settings are also all unticked - Always cache Sophos Endpoint updates, Block unrecognized SSL protocols, Block invalid certificates.  I've just tried enabling the last two and reloading, but that made no difference.

  • When you get a certificate, which CA are you using? When you run a test at ssllabs.com against your site and you see the entire chain, do you see those certificates also in the XG?

  • I'm using LetsEncrypt for the certificates on the webservers.  These two sites are on the same webserver, both LetsEncrypt, same results in ssllabs:

    https://www.ssllabs.com/ssltest/analyze.html?d=renscouts.org.uk

    https://www.ssllabs.com/ssltest/analyze.html?d=renexplorers.org.uk&latest

    The root certificate is DST Root CA X3 which is installed on the XG.

    On a PC not using XG's https scanning, both websites open fine.  With scanning, the second site works fine but with the first I get:

    The hostname in the website’s security certificate differs from the website you are trying to visit.

    Error Code: DLG_FLAGS_SEC_CERT_CN_INVALID

    Which isn't true!  The only difference between the sites is that I once opened the first while it had an invalid certificate on the webserver.  I'm convinced the XG has "remembered" this old configuration and I need to clear it.

    Thanks.

  • We have the same problem on our XG330 (SFOS 17.0.6 MR-6). Any solution?

  • Ran into the same issue today. Could solve it by

    • SSHing to the XG
    • Chose »5. Device Management«
    • Chose »3. Advanced Shell«
    • Identified the certificate(s) in /var/certcache/ and removed the cached files
    • Then went to Protect > Web in the Web Management Interface and clicked Apply on »HTTPS Decryption and Scanning« without changing any setting there

    HTH
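As an added example that is not part of any post in this thread: a small shell helper for the Advanced Shell step above, which picks out only the cached certificate files that name a given host before removing them, so other cache entries stay intact. It assumes /var/certcache holds one X.509 certificate per file in PEM or DER form (the thread does not say what the files look like) and that openssl is available in the Advanced Shell; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): find and purge entries in the XG
# certificate cache that belong to one host.
# Assumptions: each file in the cache dir is a single X.509 certificate in
# PEM or DER form, and openssl is present on the appliance.

# Print the openssl text dump of a certificate file, trying PEM then DER.
# Prints nothing (and fails) for files that are not certificates.
cert_text() {
    openssl x509 -in "$1" -inform PEM -noout -text 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -noout -text 2>/dev/null
}

# Print the paths of cached certificates whose subject CN or a DNS SAN is
# exactly $2 (dots are escaped so "scouts.org.uk" does not match a longer name).
# Usage: find_cached_certs_for_host /var/certcache renscouts.org.uk
find_cached_certs_for_host() {
    dir=$1; host=$2
    pat="(CN ?= ?|DNS:)$(printf '%s' "$host" | sed 's/\./\\./g')(,|$)"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if cert_text "$f" | grep -Eq "$pat"; then
            printf '%s\n' "$f"
        fi
    done
}

# Remove the matching cache entries. With DRY_RUN=1 only report what would go.
# Afterwards the thread's last step still applies: re-Apply "HTTPS Decryption
# and Scanning" under Protect > Web so the proxy stops using the stale entry.
purge_cached_certs_for_host() {
    find_cached_certs_for_host "$1" "$2" | while IFS= read -r f; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'would remove %s\n' "$f"
        else
            rm -f -- "$f" && printf 'removed %s\n' "$f"
        fi
    done
}

# Command-line use: certcache_purge.sh [-n] <cache_dir> <hostname>   (-n = dry run)
if [ "$#" -ge 2 ]; then
    [ "$1" = -n ] && { DRY_RUN=1; shift; }
    purge_cached_certs_for_host "$1" "$2"
fi
```

Run it with `-n` first to confirm only the stale entry for the repaired web server is selected.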

  • Thank you very much, that's exactly what I needed to fix it.

    Stephen.

  • I just wanted to say thanks for this - I've been going through Apache2 configs, trying from multiple locations and still unable to figure out what went wrong!


    Because someone at our office installed an incorrect SSL certificate (with the wrong CN) to begin with, the Sophos had this cached, and despite showing up as the "Sophos SSL CA", it still had the wrong CN.

    Is there an outstanding issue here for Sophos to fix? Should they be caching these certificates for as long as they do? This was an issue for at least 2+ weeks, and I can see certificates in the /var/certcache leading back to when we first installed this appliance in June 2018.


    I'll contact my account manager and report back here.