https scanning, where is the certificate cache for external websites?

I'm using a Sophos XG105w.  I have https scanning switched on for some PCs on my network, so that means the Sophos is checking website certificates and the certificate presented to the browser is the Sophos one.  All works fine for most websites.  Occasionally when I'm setting up a new website, I'll open a site that has an invalid certificate on the server.  I'll then fix the problem on the web server and once the certificate is correct, all other PCs here and elsewhere see the correct certificate with no errors.  However the PCs which are using https scanning via the XG still report the old invalid certificate.  I've tried reboots, updates, restart of Web Proxy service, etc.  It definitely isn't the PC at fault as switching off the https scanning on the XG makes it work.

How does the XG cache certificates from remote web servers when https scanning is in use?  How can I clear or reload this cache?

Thanks,
Stephen.



  • We have the same problem on our XG330 (SFOS 17.0.6 MR-6). Any solution?

  • Ran into the same issue today. Could solve it by

    • SSHing to the XG
    • Chose »5. Device Management«
    • Chose »3. Advanced Shell«
    • Identified the certificate(s) in /var/certcache/ and removed the cached files
    • Then went to Protect > Web in the Web Management Interface and clicked Apply on »HTTPS Decryption and Scanning« without changing any setting there

    HTH
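Before removing anything from the cache, it helps to see which cached entry belongs to the affected site and whether it still differs from what the server presents today. The script below is an added example, not from the thread or from Sophos; it assumes the entries in /var/certcache/ are PEM certificates that `openssl x509` can read (files it cannot parse are skipped) and that the appliance has `openssl` on its path.

```shell
#!/bin/sh
# list_cached_certs DIR PATTERN
#   Print, for every PEM certificate in DIR whose subject contains PATTERN
#   (e.g. the site's CN), its file name, subject, expiry and SHA-256
#   fingerprint. Files that are not parseable certificates are skipped.
#   DIR is assumed to be /var/certcache on the XG; the PEM format is an
#   assumption, not something the thread states.
list_cached_certs() {
  dir=$1
  pattern=$2
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || continue
    case "$subj" in
      *"$pattern"*) ;;
      *) continue ;;
    esac
    enddate=$(openssl x509 -in "$f" -noout -enddate)
    fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256)
    printf '%s\t%s\t%s\t%s\n' "$f" "$subj" "$enddate" "$fp"
  done
}

# live_fingerprint HOST
#   SHA-256 fingerprint of the certificate HOST:443 presents right now,
#   for comparison with the cached entry (needs network access).
live_fingerprint() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Example run (no-op unless a host is given on the command line):
#   sh this_script.sh www.example.test
# shows the cached entries for that CN next to the live fingerprint; if the
# fingerprints differ, the cached file is the stale one to remove before
# re-applying HTTPS Decryption and Scanning.
if [ -n "$1" ]; then
  list_cached_certs /var/certcache "$1"
  live_fingerprint "$1"
fi
```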

  • Thank you very much, that's exactly what I needed to fix it.

    Stephen.

  • I just wanted to say thanks for this - I've been going through Apache2 configs, trying from multiple locations and still unable to figure out what went wrong!

    Because someone at our office installed an incorrect SSL certificate (with the wrong CN) to begin with, the Sophos had this cached, and despite showing up as the "Sophos SSL CA", it still had the wrong CN.

    Is there an outstanding issue here for Sophos to fix? Should they be caching these certificates for as long as they do? This was an issue for at least 2+ weeks, and I can see certificates in the /var/certcache leading back to when we first installed this appliance in June 2018.

    I'll contact my account manager and report back here.
