
SSL_Scanning_Certificate not accepted under iOS 13

Hi,

 

I've got the following problem:

For years now we have been using HTTPS decryption and scanning; that's why we have to install the SSL_Scanning_Certificate of the appliance on iPhones.

We experienced absolutely no problems until we upgraded the test iPhone to iOS 13 Beta.

Although the certificate is installed and enabled as a trusted root certificate, no app using HTTPS connects to the Internet on this iPhone; instead they display messages about an untrusted certificate.

Does anybody have the same problem?

How can this be fixed?

 

Regards



  • Hi Dwayne,

    This has broken due to new requirements from Apple for trusted certificates. Please refer to "Requirements for trusted certificates in iOS 13 and macOS 10.15" for the new requirements.

    In XG, you get an option to select the HTTPS scanning certificate authority (CA) in PROTECT > Web > General settings | HTTPS decryption and scanning. The default is SecurityAppliance_SSL_CA. I've checked on my test device and it does satisfy the following requirements:

    • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. The default setting in Sophos is 2048 bits.

    • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. That's also true.

    • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. That's also true.

    Now if we talk about the other additional conditions for all TLS server certificates issued after July 1, 2019, the default validity period for SecurityAppliance_SSL_CA is too high compared to the requirement. Our team has already identified this and it is going to be fixed in the upcoming version SFOS v17.5 MR9.
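
The checks listed in the reply above can be run against a certificate file with OpenSSL. The function below is an added example, not part of the thread and not Sophos or Apple code; the name `check_ios13_cert` is hypothetical, and it assumes the certificate under test is a PEM file, OpenSSL 1.1.1 or later, and GNU `date`. The 825-day limit and the `id-kp-serverAuth` EKU rule are the additional conditions from Apple's published requirements for certificates issued after July 1, 2019.

```shell
#!/bin/sh
# Added example (not Sophos or Apple code). Checks one PEM TLS server
# certificate against the iOS 13 / macOS 10.15 rules quoted in the thread.
# Assumes OpenSSL 1.1.1+ and GNU date. Prints one line per failed rule;
# returns 0 only when every rule passes, 2 if the file cannot be parsed.
check_ios13_cert() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    fail=0

    # RSA keys must be at least 2048 bits (the rule applies to RSA keys only).
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        [ "${bits:-0}" -ge 2048 ] || { echo "FAIL key-size: RSA ${bits:-?} bit"; fail=1; }
    fi

    # The signature algorithm must use a hash from the SHA-2 family.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    printf '%s\n' "$sig" | grep -Eiq 'sha(224|256|384|512)' || { echo "FAIL hash: $sig"; fail=1; }

    # The server's DNS name must appear in the Subject Alternative Name extension.
    printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' | grep -q 'DNS:' \
        || { echo "FAIL san: no DNS name in subjectAltName"; fail=1; }

    # Additional rules apply only to certificates issued after July 1, 2019.
    start=$(date -u -d "$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)" +%s)
    end=$(date -u -d "$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)" +%s)
    if [ "$start" -gt "$(date -u -d '2019-07-01 23:59:59' +%s)" ]; then
        days=$(( (end - start) / 86400 ))
        [ "$days" -le 825 ] || { echo "FAIL validity: $days days (limit 825)"; fail=1; }
        printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
            || { echo "FAIL eku: id-kp-serverAuth missing"; fail=1; }
    fi
    return "$fail"
}
```

Run it as `check_ios13_cert leaf.pem` on the server certificate the appliance presents to the client for a decrypted site, since the validity and EKU rules apply to that re-signed TLS server certificate.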

  • Hi,

    How long until MR-9 is available? The failure of the scanning will now be a big issue for a lot of small businesses who automatically update their iPhones and iPads, as well as every school.

     

    Ian
