
SSL Inspection (imported list of Root CA/Intermediate CA)

Hello

I'm wondering how Sophos XG validates the certificate chain (SSL inspection of web browsing). We use web policies with "block invalid certificates" on a newly installed Sophos XG for a customer. Normally, we don't see a lot of blocked websites due to invalid certificates or untrusted CAs.

But on that firewall, we have had some issues in the last few days.

Scenario: browsing a website was not possible due to "SSL error: unable to get local issuer certificate".

When we import the intermediate issuer CA certificate into the trusted CA list, it works. The root CA was already in the list. In my understanding, it should already work if the root CA is in the list, without adding all intermediate issuer CAs to it. But in that case it didn't work.

Question:

1. Does Sophos trust any intermediate CAs signed by a root CA if this root CA is in the list of trusted Certificate Authorities?

2. Is there an update mechanism for the trusted CA list on Sophos XG firewalls, or is it a manual task to update the list? (I know it's a controversial topic to update a trusted CA list automatically.)

thanks

Michael



This thread was automatically locked due to age.
  • FormerMember

    Hey Michael, interesting query!

    As far as I know, the certificate chain has to be entirely defined on the XG. While validating the certificate, XG looks for the entire chain. I can say this from the context of importing signed certificates into XG: while importing those signed certificates into XG, the certificate won't be considered valid unless both the root and the intermediate CA are available on the firewall.

    So that could be the reason behind XG rejecting it: the intermediate certificate isn't present.
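The chain-building behaviour described in this answer, as an added example that is not Sophos or XG code: a small path builder written with the Python `cryptography` package over a constructed three-tier PKI (root CA, issuing CA, leaf; all names are invented). It walks from the leaf towards a self-signed certificate in the trusted list, using any extra certificates the server presented for path building, and reports the same reason OpenSSL gives when the issuer is missing. The function names and error strings are this example's own.

```python
# Added illustration, not Sophos XG code. Names, PKI and error strings are constructed.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _make_cert(subject_cn, issuer_cn, subject_key, signing_key, is_ca):
    """Build a minimal X.509 v3 certificate for subject_key, signed by signing_key."""
    not_before = datetime.datetime(2024, 1, 1)  # fixed so the example is deterministic
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_before + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def build_pki():
    """Constructed example PKI: root CA -> issuing (intermediate) CA -> leaf."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    issuing_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    root = _make_cert("Example Root CA", "Example Root CA", root_key, root_key, True)
    issuing = _make_cert("Example Issuing CA", "Example Root CA", issuing_key, root_key, True)
    leaf = _make_cert("www.example.test", "Example Issuing CA", leaf_key, issuing_key, False)
    return root, issuing, leaf


def _is_signed_by(cert, candidate):
    """True if the candidate's public key verifies cert's signature."""
    if cert.issuer != candidate.subject:
        return False
    try:
        candidate.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def build_chain(leaf, trusted, untrusted=()):
    """Walk from the leaf to a self-signed cert in `trusted`.

    trusted   - the verifier's CA list (the firewall's trusted CAs)
    untrusted - certs merely available for path building (sent by the server)
    Returns the ordered chain or raises ValueError with an OpenSSL-style reason.
    """
    pool = list(trusted) + list(untrusted)
    chain, current = [leaf], leaf
    while len(chain) <= 10:  # hard cap against loops
        if current.issuer == current.subject:
            if current in trusted:
                return chain
            raise ValueError("self-signed certificate in certificate chain")
        issuers = [c for c in pool if _is_signed_by(current, c)]
        if not issuers:
            raise ValueError("unable to get local issuer certificate")
        current = issuers[0]
        chain.append(current)
    raise ValueError("certificate chain too long")


def verify(leaf, trusted, untrusted=()):
    """Return 'ok: <chain>' on success, or the failure reason."""
    try:
        chain = build_chain(leaf, trusted, untrusted)
    except ValueError as err:
        return str(err)
    return "ok: " + " <- ".join(c.subject.rfc4514_string() for c in chain)


def scenarios():
    """The situations from the thread, as name -> verification result."""
    root, issuing, leaf = build_pki()
    return {
        # Root imported, server sends only the leaf: nothing can check the leaf's signature.
        "root_only_no_intermediate": verify(leaf, [root]),
        # Root imported, server sends leaf + intermediate: path completes.
        "root_only_server_sends_intermediate": verify(leaf, [root], [issuing]),
        # Both root and intermediate imported, server sends only the leaf.
        "root_and_intermediate_imported": verify(leaf, [root, issuing]),
        # Intermediate imported but root not: the path ends at an untrusted root.
        "intermediate_only": verify(leaf, [issuing], [root]),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The first scenario is the one from the question: with only the root imported and a server that does not send its intermediate, no certificate on the firewall can verify the leaf's signature, so path building stops with "unable to get local issuer certificate". Importing the intermediate (third scenario) fixes it, and so does the server sending the intermediate in the handshake (second), which is why most sites work without any import. A real verifier also checks validity dates, BasicConstraints, name constraints and revocation; this example only follows the signature chain.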

  • Hi,

    Okay, thanks for the answer! Sounds like what my thoughts were. It would be nice to have an update feature where the admin can selectively add all or some of the new root/intermediate CAs.

    Do you know if there is a possibility to export the whole list and import it again? (Only the certificates (public keys), not the private keys, of course :-))

  • Actually, Sophos closely monitors the market of certificates and CAs in use and imports them if needed.

    Personally, I have used DPI for a long time and did not find any "not trusted CA". There are some rare cases of websites using a wild CA, but not many are "untrusted".

  • That was the case also on some of our customer firewalls, but currently we have a few cases where these certs are not in the list (newly installed XG firewall with the latest updates). Also CAs that are not new or unknown, in my understanding; Google Chrome and other browsers have them in the list as well.

  • Browsers are quite fast in adding new CAs all the time, because they have excellent telemetry (look at the installation base: they know exactly which CAs are requested and how often).

    For example, Google shares some of their insights: https://transparencyreport.google.com/https/overview

    So they are actually way ahead because of the millions of installations and the telemetry. Sophos can use SophosLabs and the telemetry of the firewalls to observe missing CAs and only update them via firmware update.

    Overall, from a security perspective, it is likely to wait until you add a new CA.