Safari can't establish a secure connection to XG Firewall - Chrome/FF OK

 Hi all

Suddenly I am not able to connect to my Sophos firewall running XG 16.5 from Safari anymore. I am running macOS 10.12.3. Safari shows the warning "Safari can't establish a secure connection to the server <FQDN-of-Firewall>". Since last autumn, the firewall is using a certificate signed by CAcert for web authentication. The certificate store of the OS trusts all needed CAs from CAcert.

Firefox 51.0.1 connects w/o problems. After deleting the HSTS history for the FQDN in Chrome, this browser works again as well. Deleting the HSTS.plist file for Safari did not make a difference - I am still unable to connect.

Does anyone have a clue why Safari refuses to connect, and if there is a workaround?

Thanks for reading and regards,

- Maurice



  • Hi,

    I think the issue is more related to the browser than to the firewall. Are you trying to access a server hosted through a DNAT or behind the WAF? I would also suggest raising it on the Safari forum to check if there is any known issue with Safari already.

    Thanks

  • Maurice,

    in addition: did you upgrade the XG from one version to another in the meanwhile? If yes, give us more details regarding which version you came from. Thanks

  • Thanks for your suggestions. I have not upgraded the XG software version, I am still running 16.5. I just try to access the web interface of my firewall, no NAT or WAF at all. Of course it might be a Safari issue, but I use Safari a lot and have never had such a problem before.

    - Maurice

  • Thanks for the info.

    Try to delete the Certificate Authority and then import it again into Safari. Safari uses the CAs saved on the Mac.

    Regards

  • Interesting, I had the exact opposite: FF cracked even after importing the CA from the XG.

    Eventually delete worked well.

  • Hi lferra

    Your post together with this blog entry helped me solve the problem. I did not find any way to view in Safari what certificate was returned to the client. In Chrome I had to use Developer Tools, and this allowed me to solve the problem.

    To recap: I have two valid certificates in the appliance, one self-signed (Self-Signed CA) and one from another CA where I had to upload the CA root cert to the appliance (ExtCA root). I was unable to connect from Safari with any of them, Chrome worked with the Self-Signed CA. Checking the System Keychain on my macOS system, the Self-Signed CA was not present, and the ExtCA root was not trusted. After importing the Self-Signed CA and setting both CAs to "Trust", I was again able to connect via Safari.

    - Maurice
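The check Maurice describes above (find out what certificate the appliance returns and whether the local trust store accepts its CA), as an added shell example that is not part of the thread: it uses openssl with a constructed CA and leaf certificate in place of the real appliance, and the FQDN, working directory and file names are assumptions.

```shell
# Added example, not from the thread: reproduce the trust failure with openssl.
# A constructed private CA stands in for the appliance "Self-Signed CA" and a
# constructed leaf for the firewall's web-admin certificate (all assumptions).
set -e

WORK="${WORK:-$(mktemp -d)}"
FQDN="firewall.example.invalid"   # placeholder for <FQDN-of-Firewall>

# Build the constructed CA and a leaf for $FQDN signed by it.
make_constructed_chain() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
    '[dn]' 'commonName = Common Name' '[ca_ext]' \
    'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' > "$WORK/req.cnf"
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -sha256 -subj "/CN=Constructed Appliance CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$FQDN" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Check the leaf the way a browser does: chain to a trusted root AND match the
# hostname. $1 is the trust file (empty = nothing trusted, like the System
# keychain before the CA was imported). Prints "trusted" or "untrusted".
verify_leaf() {
  trust="$1"
  if [ -n "$trust" ]; then set -- -CAfile "$trust"; else set --; fi
  if openssl verify -no-CAfile -no-CApath "$@" -verify_hostname "$FQDN" \
       "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Against the live appliance, capture what the server really sends (the step
# the thread needed Chrome's developer tools for) and verify it the same way:
#   openssl s_client -connect <FQDN-of-Firewall>:<admin-port> -showcerts </dev/null
# Safari trusts what the macOS System keychain trusts; the GUI step above is:
#   sudo security add-trusted-cert -d -r trustRoot \
#        -k /Library/Keychains/System.keychain ca.pem

make_constructed_chain
echo "without CA: $(verify_leaf "")"               # untrusted
echo "with CA:    $(verify_leaf "$WORK/ca.pem")"   # trusted
```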