TLS 1.3

https://tools.ietf.org/html/rfc8446

Some modern Browser switch to TLS 1.3 automatic if the Web server on the other side supports this. Like Version 72 of Chrome.exe or even your OS is like Windows 10 Buildnummer 20170 upwards (That means the OS itself). So it's all safer and faster?

https://blogs.windows.com/windows-insider/2020/07/15/announcing-windows-10-insider-preview-build-20170/

The problem is that some Next Generation Web Filter (Firewall) can't look into the SSL-encryption anymore and find malware/Ransomware. With Browser self updating mechanism like in Chrome or Edge Chromium you suddenly have a constellation that you did not want. While you approved IE11/EDGE Updates in WSUS and mostly checked each new Release of the Browser before releasing it this has changed.

The interesting point is that also some Load Balancer are only able to break (Deep Inspect) traffic with really new Firmware releases. Customers demanded that feature since 2017 we see in diverse blogs and feature request portals of producers. So if you want to sniff into SSL (Break SSL Stream) and you're Firewall can't handle TLS 1.3 special you currently have a problem.

Check if your browser has TLS 1.3 active is easy

CHROME:

chrome://flags/#tls13-variant (Since Version 72 TLS 1.3 default)

MICROSOFT EDGE CHROMIUM:

edge://flags/

As example Type edge://flags/ in the Browser URL window.

Or jump direct to the TLS 1.3 setting with edge://flags/#enable-tls13-early-data

Open following URL / Test Website to see what's supported:

https://browserleaks.com/ssl

https://news.sophos.com/en-us/2020/08/18/report-firewall-best-practices-to-block-ransomware/

https://www.fortinet.com/blog/business-and-technology/tls-is-here-what-this-means-for-you

https://www.f5.com/c/landing/encrypted-threats/article/tls-1-3-are-you-ready-for-the-update

https://community.checkpoint.com/t5/General-Topics/CheckPoint-TLS-1-3-support-When/td-p/63672

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/understanding_traffic_decryption.html

https://www.sonicwall.com/support/knowledge-base/ssl-tls-protocols-supported-by-sonicos-matrix/170615123553371/

Read more:

https://devblogs.microsoft.com/premier-developer/microsoft-tls-1-3-support-reference/

https://www.imperial.ac.uk/media/imperial-college/faculty-of-engineering/computing/public/1819-pg-projects/Detecting-Malware-in-TLS-Traf%EF%AC%81c.pdf

https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/

https://www.heise.de/security/meldung/Verschluesselung-TLS-1-3-Fauxpas-gefaehrdet-Embedded-Systeme-mit-wolfSSL-4883741.html

https://www.heise.de/hintergrund/Was-TLS-1-3-ist-und-wie-Sie-davon-profitieren-4248740.html

https://www.sans.org/reading-room/whitepapers/vpns/paper/39715

https://nakedsecurity.sophos.com/2020/02/18/malware-and-https-a-growing-love-affair/

Fortigate Application Filter Certificate wrong/missing Entry sample for an important laptop driver (W10 Deployment fails because of signed Driver Revocation Lookup)

OR HOW a missing small ENTRY I a FORTIGATE FIREWALL IPS/APP filter can ruin your Windows 10 OS-Deployment work.

Reason: Missing entry in Fortigate Application Filter "ROOT.CERTIFICATE.URL" and "OCSP" source of failing deployment

Windows 10 Deployment with commercial Deployment Products (This includes HP client hardware, Microsoft SCCM, Landesk or Ivanti Frontrange).

During the Unattend phase the driver for MASS storage or NIC does a Certificate Revocation Lookup. However the as sample mentioned

URL pki.infineon.com (Hardware Driver URL, CRL FQDN) is missing in Fortiguard definitions. Thus the Fortigate does block the access to WAN. Since this is an early setup phase of W10, group Policy or special GPO do not pull at that moment.

Fortigate has already missed several PKI URL the last few months confirmed by ticket resulting in large trouble and delay on client and Server OS of customers who route their Client or Server traffic through Web proxy and because of security do not want to route computer account proxy traffic standard to the proxy.

Why this is so important. Why this is generating a lot of work and trouble for OS-Deployment teams.

The normal way in larger companies is that all outgoing traffic from client VLAN goes to Firewall which it blocks. All Web/Application/Socks traffic that should go outside goes to a Proxy, Web filter.

Because in early phase of Deployment those options are not set already and normally not needed. However if the driver is older than the Expiration of the Code Signing Certificate W7/W10 will check

The Certificate Revocation list from WAN/Internet. If that fails it may refuse to integrate the driver in Windows PE or early Windows Setup phase. If example this is a driver which

handels NIC (network) or mass Storage driver (Disk) they deployment can't run through this early process.

Workaround:

URL we need open in our sample: pki.infineon.com which prevents a complete Enterprise Deployment system to fail

Sample from Fortigate for other Certs they missed:

F-SBID( --name "Root.Certificate.URL_Custom"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(crl\.microsoft\.com|\.omniroot\.com|\.verisign\.com|\.symcb\.com|\.symcd\.com|\.verisign\.ne t|\.geotrust\.com|\.entrust\.net|\.public- trust\.com|\.globalsign\.|\.digicert\.com|crl\.startcom\.|crl\.cnnic\.cn|crl\.identrust\.com|crl\.thaw te\.com|crlsl\.wosign\.com|www\.d\-trust\.net)/"; --context host; --weight 15; )

In our case:

F-SBID( --name "Root.Certificate.pki.infineon.com"; --protocol tcp; --app_cat 17; --service HTTP; -- flow from_client; --pcre "/(pki\.infineon\.com)/"; --context host; --weight 15; )

Please also see:

Butsch.ch | The certificate is invalid for exchange server usage Exchange 2010 SAN/UC

https://www.butsch.ch/post/The-certificate-is-invalid-for-exchange-server-usage-Exchange-2010-SANUC

So you understand that this is a problem which persists over all firewall producers:

https://support.symantec.com/en_US/article.HOWTO9584.html

Symantec: About the Install Readiness Check for Certificate Revocation List access

https://success.trendmicro.com/solution/1058226

TEND MICRO: After upgrading OfficeScan, users complained that the server started to rename all files in the OfficeClient Directory to "_invalid".
Below is a sample list of files in the D:\app\Trend Micro\OfficeScan\PCCSRV\Admin directory:

Checkpoint:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202

If there is no Internet connection, then CRL fetch and intermediate CA fetch will fail (this will be logged). The inspection will take place; however, URL-based or Category-based bypassing will not work.

Note: The CRL verifications are performed in the background asynchronously while matching the security policy (this mimics the behavior of the major web browsers).

Untrusted certificates and lack of CRLs can be configured as reasons to drop the connection

Mcafee:
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25504/en_US/epo_530_pg_0-00_en-us.pdf

SOPHOS UTM 9.4 VMware on ESXi does not start after crash of ESX or Storage

File system inconsistency - cannot run fsck

• The console hangs at Press F2 with white Screen you can't logon or ping the machine
• You can't connect with SSH
• You can't acces the machine on port 4444
• You DID not move the machine (COPY) NORE did you change something with NIC or MAC
• You prob. had a crash on the ESXi, the storage or Disk system itself
• You assume that Linux file system are robust and think they can't crash (Look like not…)

If you try the Rescue boot Option you should LOGON ONLY with root. However you are Windows User and always logon with admin and password through web console on port 4444. I am absolute sure there is Documentation on this and if you have Setup and read the Manual like Sophos wants you > Then you have that password.

Here is how to repair the File System with absolute almost no TUX knowledge and without having the root password! (Kind of strange but well you need physical access or console Access) so…

Error

Reboot the UTM machine in ESXi-console

Press ESC

Type "e" on keyboard once (Nothing else)

Choose the options which looks like this (similar)

If you are in the ESXi-CONSOLE end following to the command which is displayed now (At the end of existing command). Just behind the *******silent

init=/bin/bash

If you search CHARS on non us-keyboard:

On GERMAN OR SWISS GERMAN the = is right under the F10 keyboard on NON US-keyboard layouts! The "/" on the 10 numeric block.

PRESS "ENTER"

PRESS "b" to load the modified boot Setting

When the System stops it will stay at CLI now

Run cli command

"Fsck /dev/sda6"

or whever you corrupt file system is (It will show you in the errors as sample below)

On every question he will ask answer "y"

Comment Windows Senior System Engineer > Nobody understands what it says. Not even the guy who coded it we guess….

Reboot the System with CTRL-ALT-DEL from ESXi (Send command)

Here is how to reset Sophos passwords. We ONLY used step 1-10 for the repair of File System.

https://community.sophos.com/kb/en-us/115346#How%20to%20reset%20all%20passwords

You did all right as mentioned under but are unable to logon:

http://www.butsch.ch/post/Sophos-UTM-9314-13-Data-Disk-is-filling-up.aspx

Error: Network error:Software caused connection abort

Solution: download latest Version from Putty and it will work again

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

We use the Sophos appliance under Vmware ESXi Transparent behind our commercial Firewalls (Just some Wireshark replacment ;-)

The box looks real good and is easy to use. The Interface and GUI are just perfect. I like the Realtime options.

Like most of the times when you search for a solution for a linux Problem there seem to be 40 different

Solutions and Rekommandation. Worst case you update Perl, the Kernels and Download 2'000 files. Nobody knows what it does exept the guy who wrote it but thats the same under Windows sometimes.

Here is how to check the space and enable SSH which is more complicated because you have to enable SSH with a key.

After your cleaned up with this method:

First to do that you have to enable SSH and you have to generate a KEY so you can logon with root

They Made that very nice on the Sophos compared to other appliances ;-)

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

https://opengear.zendesk.com/entries/23216142-Generating-and-uploading-SSH-keys-under-Windows

* Enable SSH

* make a private / Public key with PUTTYGEN.exe

* make the key (Save Public and private)

Mark they Public Key fully and paste it into the SOPHOS appliance (Next Screen)

Then give PUTTY.EXE that key to work with:

Now you are able to Logon with root to the Sophos and search for Big files.

cd /var/storage
du -sh *

There was 1.2 Gigabyte of files under: /var/storage/pgsql92/data after 2 weeks.

Got to the Directory:

cd /var/storage/pgsql92/data/pg_xlog

List with:

ls

Now mark and pick the highest number you see there. You want to truncate until that.

Command for above screenshot

pg_archivecleanup /var/storage/pgsql92/data/pg_xlog 000000010000000300000092

Check in GUI