instagram arrow-down
Kalle Lilja

Archives

Sophos UTM WebAdmin TLS Error – Bad_Format

ERR_SSL_SERVER_CERT_BAD_FORMAT

TL;DR Access to WebAdmin was achieved again by locally forceing Internet Explorer to only use TLS 1.1 by disabling support for all other suites.

When accessing a rarely configured Sophos UTM running version 9.503-4‘s WebAdmin interface via https://utm.domain.com:4444 today I got faced with an unknown to me error in Chrome;
FQDN doesn't adhere to security standards.
ERR_SSL_SERVER_CERT_BAD_FORMAT

The same type of error presented itself in for example, Internet Explorer, albeit with a different type of error message.
FQDN doesn't adhere to security standards. ERR_SSL_SERVER_CERT_BAD_FORMAT
Quick followup testing got me to the following stage;
UserPortal – Working.
SSH – Working.
WebAdmin – Not working, not externally nor internally, not in any browser. Tested by name and IP.
Access via UTM Manager – Not working.

Restarting the WebAdmin service httpd via SSH had no effect on the issue. Restarting the UTM was not a viable option at this time, as this was in the middle of working hours.

I’m sure there’d be a way to solve this issue altogether via SSH, if I ever find out how, and remember to- I’ll update this page.

Solution

Access to WebAdmin was achieved again by locally forceing Internet Explorer to only use TLS 1.1 by disabling support for all other suites.
Internet Explorer – Internet Options – Advanced > Security.
Internet Explorer Security options TLS 1.1
Restart IE to apply the changes. Don’t forget to swap back when done.

The issue was subsequently sorted out by generating a new WebAdmin certificate.
Management > WebAdmin Settings > HTTPS Certificate.
Change the hostname value and Apply to generate a new cert and key combo.
WebAdmin Settings HTTPS Certificate
WebAdmin will now reload within 5 seconds with a newly generated cert. Once reloaded, access should be working again for example via Chrome. As intended.

A better, more preferred way of handling the certificate situation of Sophos WebAdmin would be to use a proper CA signed certificate, here, but alas, it’s not always in the cards.

Software Used:
Sophos UTM 9.503-4
PuTTy
Google Chrome 61.0.3163.100
Internet Explorer 11