SSL Certificate - Signature Verification Failed Vulnerability -PCI issue with Sonic TZ

I have a client with a SonicWall TZ 205, and we are running into an issue with PCI compliance scans.
Right now we are struggling to resolve a failure with "SSL Certificate - Signature Verification Failed Vulnerability".

Sonic support is clueless - does anyone here have a thought? Thanks in advance!
Greg Mason (Owner) asked:



Blue Street Tech (Last Knight) commented:
Hi Greg,

There could be a few different reasons for this. First off, I'd encourage you to upgrade your firewall to the latest model like a TZ300. It has the technology to actually thwart and protect your network from today's attacks. Security is an ongoing process... it's not a product, and there is never a panacea.

Regarding your SSL Cert failure: how are you using SSL Certs in the SonicWALL, e.g. for Remote Management, for VPNs, etc.?

If I were to guess you are probably using it for Remote Management from the WAN (so you can login to the firewall from the WAN). SonicWALL has stopped producing firmware upgrades for your unit since it is EOL (End of Life).

Here is how I'd handle this provided that you are using Remote Management as I assumed...

1. Inspect & identify your current SSL Cert. In Firefox go to your firewall management IP so that the login page appears (make sure HTTPS is explicitly used), then click on the lock icon > Show connection Details > More information. The Security dialogue box should pop up like this:
(Screenshot: SSL Cert details)
Record (screen capture or the like) the highlighted part, i.e. the Encryption Cipher Suite used.

2. I'd download and install the latest available firmware for your unit. Then go to System > Administrative and click Regenerate Certificate under Web Management Settings. Reboot the firewall.

3. Now go & identify the new cert as described in #1 and compare the two Certificates' Encryption Cipher Suite. You should see a change, but if you don't, that means the Certificate's Encryption Cipher Suite is tombstoned, and aside from upgrading the unit the only other solution would be to roll out SSL-VPN w/2FA enabled, management enabled & procure/install a Public CA SSL Cert so that you can manage the firewall from the WAN via the SSL-VPN, which in any case is the best way to manage the firewall from a security standpoint. After you have tested the SSL-VPN WAN management you would then disable WAN management. When your PCI scan comes around again remote management will not exist and you will pass!

Let me know if you have any other questions!
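As an added example (not from this thread or from SonicWall), the same before/after comparison of the management certificate can be scripted with the openssl CLI instead of reading it off the browser dialog. It pulls the certificate the HTTPS management page presents, then flags the conditions that typically produce a "Signature Verification Failed" scan finding: an issuer the scanner cannot chain to a trusted CA (self-signed, issuer equals subject), a weak signature hash, or an expired certificate. The host, port and file names are assumptions; it requires the openssl command.

```shell
#!/bin/sh
# Added example: inspect a PEM certificate with openssl and flag the
# conditions behind a "Signature Verification Failed" finding.
# Requires the openssl CLI. HOST/PORT/file names below are assumptions.

# Save the certificate a TLS endpoint presents (e.g. the firewall's HTTPS
# management page) to a PEM file.   usage: fetch_cert HOST PORT OUTFILE
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Hash/signature algorithm the issuer used, e.g. sha256WithRSAEncryption.
cert_sig_alg() {                      # usage: cert_sig_alg CERT.pem
    openssl x509 -in "$1" -noout -text \
        | grep -m1 'Signature Algorithm:' | awk '{print $3}'
}

# "yes" when issuer and subject are identical (self-signed), else "no".
# A self-signed cert cannot be chained to a trusted CA by a scanner.
cert_is_self_signed() {               # usage: cert_is_self_signed CERT.pem
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] && echo yes || echo no
}

# "yes" when notAfter is already in the past, else "no".
cert_is_expired() {                   # usage: cert_is_expired CERT.pem
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null && echo no || echo yes
}

# Print findings; return 1 if any would fail a compliance scan, else 0.
cert_verdict() {                      # usage: cert_verdict CERT.pem
    rc=0
    alg=$(cert_sig_alg "$1")
    case "$alg" in
        md5*|sha1*) echo "WEAK: signed with $alg"; rc=1 ;;
        *)          echo "ok: signed with $alg" ;;
    esac
    if [ "$(cert_is_self_signed "$1")" = yes ]; then
        echo "UNTRUSTED: self-signed, cannot chain to a trusted CA"; rc=1
    fi
    if [ "$(cert_is_expired "$1")" = yes ]; then
        echo "EXPIRED: notAfter is in the past"; rc=1
    fi
    return $rc
}
```

Run `fetch_cert <firewall-ip> 443 before.pem` before the regenerate step and again afterwards into `after.pem`, then `cert_verdict` on each; a self-signed certificate will still be reported as untrusted after regeneration, which is why the public CA cert behind SSL-VPN management is the durable fix.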

Greg Mason (Owner, Author) commented:
Thanks! I'll try the "regenerate cert" suggestion.

Just an FYI but EOS (END OF SUPPORT) for the TZ205 is 7/2020. LRM (Limited Retirement Mode) for the 205 started last August - the latest version of firmware came out in October of 2017. So not quite end of life, although I agree that a gen 6 unit would be a good investment.
Blue Street Tech (Last Knight) commented:
Technically that is true; however, without firmware releases I see the units as product EOLs, because firmware is what includes dire security enhancements such as supporting TLS 1.3, DPI-SSL, etc.

Greg Mason (Owner, Author) commented:
You are right. But in the Sonic world, LRM is a time during which firmware updates continue to be issued - only now they are limited to critical bugs and security vulnerabilities. It's just that no new features are added.

We are waiting for the new PCI scan to run. Hopefully before hell itself freezes over...
Blue Street Tech (Last Knight) commented:
It will be stable but still new security enhancements will not be added such as support for DPI-SSL (in the case where it is not already) or TLS1.3. DPI-SSL is a security baseline since over 72% of web traffic is not encrypted.

To clarify, Cert Regeneration will only matter in the case where you update the firmware or there is some type of corruption with the cert. If neither of those apply, then deploying SSL-VPN is your only option if you still want to remotely manage the SonicWALL.
Greg Mason (Owner, Author) commented:
Well, hell hasn't quite frozen over, but the PCI scan came back "compliant". Your suggestion seems to have worked! Thanks.

Oh wait - the Pope says there IS no hell anymore....