[squid-users] ssl bump and chrome 58
rafael.akchurin at diladele.com
Wed May 3 08:47:40 UTC 2017
The following steps produce, in Chrome 58, the "Your connection is not private" page with the "NET::ERR_CERT_COMMON_NAME_INVALID" and "missing_subjectAltName" errors:
(peek-and-splice bumping, Squid 3.5.23_1, as in https://docs.diladele.com/howtos/build_squid_ubuntu16/index.html)
1. Open Chrome 58+
2. Type some non-existing domain name like "https://www.asdlajsdfl.com" (note the httpS:// schema)
3. See the missing_subjectAltName error.
Correct behavior would be Squid generating faked certificate for the domain name "www.asdlajsdfl.com" *with* subjectAltName extension set to "www.asdlajsdfl.com".
So the question is: does anyone know if this is an already existing bug, or shall I file one?
Maybe it is a feature?
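As an added illustration (not part of the thread) of why Chrome 58 rejects a CN-only mimic certificate while earlier versions accepted it, here is a hostname check in Python over constructed certificate descriptions in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; `cn_fallback=False` models Chrome 58's default, `cn_fallback=True` the older behaviour that the quoted policy text re-enables.

```python
"""Hostname matching as Chrome 58 does it (subjectAltName only) versus the
legacy commonName fallback, run over constructed certificate descriptions.

Certificates use the dict shape returned by ssl.SSLSocket.getpeercert(), so
the same function can be pointed at a real bumped connection. All sample
certificates below are constructed for this example."""
import ipaddress

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, wildcard only as the whole
    leftmost label and never matching the bare parent domain or '*.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches(cert: dict, hostname: str, cn_fallback: bool = False) -> tuple:
    """Return (ok, reason). With cn_fallback=False (Chrome 58 default) a cert
    without a DNS or IP subjectAltName entry never matches, whatever its CN.
    With cn_fallback=True the CN is consulted only when no such entry exists."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_addrs = [v for k, v in san if k == "IP Address"]
    if dns_names or ip_addrs:
        try:
            ip = ipaddress.ip_address(hostname)
        except ValueError:
            ip = None
        if ip is not None:
            ok = any(ip == ipaddress.ip_address(a) for a in ip_addrs)
        else:
            ok = any(_dns_match(d, hostname) for d in dns_names)
        return ok, "matched subjectAltName" if ok else "no subjectAltName entry matches"
    if not cn_fallback:
        return False, "missing_subjectAltName (ERR_CERT_COMMON_NAME_INVALID)"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(_dns_match(cn, hostname) for cn in cns)
    return ok, "matched commonName (fallback)" if ok else "commonName does not match"

# Constructed examples: a CN-only mimic certificate of the kind the thread
# describes, and the same certificate with the name also in subjectAltName.
CN_ONLY = {"subject": ((("commonName", "www.asdlajsdfl.com"),),)}
WITH_SAN = {"subject": ((("commonName", "www.asdlajsdfl.com"),),),
            "subjectAltName": (("DNS", "www.asdlajsdfl.com"),)}
```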
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Flashdown
Sent: Thursday, April 27, 2017 6:42 PM
To: Yuri Voinov <yvoinov at gmail.com>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] ssl bump and chrome 58
I've tested the registry setting and it worked out. You can copy the below lines in a .reg file and execute it.
Windows Registry Editor Version 5.00
On 2017-04-27 18:34, Flashdown wrote:
> Hello together,
> here is a workaround that you could use in the meanwhile.
> Whether to allow certificates issued by local trust anchors that are
> missing the subjectAlternativeName extension
> Data type:
> Boolean [Windows:REG_DWORD]
> Windows registry location:
> Mac/Linux preference name:
> Android restriction name:
> Supported on:
> Google Chrome (Linux, Mac, Windows) since version 58 until
> version 65
> Google Chrome OS (Google Chrome OS) since version 58 until
> version 65
> Google Chrome (Android) since version 58 until version 65
> Supported features:
> Dynamic Policy Refresh: Yes, Per Profile: No
> When this setting is enabled, Google Chrome will use the
> commonName of a server certificate to match a hostname if the
> certificate is missing a subjectAlternativeName extension, as long as
> it successfully validates and chains to a locally-installed CA
> Note that this is not recommended, as this may allow bypassing the
> nameConstraints extension that restricts the hostnames that a given
> certificate can be authorized for.
> If this policy is not set, or is set to false, server certificates
> that lack a subjectAlternativeName extension containing either a DNS
> name or IP address will not be trusted.
> Example value:
> 0x00000000 (Windows), false (Linux), false (Android), <false />
> <<<<<<<<<<<< END
> On 2017-04-27 18:16, Flashdown wrote:
>> Hello together,
>> Suddenly I am facing the same issue now that users' Chrome has been
>> updated to V58. I am running Squid 3.5.23.
>> This is the reason:
>> Short: Common Name support was removed in Chrome 58, and Squid does not
>> create certs with DNS alternative names in them. Because of that,
>> Chrome says:
>> 1. Subject Alternative Name Missing - The certificate for this site
>> does not contain a Subject Alternative Name extension containing a
>> domain name or IP address.
>> 2. Certificate Error - There are issues with the site's certificate
>> chain (net::ERR_CERT_COMMON_NAME_INVALID).
>> Can we get Squid to add the DNS-Alternative Name to the generated
>> certs? Since this is what I believe is now required in Chrome 58+
>> Best regards,
>> On 2017-04-21 15:35, Yuri Voinov wrote:
>>> I see no problem with it on all five SSL Bump-aware servers with new
>>> Chrome. So far so good.
>>> On 21.04.2017 18:29, Marko Cupać wrote:
>>>> I have squid setup with ssl bump which worked fine, but since I
>>>> updated chrome to 58 it won't display any https sites, throwing
>>>> NET::ERR_CERT_COMMON_NAME_INVALID. https sites still work in
>>>> previous chrome version, as well as in IE.
>>>> Anything I can do in squid config to get ssl-bumped sites in chrome
>>>> Thank you in advance,
squid-users mailing list
squid-users at lists.squid-cache.org