[squid-users] ssl bump and chrome 58

Yuri yvoinov at gmail.com
Wed May 3 10:30:24 UTC 2017


Mountain brake, Raf :-)

Fixed yesterday, already running on productions (on my side) ;-)


On 03.05.2017 15:05, Rafael Akchurin wrote:
> Sorry disregard - should practice my  google fu better - see http://bugs.squid-cache.org/show_bug.cgi?id=4711
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Rafael Akchurin
> Sent: Wednesday, May 3, 2017 10:48 AM
> To: Flashdown <flashdown at data-core.org>; Yuri Voinov <yvoinov at gmail.com>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] ssl bump and chrome 58
>
>
> Hello all,
>
> The following steps give in Chrome 58 the "Your connection is not private" error with "NET::ERR_CERT_COMMON_NAME_INVALID" and "missing_subjectAltName" error:
>
> (peek-an-splice bumping squid 3.5.23_1 as in https://docs.diladele.com/howtos/build_squid_ubuntu16/index.html)
>
> 1. Open Chrome 58+
> 2. Type some non existing domain name like "https://www.asdlajsdfl.com" (note the httpS:// schema)
> 3. See the missing_subjectAltName error.
>
> Correct behavior would be Squid generating faked certificate for the domain name "www.asdlajsdfl.com" *with* subjectAltName extension set to "www.asdlajsdfl.com".
>
> So question is - does anyone know if this is already existing bug or shall I file one?
> May be it is a feature?
>
> Best regards,
> Rafael
>
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Flashdown
> Sent: Thursday, April 27, 2017 6:42 PM
> To: Yuri Voinov <yvoinov at gmail.com>
> Cc: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] ssl bump and chrome 58
>
> I've tested the registry setting and it worked out. You can copy the below lines in a .reg file and execute it.
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
> "EnableCommonNameFallbackForLocalAnchors"=dword:00000001
>
>
> Best regards,
> Flashdown
>
> On 2017-04-27 18:34, Flashdown wrote:
>> Hello together,
>>
>> here is a workaround that you could use in the meanwhile.
>>
>> https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors
>>
>> Source:
>> https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors
>>>>>>> BEGIN
>> EnableCommonNameFallbackForLocalAnchors
>> Whether to allow certificates issued by local trust anchors that are
>> missing the subjectAlternativeName extension
>>
>> Data type:
>>      Boolean [Windows:REG_DWORD]
>> Windows registry location:
>>
>> Software\Policies\Google\Chrome\EnableCommonNameFallbackForLocalAnchors
>> Mac/Linux preference name:
>>      EnableCommonNameFallbackForLocalAnchors
>> Android restriction name:
>>      EnableCommonNameFallbackForLocalAnchors
>> Supported on:
>>
>>          Google Chrome (Linux, Mac, Windows) since version 58 until version 65
>>          Google Chrome OS (Google Chrome OS) since version 58 until version 65
>>          Google Chrome (Android) since version 58 until version 65
>>
>> Supported features:
>>      Dynamic Policy Refresh: Yes, Per Profile: No
>> Description:
>>
>>      When this setting is enabled, Google Chrome will use the
>> commonName of a server certificate to match a hostname if the
>> certificate is missing a subjectAlternativeName extension, as long as
>> it successfully validates and chains to a locally-installed CA
>> certificate.
>>
>>      Note that this is not recommended, as this may allow bypassing the
>> nameConstraints extension that restricts the hostnames that a given
>> certificate can be authorized for.
>>
>>      If this policy is not set, or is set to false, server certificates
>> that lack a subjectAlternativeName extension containing either a DNS
>> name or IP address will not be trusted.
>> Example value:
>>      0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
>> <<<<<<<<<<<< END
>>
>>
>>
>> On 2017-04-27 18:16, Flashdown wrote:
>>> Hello together,
>>>
>>> Suddenly I am facing the same issue when users Chrome has been
>>> updated to V58. I am running Squid 3.5.23.
>>>
>>> This is the reason:
>>> https://www.thesslstore.com/blog/security-changes-in-chrome-58/
>>> Short: Common Name Support Removed in Chrome 58 and Squid does not
>>> create certs with DNS-Alternatives names in it. Because of that it
>>> fails.
>>>
>>> Chrome says:
>>> 1. Subject Alternative Name Missing - The certificate for this site
>>> does not contain a Subject Alternative Name extension containing a
>>> domain name or IP address.
>>> 2. Certificate Error - There are issues with the site's certificate
>>> chain (net::ERR_CERT_COMMON_NAME_INVALID).
>>>
>>> Can we get Squid to add the DNS-Alternative Name to the generated
>>> certs? Since this is what I believe is now required in Chrome 58+
>>>
>>> Best regards,
>>> Enrico
>>>
>>>
>>> On 2017-04-21 15:35, Yuri Voinov wrote:
>>>> I see no problem with it on all five SSL Bump-aware servers with new
>>>> Chrome. So far so good.
>>>>
>>>>
>>>> On 21.04.2017 18:29, Marko Cupać wrote:
>>>>> Hi,
>>>>>
>>>>> I have squid setup with ssl bump which worked fine, but since I
>>>>> updated chrome to 58 it won't display any https sites, throwing
>>>>> NET::ERR_CERT_COMMON_NAME_INVALID. https sites still work in
>>>>> previous chrome version, as well as in IE.
>>>>>
>>>>> Anything I can do in squid config to get ssl-bumped sites in chrome
>>>>> again?
>>>>>
>>>>> Thank you in advance,
>>>> _______________________________________________
>>>> squid-users mailing list
>>>> squid-users at lists.squid-cache.org
>>>> http://lists.squid-cache.org/listinfo/squid-users
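The whole thread turns on one rule: from Chrome 58 the hostname is matched only against the subjectAltName DNS entries, and a certificate that has no SAN at all is rejected with NET::ERR_CERT_COMMON_NAME_INVALID / missing_subjectAltName, regardless of its CN. The script below is an added example, not code from the thread or from the Squid project. It generates two self-signed test certificates for the hostname from Rafael's report, one CN-only (the shape of the mimicked certificates reported in the thread before the fix in bug 4711) and one carrying a SAN, then applies the Chrome 58 rule and the legacy CN-fallback rule (what EnableCommonNameFallbackForLocalAnchors=1 restores) to each. It assumes a local openssl 1.1.1 or newer for the -addext option; the hostname and temp file names are chosen for the demo.

```shell
#!/bin/sh
# Added example: reproduce the Chrome 58 name-matching rule against a CN-only
# certificate and a SAN-bearing one. Not part of Squid or the thread.
# Assumes openssl >= 1.1.1 (needed for "req -addext").
set -eu

WORK=$(mktemp -d)
HOST=www.asdlajsdfl.com   # hostname taken from the thread's repro steps

# Certificate with a CN only and no subjectAltName: the form that Chrome 58
# refuses outright.
gen_cn_only() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$HOST" -keyout "$WORK/cn.key" -out "$WORK/cn.pem" 2>/dev/null
    echo "$WORK/cn.pem"
}

# Same subject, but with the SAN extension Chrome 58 insists on.
gen_with_san() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -keyout "$WORK/san.key" -out "$WORK/san.pem" 2>/dev/null
    echo "$WORK/san.pem"
}

# DNS names from the SAN extension, one per line; empty output if absent.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# The subject CN, which is all pre-58 Chrome needed.
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Chrome 58+: match the hostname against SAN DNS names only; the CN is
# never consulted. Prints "accept" or "reject".
chrome58_verdict() {
    cert=$1; host=$2
    if san_dns_names "$cert" | grep -qxF "$host"; then
        echo accept
    else
        echo reject   # missing_subjectAltName / ERR_CERT_COMMON_NAME_INVALID
    fi
}

# Legacy rule (also what EnableCommonNameFallbackForLocalAnchors=1 gives you
# for locally trusted anchors): fall back to the CN only when there is no
# SAN at all; a SAN that is present but does not match still fails.
legacy_verdict() {
    cert=$1; host=$2
    if [ -n "$(san_dns_names "$cert")" ]; then
        chrome58_verdict "$cert" "$host"
    elif [ "$(subject_cn "$cert")" = "$host" ]; then
        echo accept
    else
        echo reject
    fi
}

CN_CERT=$(gen_cn_only)
SAN_CERT=$(gen_with_san)

echo "CN-only cert, Chrome 58 rule: $(chrome58_verdict "$CN_CERT" "$HOST")"
echo "CN-only cert, legacy rule   : $(legacy_verdict "$CN_CERT" "$HOST")"
echo "SAN cert,     Chrome 58 rule: $(chrome58_verdict "$SAN_CERT" "$HOST")"
```

To check a certificate that a running Squid actually handed out, save the leaf from `openssl s_client -connect <host>:443 -proxy ...` (or export it from the browser) and run `san_dns_names` on it: empty output means the bump CA is still issuing CN-only certificates and the policy workaround is the only thing keeping Chrome 58 quiet, with the nameConstraints bypass the Chromium policy text warns about.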
