[squid-users] ssl bump and chrome 58

Flashdown flashdown at data-core.org
Thu Apr 27 16:34:38 UTC 2017


Hello together,

here is a workaround that you could use in the meanwhile.

https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

Source: 
https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors
>>>>> BEGIN
EnableCommonNameFallbackForLocalAnchors
Whether to allow certificates issued by local trust anchors that are missing the subjectAlternativeName extension

Data type:
     Boolean [Windows:REG_DWORD]
Windows registry location:
     Software\Policies\Google\Chrome\EnableCommonNameFallbackForLocalAnchors
Mac/Linux preference name:
     EnableCommonNameFallbackForLocalAnchors
Android restriction name:
     EnableCommonNameFallbackForLocalAnchors
Supported on:

         Google Chrome (Linux, Mac, Windows) since version 58 until version 65
         Google Chrome OS (Google Chrome OS) since version 58 until version 65
         Google Chrome (Android) since version 58 until version 65

Supported features:
     Dynamic Policy Refresh: Yes, Per Profile: No
Description:

     When this setting is enabled, Google Chrome will use the commonName of a server certificate to match a hostname if the certificate is missing a subjectAlternativeName extension, as long as it successfully validates and chains to a locally-installed CA certificate.

     Note that this is not recommended, as this may allow bypassing the nameConstraints extension that restricts the hostnames that a given certificate can be authorized for.

     If this policy is not set, or is set to false, server certificates that lack a subjectAlternativeName extension containing either a DNS name or IP address will not be trusted.
Example value:
     0x00000000 (Windows), false (Linux), false (Android), <false /> (Mac)
<<<<<<<<<<<< END



On 2017-04-27 18:16, Flashdown wrote:
> Hello together,
> 
> Suddenly I am facing the same issue when users' Chrome has been updated
> to V58. I am running Squid 3.5.23.
> 
> This is the reason:
> https://www.thesslstore.com/blog/security-changes-in-chrome-58/
> Short: Common Name Support Removed in Chrome 58, and Squid does not
> create certs with DNS Alternative Names in them. Because of that it
> fails.
> 
> Chrome says:
> 1. Subject Alternative Name Missing - The certificate for this site
> does not contain a Subject Alternative Name extension containing a
> domain name or IP address.
> 2. Certificate Error - There are issues with the site's certificate
> chain (net::ERR_CERT_COMMON_NAME_INVALID).
> 
> Can we get Squid to add the DNS-Alternative Name to the generated
> certs? Since this is what I believe is now required in Chrome 58+
> 
> Best regards,
> Enrico
> 
> 
> On 2017-04-21 15:35, Yuri Voinov wrote:
>> I see no problem with it on all five SSL Bump-aware servers with new
>> Chrome. So far so good.
>> 
>> 
>> On 21.04.2017 18:29, Marko Cupać wrote:
>>> Hi,
>>> 
>>> I have squid setup with ssl bump which worked fine, but since I updated
>>> chrome to 58 it won't display any https sites, throwing
>>> NTT:ERR_CERT_COMMON_NAME_INVALID. https sites still work in previous
>>> chrome version, as well as in IE.
>>> 
>>> Anything I can do in squid config to get ssl-bumped sites in chrome
>>> again?
>>> 
>>> Thank you in advance,
>> 
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
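The thread boils down to one certificate property: Chrome 58+ stops falling back to the commonName and requires a subjectAltName carrying a DNS name or IP address, so a bumped certificate that has only a CN fails with ERR_CERT_COMMON_NAME_INVALID. The script below is an added example, not code from the thread or from the Squid project. It uses `openssl` to reproduce both cases offline: a CN-only certificate of the kind the reporter describes, and the same subject with a SAN extension, plus a small check a proxy administrator can run against any generated certificate before users hit the error. The host name `www.example.test` and the working directory are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): show why a CN-only certificate fails the
# Chrome 58+ check and what a passing certificate must carry. Requires openssl.
set -eu

WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"

# has_san CERT.pem
# Returns 0 if the certificate carries a subjectAltName extension with at least
# one DNS or IP entry (what Chrome 58+ requires), 1 otherwise. The awk step reads
# only the line that follows the SAN header, so a "DNS:" string elsewhere in the
# subject cannot produce a false positive.
has_san() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name:/ { getline; print }' |
        grep -Eq 'DNS:|IP Address:'
}

# Certificate 1: commonName only, no subjectAltName. This mirrors the reporter's
# description of what Squid 3.5.23 generated for bumped sites.
cat > "$WORK/cn.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = www.example.test
EOF
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/cn.cnf" -keyout "$WORK/cn.key" -out "$WORK/cn.pem" 2>/dev/null

# Certificate 2: same CN, but with a subjectAltName listing the host names.
# x509_extensions works on old and new openssl releases, unlike -addext.
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no
[ dn ]
CN = www.example.test
[ v3_san ]
subjectAltName = DNS:www.example.test,DNS:example.test
EOF
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/san.cnf" -keyout "$WORK/san.key" -out "$WORK/san.pem" 2>/dev/null

CN_CERT="$WORK/cn.pem"
SAN_CERT="$WORK/san.pem"

# Report the outcome of each certificate the way Chrome 58+ would judge it.
for cert in "$CN_CERT" "$SAN_CERT"; do
    if has_san "$cert"; then
        echo "$cert: subjectAltName present, accepted by Chrome 58+"
    else
        echo "$cert: CN only, rejected by Chrome 58+ (ERR_CERT_COMMON_NAME_INVALID)"
    fi
done
```

Pointing `has_san` at a certificate captured from a bumped connection (for example with `openssl s_client -connect host:443 -proxy proxy:3128 -showcerts`) tells you whether the proxy's generated certificates will pass current browsers, independent of the Chrome policy workaround quoted above, which only applies until version 65.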

