[squid-users] net::err_cert_common_name_invalid just in squid page with dstdomain block

Alex Rousskov rousskov at measurement-factory.com
Thu Dec 7 17:56:48 UTC 2017


On 12/07/2017 08:05 AM, erdosain9 wrote:
> Yes, Chrome tells this when I look at the certificate
> 
> "The certificate for this site does not contain a Subject Alternative Name
> extension containing a domain name or IP address."

That is not the only error reported by your Chrome, but you can try to
solve one error at a time.

The first step is to understand which certificate the browser is talking
about. Is that a Squid-generated certificate or an origin server
certificate? If it is a Squid-generated certificate, does it mimic an
erroneous property of the origin server certificate? Or did Squid fail
to (or decided not to) mimic something?

The next step, for this specific error, would be to make sure that your
Squid version has a fix for Bug 4711:

> bug 4711: SubjectAlternativeNames is missing in some generated certificates
> 
> Squid may generate certificates which have a Common Name, but do not have
> a subjectAltName extension. For example when squid generated certificates
> do not mimic an origin certificate or when the certificate adaptation
> algorithm sslproxy_cert_adapt/setCommonName is used.
> 
> This causes problems for some browsers, which validate a certificate using
> the SubjectAlternativeNames but ignore the CommonName field.
> 
> This patch fixes squid to always add a SubjectAlternativeNames extension in
> generated certificates which do not mimic an origin certificate.
> 
> Squid still will not add a subjectAltName extension when mimicking an origin
> server certificate, even if that origin server certificate does not include
> the subjectAltName extension. Such origin server may have problems when
> talking directly to browsers, and patched Squid is not trying to fix those
> problems.
> 
> This is a Measurement Factory project
> 
> Fixes: http://bugs.squid-cache.org/show_bug.cgi?id=4711 fixed
> Bzr-Reference: master r15131

If your Squid does not have the above fix, then it might explain the
second problem reported by Chrome as well, provided the origin server
certificate lacks any CN for Squid to mimic.


> So, my certificate does not have a Subject Alternative Name.
> But, this is not a problem with Firefox.

Yes, different browsers (and different browser versions) may impose
different requirements on certificates (and other traffic parameters).

Alex.
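A quick check for the first step Alex describes, namely whether the certificate the browser complains about carries a subjectAltName extension or only a Common Name. This is an added example, not code from the thread or from Squid; it builds two self-signed sample certificates with openssl (the name example.test and the file names are made up) and classifies each one.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid project).
# Classifies a PEM certificate as "SAN present" or "CN-only", the shape
# bug 4711 describes for some Squid-generated certificates.
set -eu

# has_san FILE: exit 0 if the certificate has an X509v3 subjectAltName extension
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# cert_cn FILE: print the subject Common Name (empty if the cert has none)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# classify FILE: one-word verdict used when comparing Squid's cert with the origin's
classify() {
    if has_san "$1"; then echo "SAN present"; else echo "CN-only"; fi
}

# Constructed sample certificates; in practice you would save the certificate
# the browser shows (via Squid) and the origin server's own certificate, e.g.
#   openssl s_client -connect origin.example:443 -servername origin.example \
#       </dev/null 2>/dev/null | openssl x509 -out origin.pem
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# CN-only certificate: what an unpatched Squid may generate when not mimicking
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$TMP/cn.key" \
    -out "$TMP/cn-only.pem" -subj "/CN=example.test" >/dev/null 2>&1

# Certificate with a SAN: what a Squid with the r15131 fix generates
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$TMP/san.key" \
    -out "$TMP/with-san.pem" -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test" >/dev/null 2>&1

for f in "$TMP/cn-only.pem" "$TMP/with-san.pem"; do
    printf '%s: CN=%s, %s\n' "$(basename "$f")" "$(cert_cn "$f")" "$(classify "$f")"
done
```

Chrome's "does not contain a Subject Alternative Name" error corresponds to the "CN-only" verdict; if the origin's own certificate is also CN-only, the fix for bug 4711 will not help, since Squid keeps mimicking it.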
