[squid-users] ssl bump and chrome 58

Rafael Akchurin rafael.akchurin at diladele.com
Wed May 3 09:05:44 UTC 2017


Sorry, disregard - I should practice my google fu better - see http://bugs.squid-cache.org/show_bug.cgi?id=4711

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Rafael Akchurin
Sent: Wednesday, May 3, 2017 10:48 AM
To: Flashdown <flashdown at data-core.org>; Yuri Voinov <yvoinov at gmail.com>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] ssl bump and chrome 58


Hello all,

The following steps produce the "Your connection is not private" error in Chrome 58, with "NET::ERR_CERT_COMMON_NAME_INVALID" and "missing_subjectAltName":

(peek-an-splice bumping squid 3.5.23_1 as in https://docs.diladele.com/howtos/build_squid_ubuntu16/index.html)

1. Open Chrome 58+
2. Type some non-existing domain name like "https://www.asdlajsdfl.com" (note the httpS:// schema)
3. See the missing_subjectAltName error.

Correct behavior would be Squid generating a faked certificate for the domain name "www.asdlajsdfl.com" *with* the subjectAltName extension set to "www.asdlajsdfl.com".

So the question is - does anyone know if this is an already existing bug, or shall I file one?
Maybe it is a feature?

Best regards,
Rafael


-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Flashdown
Sent: Thursday, April 27, 2017 6:42 PM
To: Yuri Voinov <yvoinov at gmail.com>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] ssl bump and chrome 58

I've tested the registry setting and it worked out. You can copy the below lines in a .reg file and execute it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"EnableCommonNameFallbackForLocalAnchors"=dword:00000001


Best regards,
Flashdown

On 2017-04-27 18:34, Flashdown wrote:
> Hello together,
>
> here is a workaround that you could use in the meantime.
>
> https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors
>
> Source:
> https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors
>>>>>> BEGIN
> EnableCommonNameFallbackForLocalAnchors
> Whether to allow certificates issued by local trust anchors that are 
> missing the subjectAlternativeName extension
>
> Data type:
>     Boolean [Windows:REG_DWORD]
> Windows registry location:
>
> Software\Policies\Google\Chrome\EnableCommonNameFallbackForLocalAnchors
> Mac/Linux preference name:
>     EnableCommonNameFallbackForLocalAnchors
> Android restriction name:
>     EnableCommonNameFallbackForLocalAnchors
> Supported on:
>
>         Google Chrome (Linux, Mac, Windows) since version 58 until version 65
>         Google Chrome OS (Google Chrome OS) since version 58 until version 65
>         Google Chrome (Android) since version 58 until version 65
>
> Supported features:
>     Dynamic Policy Refresh: Yes, Per Profile: No
> Description:
>
>     When this setting is enabled, Google Chrome will use the
> commonName of a server certificate to match a hostname if the
> certificate is missing a subjectAlternativeName extension, as long as
> it successfully validates and chains to a locally-installed CA
> certificate.
>
>     Note that this is not recommended, as this may allow bypassing the 
> nameConstraints extension that restricts the hostnames that a given 
> certificate can be authorized for.
>
>     If this policy is not set, or is set to false, server certificates 
> that lack a subjectAlternativeName extension containing either a DNS 
> name or IP address will not be trusted.
> Example value:
>     0x00000000 (Windows), false (Linux), false (Android), <false />
> (Mac)
> <<<<<<<<<<<< END
>
>
>
> On 2017-04-27 18:16, Flashdown wrote:
>> Hello together,
>>
>> Suddenly I am facing the same issue since users' Chrome has been
>> updated to V58. I am running Squid 3.5.23.
>>
>> This is the reason:
>> https://www.thesslstore.com/blog/security-changes-in-chrome-58/
>> Short: Common Name Support Removed in Chrome 58, and Squid does not
>> create certs with DNS-Alternative names in them. Because of that it
>> fails.
>>
>> Chrome says:
>> 1. Subject Alternative Name Missing - The certificate for this site 
>> does not contain a Subject Alternative Name extension containing a 
>> domain name or IP address.
>> 2. Certificate Error - There are issues with the site's certificate 
>> chain (net::ERR_CERT_COMMON_NAME_INVALID).
>>
>> Can we get Squid to add the DNS-Alternative Name to the generated 
>> certs? Since this is what I believe is now required in Chrome 58+
>>
>> Best regards,
>> Enrico
>>
>>
>> On 2017-04-21 15:35, Yuri Voinov wrote:
>>> I see no problem with it on all five SSL Bump-aware servers with new
>>> Chrome. So far so good.
>>>
>>>
>>> On 21.04.2017 18:29, Marko Cupać wrote:
>>>> Hi,
>>>>
>>>> I have a squid setup with ssl bump which worked fine, but since I
>>>> updated chrome to 58 it won't display any https sites, throwing
>>>> NET::ERR_CERT_COMMON_NAME_INVALID. https sites still work in the
>>>> previous chrome version, as well as in IE.
>>>>
>>>> Anything I can do in squid config to get ssl-bumped sites in chrome 
>>>> again?
>>>>
>>>> Thank you in advance,
>>>
>>> _______________________________________________
>>> squid-users mailing list
>>> squid-users at lists.squid-cache.org
>>> http://lists.squid-cache.org/listinfo/squid-users
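The check Flashdown describes above (Chrome 58 consults only subjectAltName, so Squid's CN-only mimic certificates fail with ERR_CERT_COMMON_NAME_INVALID, and the EnableCommonNameFallbackForLocalAnchors policy is the only way commonName is consulted again) as an added, stdlib-only emulation; this is example code, not code from the thread, Squid or Chromium, and the certificate dicts are constructed in the layout Python's ssl.getpeercert() returns.

```python
import ipaddress  # constructed cert dicts below use ssl.getpeercert()'s layout


def _dns_label_match(pattern, hostname):
    """RFC 6125-style match: a single '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split('.'), hostname.split('.')
    if plabels[0] != '*' or len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname, cn_fallback_policy=False, local_anchor=False):
    """Return (ok, reason) the way Chrome 58 decides it.

    Only subjectAltName is consulted. commonName is used only when the
    EnableCommonNameFallbackForLocalAnchors policy is on *and* the chain
    ends at a locally installed CA, which is the SSL Bump situation.
    """
    san = cert.get('subjectAltName', ())
    dns_names = [v for t, v in san if t == 'DNS']
    ip_names = [v for t, v in san if t == 'IP Address']
    if dns_names or ip_names:
        try:
            ip = ipaddress.ip_address(hostname)
        except ValueError:
            ip = None
        if ip is not None:
            if any(ipaddress.ip_address(v) == ip for v in ip_names):
                return True, 'matched SAN iPAddress'
        elif any(_dns_label_match(p, hostname) for p in dns_names):
            return True, 'matched SAN dNSName'
        return False, 'ERR_CERT_COMMON_NAME_INVALID: no SAN entry matches'
    # No SAN at all: the missing_subjectAltName case from the thread.
    if not (cn_fallback_policy and local_anchor):
        return False, 'ERR_CERT_COMMON_NAME_INVALID: missing_subjectAltName'
    cns = [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']
    if any(_dns_label_match(cn, hostname) for cn in cns):
        return True, 'matched commonName via local-anchor fallback policy'
    return False, 'ERR_CERT_COMMON_NAME_INVALID: commonName does not match'


# Constructed samples: a CN-only mimic cert as Squid 3.5.23 generated it,
# and the same cert carrying the subjectAltName that Chrome 58 requires.
CN_ONLY_CERT = {'subject': ((('commonName', 'www.asdlajsdfl.com'),),)}
SAN_CERT = {'subject': ((('commonName', 'www.asdlajsdfl.com'),),),
            'subjectAltName': (('DNS', 'www.asdlajsdfl.com'), ('DNS', '*.asdlajsdfl.com'))}
```

Feeding a real peer certificate from ssl.SSLSocket.getpeercert() through hostname_matches() shows whether a bumping proxy's generated certificate would pass Chrome 58 before the registry policy is rolled out.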

