[squid-users] Chrome 58+: only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate

Flashdown flashdown at data-core.org
Thu May 18 09:41:38 UTC 2017


Dear Eliezer,

Please have a look at http://bugs.squid-cache.org/show_bug.cgi?id=4711;
the patches for this issue are already done. Many thanks to Christos 
Tsantilas!


@Amos: I hope you consider adding the patch to Squid 3.5 as well, since 
for now it has only been added to Squid 4; maybe the reason is a testing 
period or something similar. It would be nice to get an update like "will be 
added to the upcoming release 3.5.xx" :)

On 2017-05-18 11:05, Eliezer Croitoru wrote:
> Hey List,
> 
> Since one of the subjects is SSL and specifically SSL-BUMP I noticed a
> change today and found out that:
> For Chrome 58 and later, only the subjectAlternativeName extension, not
> commonName, is used to match the domain name and site certificate.
> If the certificate doesn’t have the correct subjectAlternativeName
> extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them
> know that the connection isn’t private.
> 
> Google source:
> https://support.google.com/chrome/a/answer/7391219?hl=en
> 
> So if someone sees something weird... it might not even be related
> directly to squid!
> 
> Regards,
> Eliezer
> 
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
> 
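Added example (not part of the original thread and not Squid code): a small audit that flags certificates a client with commonName fallback would accept but a SAN-only client, as described for Chrome 58+, would reject. It works on the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificates, the function names, the RFC 2818-style fallback rule and the simplified wildcard rule are assumptions made for illustration.

```python
# Added example: SAN-only vs. commonName-fallback hostname matching.
# Input uses the dict shape of ssl.SSLSocket.getpeercert(); samples are constructed.

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only replace the whole leftmost label (simplified)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def matches_san_only(cert, host):
    """Behaviour described for Chrome 58+: only subjectAltName is consulted."""
    return any(_dns_match(n, host) for n in san_dns_names(cert))

def matches_with_cn_fallback(cert, host):
    """Assumed legacy rule (RFC 2818 style): use commonName only if no DNS SAN exists."""
    names = san_dns_names(cert) or common_names(cert)
    return any(_dns_match(n, host) for n in names)

def audit(certs, host):
    """Labels of certs that pass with CN fallback but fail SAN-only matching."""
    return [label for label, c in certs.items()
            if matches_with_cn_fallback(c, host) and not matches_san_only(c, host)]

# Constructed sample certificates (hypothetical hosts).
SAMPLES = {
    "cn_only": {"subject": ((("commonName", "www.example.com"),),)},
    "cn_and_san": {"subject": ((("commonName", "www.example.com"),),),
                   "subjectAltName": (("DNS", "www.example.com"),)},
    "wildcard_san": {"subject": ((("commonName", "example.com"),),),
                     "subjectAltName": (("DNS", "*.example.com"),)},
    "san_other_host": {"subject": ((("commonName", "www.example.com"),),),
                       "subjectAltName": (("DNS", "mail.example.com"),)},
}

if __name__ == "__main__":
    print(audit(SAMPLES, "www.example.com"))
```

Certificates that land in the audit result are the ones that would need to be reissued with a matching subjectAltName entry.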