Chrome 58+: only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate


Chrome 58+: only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate

Eliezer Croitoru
Hey List,

Since one of the subjects is SSL and specifically SSL-BUMP I noticed a
change today and found out that:
For Chrome 58 and later, only the subjectAlternativeName extension, not
commonName, is used to match the domain name and site certificate.
If the certificate doesn’t have the correct subjectAlternativeName
extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them
know that the connection isn’t private.

Google source:
https://support.google.com/chrome/a/answer/7391219?hl=en

So if someone sees something weird... it might not even be related
directly to squid!

Regards,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]




_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
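
The difference described in the message above, as an added example that is not part of the original posts and is not Squid or Chrome code: it compares SAN-only name matching with the older commonName fallback. It assumes certificates in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`, handles only dNSName entries with a simplified wildcard rule, and uses constructed `example.test` names.

```python
def _dns_match(pattern, hostname):
    """Match one name; '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: the wildcard covers one label and needs two fixed labels.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def matches_san_only(cert, hostname):
    """Behaviour described for Chrome 58+: commonName is never consulted."""
    return any(_dns_match(n, hostname) for n in san_dns_names(cert))

def matches_legacy(cert, hostname):
    """Older behaviour: fall back to commonName when no dNSName SAN exists."""
    names = san_dns_names(cert) or common_names(cert)
    return any(_dns_match(n, hostname) for n in names)

def classify(cert, hostname):
    if matches_san_only(cert, hostname):
        return "ok"
    if matches_legacy(cert, hostname):
        # Expected to show NET::ERR_CERT_COMMON_NAME_INVALID in Chrome 58+.
        return "cn-only"
    return "mismatch"

# Constructed sample certificates (not taken from any real site).
SUBJECT = ((("commonName", "www.example.test"),),)
CN_ONLY = {"subject": SUBJECT}
WITH_SAN = {"subject": SUBJECT,
            "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.example.test"))}
WRONG_SAN = {"subject": SUBJECT, "subjectAltName": (("DNS", "other.example.test"),)}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("with SAN", WITH_SAN), ("wrong SAN", WRONG_SAN)):
        print(label, "->", classify(cert, "www.example.test"))
```

A certificate classified as `cn-only` is the case the post warns about: it passed under the older fallback and needs a matching subjectAlternativeName entry to pass the SAN-only check.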

Re: Chrome 58+: only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate

Enrico Heine
Dear Eliezer,

Please have a look into http://bugs.squid-cache.org/show_bug.cgi?id=4711
the patches for this issue are already done. Many thx to Christos
Tsantilas!


@Amos: I hope you consider adding the patch to Squid 3.5 as well, since
for now it just has been added to Squid 4, maybe the reason is a testing
period or something similar. Would be nice to get an update like will be
added into upcoming release 3.5.xx :)

On 2017-05-18 11:05, Eliezer Croitoru wrote:

> Hey List,
>
> Since one of the subjects is SSL and specifically SSL-BUMP I noticed a
> change today and found out that:
> For Chrome 58 and later, only the subjectAlternativeName extension, not
> commonName, is used to match the domain name and site certificate.
> If the certificate doesn’t have the correct subjectAlternativeName
> extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting
> them know that the connection isn’t private.
>
> Google source:
> https://support.google.com/chrome/a/answer/7391219?hl=en
>
> So if someone sees something weird... it might not even be related
> directly to squid!
>
> Regards,
> Eliezer
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: [hidden email]

Re: Chrome 58+: only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate

Amos Jeffries
Administrator
On 18/05/17 21:41, Flashdown wrote:

> Dear Eliezer,
>
> Please have a look into http://bugs.squid-cache.org/show_bug.cgi?id=4711
> the patches for this issue are already done. Many thx to Christos
> Tsantilas!
>
>
> @Amos: I hope you consider adding the patch to Squid 3.5 as well,
> since for now it just has been added to Squid 4, maybe the reason is a
> testing period or something similar. Would be nice to get an update
> like will be added into upcoming release 3.5.xx :)
>

Aye, it's on the list, just waiting for me to get time for backporting.
Since Christos has provided patches already, that has good chances of
happening next week.

Amos
