3.5 and above have "server-first" only for backward compatibility. 27.04.2017 22:50, William Lima пишет: > Hi, > > The problem occurs due to some ssl_bump directive actions, so Squid cannot get all information (X.509 v3 extensions) to mimic. "ssl_bump server-first all" should work. > > William Lima > > ----- Original Message ----- > From: "Flashdown" <flashdown@xxxxxxxxxxxxx> > To: "Yuri Voinov" <yvoinov@xxxxxxxxx> > Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx > Sent: Thursday, April 27, 2017 1:41:48 PM > Subject: Re: ssl bump and chrome 58 > > I've tested the registry setting and it worked out. You can copy the > below lines in a .reg file and execute it. > > Windows Registry Editor Version 5.00 > > [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] > "EnableCommonNameFallbackForLocalAnchors"=dword:00000001 > > > Best regards, > Flashdown > > Am 2017-04-27 18:34, schrieb Flashdown: >> Hello together, >> >> here is a workaround that you could use in the meanwhile. >> >> https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors >> >> Source: >> https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors >>>>>>> BEGIN >> EnableCommonNameFallbackForLocalAnchors >> Whether to allow certificates issued by local trust anchors that are >> missing the subjectAlternativeName extension >> >> Data type: >> Boolean [Windows:REG_DWORD] >> Windows registry location: >> >> Software\Policies\Google\Chrome\EnableCommonNameFallbackForLocalAnchors >> Mac/Linux preference name: >> EnableCommonNameFallbackForLocalAnchors >> Android restriction name: >> EnableCommonNameFallbackForLocalAnchors >> Supported on: >> >> Google Chrome (Linux, Mac, Windows) since version 58 until >> version 65 >> Google Chrome OS (Google Chrome OS) since version 58 until >> version 65 >> Google Chrome (Android) since version 58 until version 65 >> >> Supported features: >> Dynamic Policy Refresh: Yes, Per Profile: No >> Description: >> >> When this setting is enabled, Google Chrome will use the >> commonName of a server certificate to match a hostname if the >> certificate is missing a subjectAlternativeName extension, as long as >> it successfully validates and chains to a locally-installed CA >> certificates. >> >> Note that this is not recommended, as this may allow bypassing the >> nameConstraints extension that restricts the hostnames that a given >> certificate can be authorized for. >> >> If this policy is not set, or is set to false, server certificates >> that lack a subjectAlternativeName extension containing either a DNS >> name or IP address will not be trusted. >> Example value: >> 0x00000000 (Windows), false (Linux), false (Android), <false /> >> (Mac) >> <<<<<<<<<<<< END >> >> >> >> Am 2017-04-27 18:16, schrieb Flashdown: >>> Hello together, >>> >>> Suddenly I am facing the same issue when users Chrome has been updated >>> to V58. I am running Squid 3.5.23. >>> >>> This is the reason: >>> https://www.thesslstore.com/blog/security-changes-in-chrome-58/ >>> Short: Common Name Support Removed in Chrome 58 and Squid does not >>> create certs with DNS-Alternatives names in it. Because of that it >>> fails. >>> >>> Chrome says: >>> 1. Subject Alternative Name Missing - The certificate for this site >>> does not contain a Subject Alternative Name extension containing a >>> domain name or IP address. >>> 2. Certificate Error - There are issues with the site's certificate >>> chain (net::ERR_CERT_COMMON_NAME_INVALID). >>> >>> Can we get Squid to add the DNS-Alternative Name to the generated >>> certs? Since this is what I believe is now required in Chrome 58+ >>> >>> Best regards, >>> Enrico >>> >>> >>> Am 2017-04-21 15:35, schrieb Yuri Voinov: >>>> I see no problem with it on all five SSL Bump-aware servers with new >>>> Chrome. So fare so good. >>>> >>>> >>>> 21.04.2017 18:29, Marko Cupać пишет: >>>>> Hi, >>>>> >>>>> I have squid setup with ssl bump which worked fine, but since I >>>>> updated >>>>> chrome to 58 it won't display any https sites, throwing >>>>> NTT:ERR_CERT_COMMON_NAME_INVALID. https sites still work in previous >>>>> chrome version, as well as in IE. >>>>> >>>>> Anything I can do in squid config to get ssl-bumped sites in chrome >>>>> again? >>>>> >>>>> Thank you in advance, >>>> _______________________________________________ >>>> squid-users mailing list >>>> squid-users@xxxxxxxxxxxxxxxxxxxxx >>>> http://lists.squid-cache.org/listinfo/squid-users >>> _______________________________________________ >>> squid-users mailing list >>> squid-users@xxxxxxxxxxxxxxxxxxxxx >>> http://lists.squid-cache.org/listinfo/squid-users >> _______________________________________________ >> squid-users mailing list >> squid-users@xxxxxxxxxxxxxxxxxxxxx >> http://lists.squid-cache.org/listinfo/squid-users > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users -- Bugs to the Future
Attachment:
0x613DEC46.asc
Description: application/pgp-keys
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
