Chrome 58+, ERR_CERT_COMMON_NAME_INVALID and missing_subjAltName

After Chrome 58+ started to check for the presence of the subjAltName extension in SSL certificates presented by remote sites, it turned out that the order of the sslbump directives that the Admin UI generates is not completely correct. If you have blocked in Web Safety, then accessing in Chrome 58+ results in an ERR_CERT_COMMON_NAME_INVALID error message instead of the expected access forbidden page.

Consider the following.

* We have blocked access to in Default Policy / Block by Domain.
* The user types into the address bar of the browser. Note the httpS:// scheme!
* The browser tries to establish a CONNECT tunnel to through the Squid proxy.
* Squid forwards this request to the ICAP web filter.
* Web Safety instructs Squid to decrypt the HTTPS connection (to be able to show the blocked page later).
* Squid mimics the SSL certificate of without contacting the actual YouTube. Thus the mimicked certificate does not have the subjAltName extension included.
* Chrome 58+ shows the “Your connection is not private” message.

This happens because by default Squid does not include the subjAltName extension in SSL certificates generated without contacting origin servers. See bug (will be fixed in Squid version 3.5.25+).
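The following is an added example (not code from Web Safety or Squid) that makes the failure mode concrete. It hand-builds two minimal DER-encoded X.509 v3 certificates with placeholder key and signature bytes (so they are structurally valid but not signed), one without and one with a subjectAltName extension, and then applies the rule Chrome 58+ uses: the Common Name is ignored and the hostname must match a dNSName in subjectAltName. The hostname `blocked-site.example` and the certificate contents are constructed for the demo.

```python
"""Does an X.509 certificate carry subjectAltName? (Chrome 58+ check, added example)."""
from typing import List, Optional

SAN_OID = bytes.fromhex("551d11")  # id-ce-subjectAltName, OID 2.5.29.17
CN_OID = bytes.fromhex("550403")   # id-at-commonName, OID 2.5.4.3
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption (placeholder only)
RSA_ENC = bytes.fromhex("2a864886f70d010101")     # rsaEncryption (placeholder only)


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value triple with definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def read_tlvs(data: bytes):
    """Yield (tag, content) for each DER element in a concatenated run of elements."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nb = first & 0x7F
            length, hdr = int.from_bytes(data[i + 2:i + 2 + nb], "big"), 2 + nb
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def build_cert(common_name: str, san_dns: Optional[List[str]]) -> bytes:
    """Constructed, unsigned, syntactically valid X.509 v3 certificate (demo data only)."""
    name = seq(tlv(0x31, seq(tlv(0x06, CN_OID), tlv(0x0C, common_name.encode()))))
    tbs_fields = [
        tlv(0xA0, tlv(0x02, b"\x02")),                          # [0] version v3
        tlv(0x02, b"\x01"),                                      # serialNumber
        seq(tlv(0x06, SHA256_RSA)),                              # signature algorithm
        name,                                                    # issuer (dummy)
        seq(tlv(0x17, b"170101000000Z"), tlv(0x17, b"271231235959Z")),  # validity
        name,                                                    # subject with CN only
        seq(seq(tlv(0x06, RSA_ENC)), tlv(0x03, b"\x00dummykey")),       # SPKI placeholder
    ]
    if san_dns is not None:
        general_names = seq(*(tlv(0x82, d.encode()) for d in san_dns))  # [2] dNSName entries
        ext = seq(tlv(0x06, SAN_OID), tlv(0x04, general_names))
        tbs_fields.append(tlv(0xA3, seq(ext)))                   # [3] extensions
    return seq(seq(*tbs_fields), seq(tlv(0x06, SHA256_RSA)), tlv(0x03, b"\x00dummysig"))


def subject_alt_names(cert_der: bytes) -> Optional[List[str]]:
    """Return the dNSName entries of subjectAltName, or None if the extension is absent."""
    _, cert_body = next(read_tlvs(cert_der))
    _, tbs_body = next(read_tlvs(cert_body))
    for tag, content in read_tlvs(tbs_body):
        if tag != 0xA3:                      # only the [3] extensions field matters here
            continue
        _, ext_list = next(read_tlvs(content))
        for _, ext in read_tlvs(ext_list):
            parts = list(read_tlvs(ext))
            if parts[0][1] != SAN_OID:
                continue
            _, names = next(read_tlvs(parts[-1][1]))  # extnValue wraps a GeneralNames SEQUENCE
            return [c.decode() for t, c in read_tlvs(names) if t == 0x82]
    return None


def chrome58_accepts(cert_der: bytes, hostname: str) -> bool:
    """Chrome 58+ rule: CN is ignored; hostname must match a SAN dNSName (exact or left-label wildcard)."""
    names = subject_alt_names(cert_der)
    if names is None:
        return False  # missing_subjAltName -> ERR_CERT_COMMON_NAME_INVALID
    host = hostname.lower().split(".")
    for n in names:
        labels = n.lower().split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False


if __name__ == "__main__":
    site = "blocked-site.example"  # constructed hostname standing in for the blocked domain
    mimicked = build_cert(site, None)                  # what Squid generates without contacting the origin
    with_san = build_cert(site, ["*.example", site])   # what the origin's real certificate would carry
    for label, cert in (("mimicked, no SAN", mimicked), ("with SAN", with_san)):
        print(f"{label}: SAN={subject_alt_names(cert)} accepted={chrome58_accepts(cert, site)}")
```

Run it and the mimicked certificate is rejected even though its CN matches the hostname, which is exactly the ERR_CERT_COMMON_NAME_INVALID outcome described above; the same certificate with a SAN entry is accepted. The parser only walks the DER structure and never validates the signature, so it is a diagnostic for the "is subjAltName present" question, not a replacement for a full chain validation.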

To fix this issue we need to reorder the SSL bump directives that Web Safety generates. Continue reading at

About sichent

This entry was posted in Linux.