HTTPS scanning Web Protection SSL error ERR_CERT_COMMON_NAME_INVALID

Question

Hi 
 After Google has updated Chrome, we now have problems accessing websites with SSL. 
 HTTPS Scanning is enabled on the Sophos UTM and the problem seems to be that Chrome no longer accepts an empty DNS name in the SSL certificate presented in the browser. 
 Does anyone have a solution to this? 
 I guess that the best solution would be for Sophos to change the way they generate the "Man in the middle" certificate so that the website URL is listed in the DNS (or SAN) in the certificate. 
 Anyone? 
 Kind regards 
 Karsten Stolten

Aditya Patel · Accepted Answer

HI KarstenStolten, 
 The new version of Chrome V58 will no longer accept certificates that do not have a subject alternate name. Chrome is following RFC 2818 for this change. Chrome V58 has now gone GA . 
 This could affect the Sophos Web appliance and Sophos UTM, which both use https scanning. The site generated certificate that we give back in these cases does not have a subject alternate name, meaning Chrome will reject the certificate and block the site 
 There are 3 options you may opt for. 
 Option 1: Disable HTTPS scanning untill the issue is fixed. 
 Option 2: Use another Web Browser . 
 Option 3 *preferred: setting this GPO to ENABLED https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors 
 Our Dev team are working on this issue should be resolved soon .

Infrastructure Team · Answer

I had the same issue. Took me a while to realise that I had to update the ASMX files with the new version (the files in the link were updated for the v58 release on 18th April). Update these and the entry is under User Admin Templates > Google > Chrome as 'Whether to allow certificates issued by local trust anchors that are missing the subjectAlternativeName extension'.

Aditya Patel · Answer

Hi All, 
 We have resolved this issue with our latest update 
 UTM 9.413004 
 ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.412002-413004.tgz.gpg 
 MD5: 753ff750ef6785f3f7fa2c97ed9da42c 
 File size: ~4MB

Chris Hill · Answer

Jim, that's perfectly normal. What matters is the SAN on the certificates generated by the UTM on specific sites e.g www.google.com. These are the ones that should now be correct.

Aditya Patel · Answer

Sorry for the delay , 
 As you are aware of the issue with Chrome V58, the workaround is provided by enabling the fallback option. 
 
 Requires: Administrator CMD. 
 
 reg add HKLM\Software\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors /t REG_DWORD /d 1