
HTTPS scanning Web Protection SSL error ERR_CERT_COMMON_NAME_INVALID

Hi

After Google has updated Chrome, we now have problems accessing websites with SSL.

HTTPS Scanning is enabled on the Sophos UTM and the problem seems to be that Chrome no longer accepts an empty DNS name in the SSL certificate presented in the browser.

Does anyone have a solution to this?

I guess that the best solution would be for Sophos to change the way they generate the "Man in the middle" certificate so that the website URL is listed in the DNS (or SAN) in the certificate.

Anyone?

Kind regards

Karsten Stolten



  • Hi KarstenStolten,

    The new version of Chrome V58 will no longer accept certificates that do not have a subject alternate name. Chrome is following RFC 2818 for this change. Chrome V58 has now gone GA.

    This could affect the Sophos Web appliance and Sophos UTM, which both use HTTPS scanning. The site-generated certificate that we give back in these cases does not have a subject alternate name, meaning Chrome will reject the certificate and block the site.

    There are 3 options you may opt for.

    Option 1: Disable HTTPS scanning until the issue is fixed.

    Option 2: Use another web browser.

    Option 3 *preferred: setting this GPO to ENABLED https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

    Our Dev team are working on this issue; it should be resolved soon.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

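The name check behind ERR_CERT_COMMON_NAME_INVALID, as an added example that is not part of the original thread and is not Chrome's or Sophos' code: a simplified model of host-name matching over the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`. The certificates, the `example.test` names and the `cn_fallback` switch (standing in for the policy from Option 3) are constructed for illustration.

```python
# Added example: simplified model of browser host-name matching.
# Not Chrome's or Sophos' code; certificates below are constructed samples
# in the dict layout returned by ssl.SSLSocket.getpeercert().

def dns_match(pattern, host):
    """Compare one certificate name with the requested host name."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # A wildcard stands for exactly one left-most label.
    head, _, tail = h.partition(".")
    return bool(head) and tail == p[2:]

def san_dns_names(cert):
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def verify_host(cert, host, cn_fallback=False):
    """Return (accepted, reason).

    cn_fallback is a hypothetical switch modelling the older behaviour that
    the EnableCommonNameFallbackForLocalAnchors policy turns back on.
    """
    sans = san_dns_names(cert)
    if sans:
        # Once dNSName entries exist, the Common Name is never consulted.
        ok = any(dns_match(s, host) for s in sans)
        return ok, ("SAN match" if ok else "SAN present, no match")
    if cn_fallback and any(dns_match(c, host) for c in common_names(cert)):
        return True, "CN fallback"
    return False, "no SAN dNSName"

# Constructed sample: interception certificate carrying only a Common Name.
CN_ONLY = {"subject": ((("commonName", "www.example.test"),),)}
# Constructed sample: same subject, with the host listed in the SAN extension.
WITH_SAN = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.example.test")),
}

if __name__ == "__main__":
    for name, cert in (("CN only", CN_ONLY), ("with SAN", WITH_SAN)):
        for fallback in (False, True):
            print(name, "fallback" if fallback else "strict",
                  verify_host(cert, "www.example.test", fallback))
```

The same `verify_host` call can be pointed at the dict from a live `getpeercert()` on a test client behind the proxy to confirm whether the re-signed certificate carries a matching dNSName.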