PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.
We'd love to hear about it! Click here to go to the product suggestion community
After Google has updated Chrome, we now have problems accessing websites with SSL.
HTTPS Scanning is enabled on the Sophos UTM and the problem seems to be that Chrome no longer accepts an empty DNS name in the SSL certificate presented in the browser.
Does anyone have a solution to this?
I guess that the best solution would be for Sophos to change the way they generate the "Man in the middle" certificate so that the website URL is listed in the DNS (or SAN) in the certificate.
Same here. Issue occurs after Chrome 58 is installed.
Here are the details of the Chrome changes (which apparently are identical to changes in Firefox 48): https://bugs.chromium.org/p/chromium/issues/detail?id=700595&desc=2
Sophos need to fix this.
In reply to Chris Hill:
(It's possible to set the 'Whether to allow certificates issued by local trust anchors that are missing the subjectAlternativeName extension' policy using the ADM/ADMX templates from https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip which will set EnableCommonNameFallbackForLocalAnchors in the registry to work around this for now - however be aware this may stop working in Google Chrome 65 - again, Sophos need to fix)
Thank you for your feedback. Nice to know that I'm not alone! :)
I have submitted a support ticket to Sophos support regarding this issue. Hope to hear from the soon!
I will keep you posted!
Kind regardsKarsten Stolten
Had a reply for a ticket I opened this morning for the same thing
I apologize for all the inconvenience caused to you. I am sorry to inform you that many customers are facing this issue due to the latest update of Chrome browser. And our development team is working on this issue to resolve this on earliest basis. The workaround for now is to use any other browser or to switch off decrypt and scan for web traffic for now.
Hope this addresses your query.
The new version of Chrome V58 will no longer accept certificates that do not have a subject alternate name. Chrome is following RFC 2818 for this change. Chrome V58 has now gone GA .
This could affect the Sophos Web appliance and Sophos UTM, which both use https scanning. The site generated certificate that we give back in these cases does not have a subject alternate name, meaning Chrome will reject the certificate and block the site
There are 3 options you may opt for.
Option 1: Disable HTTPS scanning untill the issue is fixed.
Option 2: Use another Web Browser .
Option 3 *preferred: setting this GPO to ENABLED https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors
Our Dev team are working on this issue should be resolved soon .
In reply to Aditya Patel:
Do you have any experience applying that GPO? I must be missing something. I have the policies in GP Management Editor, but I cannot find the policy in question anywhere.
In reply to iTechThingsSeriously:
I had the same issue. Took me a while to realise that I had to update the ASMX files with the new version (the files in the link were updated for the v58 release on 18th April). Update these and the entry is under User Admin Templates > Google > Chrome as 'Whether to allow certificates issued by local trust anchors that are missing the subjectAlternativeName extension'.
In reply to Infrastructure Team:
Thanks, I spent a good 10 minutes looking for that and had just given up!
Thank you for the info!
Looking forward to the resolution.
Thanks Aditya for your post. Just to confirm that according to https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-matching/ the EnableCommonNameFallbackForLocalAnchors setting will stop working in a later version of Chrome (quite a few months away, but still).
Hoping for a quick resolution for this from Sophos so that this isn't necessary any more.
Any update regarding issue ?
Thank you very much for pointing that out!
Hello, I'm just wondering if there is any news on when we might see an update to resolve this issue?
As this is now starting to affect our organisation as well. We managed to stop the updates before our PCs were affected but a number of our Macs have already updated to Chrome 58 and can not get on Google websites and services.
Unfortunately Macs cannot use GPOs, so we have had to advise users to switch to Safari for the time being, but it would be better if Sophos could fix the issue with HTTPS certificate generation on their UTM system.
Dan Jackson (Lead ITServices Technician)
Long Road Sixth Form College
In reply to Long Road SFC ITServices:
We have resolved this issue with our latest update
File size: ~4MB