After Google has updated Chrome, we now have problems accessing websites with SSL.
HTTPS Scanning is enabled on the Sophos UTM and the problem seems to be that Chrome no longer accepts an empty DNS name in the SSL certificate presented in the browser.
Does anyone have a solution to this?
I guess that the best solution would be for Sophos to change the way they generate the "Man in the middle" certificate so that the website URL is listed in the DNS (or SAN) in the certificate.
In reply to Chris Hill:
Agreed - but probably not for the same reason you are thinking. I had it set to decrypt and scan all sites. I am familiar with HTTPS scanning on the UTM. Nearly all of the sites I hit delivered the UTM certificate to Chrome. This one that you posted did not. I checked the logs, and there were no exceptions set on the site at all. I am merely pointing out that just because you tell the UTM to decrypt and scan everything, it does not mean that it does. Pinned certificates can prevent the scanning by the UTM and will typically fail the communication as well because of a certificate mismatch between what it knows it should see and what it does see.
Google ships Chrome with some certs built in, and will always use them. Whether this Symantec cert is or is not included, I don't know.
In reply to Aditya Patel:
I have updated to 9.5, re-issued, and deployed the UTM root certificate. Looking at the certificate, what I am seeing for the SAN is IP Address=127.0.0.1. Is this correct? The old certificate had the same thing.
In reply to JimKoerner:
Jim, that's perfectly normal. What matters is the SAN on the certificates generated by the UTM on specific sites, e.g. www.google.com. These are the ones that should now be correct.
Have reported the issue accessing the following sites with Decrypt & Scan enabled to Sophos:
Ticket 7273822. I'll feed back here if others experience the same problem.
I see that now. Like now the SAN for the forum site shows correctly as DNS Name=community.sophos.com.
In reply to Long Road SFC ITServices:
For Macs you can type the following into Terminal...
defaults write com.google.Chrome EnableCommonNameFallbackForLocalAnchors -bool true
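The name check this thread revolves around, as an added example that is not part of any post above and is not Sophos or Chrome code: it decides whether a certificate would pass hostname matching when the commonName is ignored, and what changes when the EnableCommonNameFallbackForLocalAnchors setting is on. The certificate dicts follow the layout of Python's ssl.SSLSocket.getpeercert(); the sample certificates are constructed, and the wildcard rule is a simplification.

```python
# Added example. Cert dicts use the layout returned by ssl.SSLSocket.getpeercert().
# OLD_MITM / NEW_MITM are constructed samples, not certificates captured from a UTM.

def _name_match(pattern, host):
    """Match one DNS name; '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: refuse '*.tld'; real browsers consult a public suffix list.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_name(cert, host, cn_fallback=False):
    """Return (accepted, reason) for host against cert.

    cn_fallback=True models EnableCommonNameFallbackForLocalAnchors being set.
    """
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if any(_name_match(d, host) for d in dns):
        return True, "SAN dNSName matches"
    if dns:
        # Once any dNSName exists, the commonName is never consulted.
        return False, "SAN dNSName present but none match"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if cn_fallback and any(_name_match(c, host) for c in cns):
        return True, "accepted via commonName fallback"
    if cns:
        return False, "no SAN dNSName; commonName ignored"
    return False, "no usable name"

# Constructed: proxy-generated certificate with the host only in the commonName.
OLD_MITM = {"subject": ((("commonName", "community.sophos.com"),),)}
# Constructed: proxy-generated certificate after the fix, host also in the SAN.
NEW_MITM = {
    "subject": ((("commonName", "community.sophos.com"),),),
    "subjectAltName": (("DNS", "community.sophos.com"),),
}

if __name__ == "__main__":
    for label, cert in (("old", OLD_MITM), ("new", NEW_MITM)):
        for fallback in (False, True):
            print(label, fallback, check_name(cert, "community.sophos.com", fallback))
```

An IP-only SAN such as IP Address=127.0.0.1 contributes no dNSName, so it is handled the same way as a certificate with no SAN at all.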