
Privacy Error - Chrome v60

I was not getting these issues until Chrome updated to version 60. It seems that it now requires a S.A.N. to be set.

Will this be addressed in the next firmware update?

Is there anything I can do to stop getting these warnings?

In trying to sort the error out I have recreated the Default Cert and set the CN to the IP of the unit, regenerated the CA Cert and installed the new Default and CA certs from the XG firewall into both Windows 10 and Chrome.



  • Hi,

    There was a reported issue in Chrome v58; please verify these steps and update us.

    The alternative provided by the Chromium discussion group:

    https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

    Please note that the steps below are a workaround and not the final solution.

    The system admin can edit the registry value on the local system to allow the deprecated certificate that fails with the CN (Common Name) error.

    Note: You can provide this command to the system admin; kindly refrain from making any changes to the user's system yourself.

    Prior to making any changes to the registry on the user's system, please take a backup of the existing registry via the link below.

    https://support.microsoft.com/en-in/help/322756/how-to-back-up-and-restore-the-registry-in-windows

    If the admin is not able to find the specific location (i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome) then he can take a backup of the entire folder (HKEY_LOCAL_MACHINE).

    Open CMD with 'Run as administrator' privilege and enter the command below:

    reg add HKLM\Software\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors /t REG_DWORD /d 1

    Please note that if the local system is joined to a domain, there is a possibility that the applied change will be overridden by domain policy. So kindly verify this on a system that is not connected to a domain; once it's confirmed, you can update the registry value domain-wide through a GPO update policy.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
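Chrome 58 stopped matching the Common Name, so a certificate whose CN is the firewall's IP but that carries no subjectAltName still fails even after the CA is trusted; the registry policy above only masks that for locally trusted CAs. The following added example (not from this thread or from Sophos) mirrors Chrome's name-matching rule on the dict Python's ssl module returns, so an admin can tell whether the firewall's certificate needs reissuing with a SAN. The IP 192.0.2.1, hostname xg.example.lan and port 4444 are placeholders.

```python
"""Mirror Chrome 58+ certificate name matching: the host must appear in the
subjectAltName (SAN); the Common Name is no longer consulted."""

import ipaddress
import socket
import ssl


def fetch_peer_cert(host, port=4444, cafile=None):
    """Fetch the server cert as a getpeercert() dict; the chain is still verified against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name matching is done by chrome_name_check() instead
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _dns_match(pattern, host):
    """Exact match, or a single '*' wildcard covering the left-most label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def chrome_name_check(cert, host):
    """Return 'san-match', 'cn-only' or 'no-match'; 'cn-only' is the Chrome 60 error from the thread."""
    try:
        ip = ipaddress.ip_address(host)  # IP literals must match an iPAddress SAN entry
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if ip is not None:
        san_ok = any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    else:
        san_ok = any(k == "DNS" and _dns_match(v, host) for k, v in san)
    if san_ok:
        return "san-match"
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    if cn is not None and (cn == str(ip) if ip else _dns_match(cn, host)):
        return "cn-only"  # CN alone gives NET::ERR_CERT_COMMON_NAME_INVALID in Chrome 58+
    return "no-match"


# Constructed samples (placeholder IP/hostname, not values from the thread): a default
# cert whose CN was set to the unit's IP but has no SAN, and the same cert reissued with one.
CN_ONLY_CERT = {"subject": ((("commonName", "192.0.2.1"),),)}
SAN_CERT = {"subject": ((("commonName", "192.0.2.1"),),),
            "subjectAltName": (("IP Address", "192.0.2.1"), ("DNS", "xg.example.lan"))}
```

Against a live firewall, `chrome_name_check(fetch_peer_cert("192.0.2.1", cafile="xg-ca.pem"), "192.0.2.1")` returning `cn-only` confirms the certificate itself is the problem rather than the CA installation.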

  • Hi sachingurung,

    Thank you for your lengthy response.

    I have added the key to the registry on the machine I use to administer the Sophos box but haven't done a restart to reload the registry yet. It takes about 20 mins to do a restart on this system. I'll restart it when I finish today and will see the result tomorrow... I'll let you know either way.

    Regards,

    Rick


    Self-employed computer technician (mostly domestic) and photographer.

    Language: English English (UK) - No, NOT (U.S.).
    Why is it that the IT world assumes that if you speak English then it is American, not English.
    English did not come from America, that's why it's not called American!!!

  • Hi sachingurung,

    I got the initial warning again after the regedit and restart but the choice to ignore the warning seems to have stuck, so I am not getting it every time I load the login page.

    I am still getting the crossed out https and being warned that the connection is "Not secure". Chrome shows each of the certs as "This certificate is OK." when I view them though and websites that I visit are shown as OK.

    One thing I notice is that when I visit Google.co.uk, microsoft.com, sophos.com and others, the certificate path does not include the Sophos XG's certs. When I visit, for example, the sites I manage and most 'less well known' sites, the certificate path starts with the Sophos CA Cert.

    Does that mean that the 'Decrypt and Scan' rule is not being honoured by the firewall on those 'well known' sites?


  • Refer to Sophos Firewall: SSL CA Certificate Installation Guide and try the Windows method to install the CA from MMC.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi sachingurung,

    I tried both methods already. I did the MMC method, as I usually would for certs, then the browser method as I can't remember which browsers use the Windows cert store and which don't. I always use both methods, just to be sure :-)

    I haven't had a chance to test it on the Macs here yet.

    I'm going to be away from here for the next few days but if you think of anything then I will see it when I get back... Thanks
