
HTTPS scanning Web Protection SSL error ERR_CERT_COMMON_NAME_INVALID

Hi

After Google has updated Chrome, we now have problems accessing websites with SSL.

HTTPS Scanning is enabled on the Sophos UTM and the problem seems to be that Chrome no longer accepts an empty DNS name in the SSL certificate presented in the browser.

Does anyone have a solution to this?

I guess that the best solution would be for Sophos to change the way they generate the "Man in the middle" certificate so that the website URL is listed in the DNS (or SAN) in the certificate.

Anyone?

Kind regards

Karsten Stolten



  • Hi, under 9.413004 after regenerating the Signing CA certificate we find the issue is resolved for most websites; however we are still experiencing problems with some websites using 'wildcard' certificates, for example:

    https://aaf1a18515da0e792f78-c27fdabe952dfc357fe25ebf5c8897ee.ssl.cf5.rackcdn.com/2066/blank-slate.style.css?v=1494272379000

    The 'Subject Alternate Name' for the original certificate on this website is: *.ssl.cf5.rackcdn.com. This works fine when accessed with 'Decrypt and Scan' disabled.

    However when accessed via our Sophos UTM, the Sophos certificate generated has a 'Subject Alternate Name' of 'a534b3cb973e1c6f094b-fd0bc916f1313f032c809744eb469080.ssl.cf5.rackcdn.com'

    (Please note that this is *not* a wildcard certificate, and the hostname is different to the one through which the site is accessed.)

    We get predictable SSL errors as a result. Please can others investigate so that I can report to Sophos?
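
The two failures reported in this thread, modelled as an added example (not Sophos or Chrome code, and not part of either post): a simplified SAN-only hostname check, assuming the browser matches the requested host only against the certificate's SAN DNS names and never the subject CN. The `check` helper and its result labels are hypothetical; the host names and SAN values are the ones quoted above.

```python
# Added example: simplified SAN-only hostname matching (not Chrome's or Sophos' code).

def san_matches(hostname, san_dns_names):
    """True if hostname matches a dNSName entry. The subject CN is never consulted."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue  # a wildcard stands for exactly one label
        if pattern[0] == "*":
            # Wildcard is honoured only as the whole left-most label.
            if len(pattern) >= 3 and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def check(hostname, san_dns_names):
    """Classify the outcome for one presented certificate (labels are hypothetical)."""
    if not san_dns_names:
        return "no-san"        # CN-only certificate: nothing to match against
    if not san_matches(hostname, san_dns_names):
        return "san-mismatch"  # SAN present but names a different host
    return "ok"


# Host name and SAN values quoted in the thread.
REQUESTED = "aaf1a18515da0e792f78-c27fdabe952dfc357fe25ebf5c8897ee.ssl.cf5.rackcdn.com"
ORIGIN_SAN = ["*.ssl.cf5.rackcdn.com"]
UTM_SAN = ["a534b3cb973e1c6f094b-fd0bc916f1313f032c809744eb469080.ssl.cf5.rackcdn.com"]
CN_ONLY_SAN = []  # constructed: a generated certificate with no SAN entries

if __name__ == "__main__":
    for label, san in [("origin", ORIGIN_SAN), ("utm", UTM_SAN), ("cn-only", CN_ONLY_SAN)]:
        print(f"{label:8} {check(REQUESTED, san)}")
```
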
