This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HTTPS scanning Web Protection SSL error ERR_CERT_COMMON_NAME_INVALID

Hi

After Google has updated Chrome, we now have problems accessing websites with SSL.

HTTPS Scanning is enabled on the Sophos UTM and the problem seems to be that Chrome no longer accepts an empty DNS name in the SSL certificate presented in the browser.

Does anyone have a solution to this?

I guess that the best solution would be for Sophos to change the way they generate the "Man in the middle" certificate so that the website URL is listed in the DNS (or SAN) in the certificate.

Anyone?

Kind regards

Karsten Stolten



This thread was automatically locked due to age.
Parents
  • HI KarstenStolten, 

    The new version of Chrome V58 will no longer accept certificates that do not have a subject alternate name.  Chrome is following RFC 2818 for this change.  Chrome V58 has now gone GA .

    This could affect the Sophos Web appliance and Sophos UTM, which both use https scanning. The site generated certificate that we give back in these cases does not have a subject alternate name, meaning Chrome will reject the certificate and block the site

    There are 3 options you may opt for. 

    Option 1: Disable HTTPS scanning untill the issue is fixed. 

    Option 2: Use another Web Browser . 

    Option 3 *preferred: setting this GPO to ENABLED https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors 

    Our Dev team are working on this issue should be resolved soon . 

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hello, I'm just wondering if there is any news on when we might see an update to resolve this issue?

    As this is now starting to affect our organisation as well. We managed to stop the updates before our PCs were affected but a number of our Macs have already updated to Chrome 58 and can not get on Google websites and services.

    Unfortunately Macs cannot use GPOs, so we have had to advise users to switch to Safari for the time being, but it would be better if Sophos could fix the issue with HTTPS certificate generation on their UTM system.

    Thanks,

    Dan Jackson (Lead ITServices Technician)

    Long Road Sixth Form College

    Cambridge, UK.

  • Actually - looks like doing that does make it work - certainly on a local test.

    Probably stupid of me to not have thought of that, but I don't actually think it's mentioned anywhere as being needed.

     

     

     

     

  • Hi, under 9.413004 after regenerating the Signing CA certificate we find the issue is resolved for most websites; however we are still experiencing problems with some websites using 'wildcard' certificates, for example:

    https://aaf1a18515da0e792f78-c27fdabe952dfc357fe25ebf5c8897ee.ssl.cf5.rackcdn.com/2066/blank-slate.style.css?v=1494272379000

    The 'Subject Alternate Name' for the original certificate on this website is: *.ssl.cf5.rackcdn.com. This works fine when accessed with 'Decrypt and Scan' disabled.

    However when accessed via our Sophos UTM, the Sophos certificate generated has a 'Subject Alternate Name' of 'a534b3cb973e1c6f094b-fd0bc916f1313f032c809744eb469080.ssl.cf5.rackcdn.com'

    (Please note that this is *not* a wildcard certificate, and the hostname is different to the one through which the site is accessed.)

    We get predictable SSL errors as a result. Please can others investigate so that I can report to Sophos?

  • Sorry for the delay , 

    As you are aware of the issue with Chrome V58, the workaround is provided by enabling the fallback option.

     

    Requires: Administrator CMD.

     

    reg add HKLM\Software\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors /t REG_DWORD /d 1

     

                                                                                                                         

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hi Aditya,

    No, I am reporting another problem when firmware 9.413004 is installed (which resolves the Chrome V58 issue).

    I get the following error in Google Chrome when attempting to access the site above:

    This server could not prove that it is aaf1a18515da0e792f78-c27fdabe952dfc357fe25ebf5c8897ee.ssl.cf5.rackcdn.com; its security certificate is from a534b3cb973e1c6f094b-fd0bc916f1313f032c809744eb469080.ssl.cf5.rackcdn.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

    Running reg add HKLM\Software\Policies\Google\Chrome /v EnableCommonNameFallbackForLocalAnchors /t REG_DWORD /d 1 as Administrator does not resolve this issue.

    If you attempt to visit the following site under 9.413004 with Decrypt and Scan enabled and EnableCommonNameFallbackForLocalAnchors enabled you should get the same error:

    https://aaf1a18515da0e792f78-c27fdabe952dfc357fe25ebf5c8897ee.ssl.cf5.rackcdn.com/2066/blank-slate.style.css?v=1494272379000

    Only workaround I can find at present is to disable Decrypt and Scan.

  • It is entirely possible they are pinning the certificate, which will cause the SSL decryption to fail.  That is what the error sounds like to me.  That being said, it is not failing for me.  I can hit the site, and it is reporting the certificate itself, not the cert for my UTM.  That is with decrypt and scan enabled.

  • Hello,

    did I get this right, we have to re-issue and deploy the UTM root certificate once again to make the fix with the latest UTM version work?

    BR,

    HP

  • Hi Darrelr,

    If you're getting the certificate itself, and not the cert from your UTM, you're not decrypting and scanning that site - do you have 'Decrypt and scan the following categories' enabled?

  • Agreed - but probably not for the same reason you are thinking.  I had it set to decrypt and scan all sites.  I am familiar with HTTPS scanning on the UTM.  Nearly all of the sites I hit delivered the UTM certificate to Chrome.  This one that you posted did not.  I checked the logs, and there were no exceptions set on the site at all.  I am merely pointing out that just because you tell the UTM to decrypt and scan everything, it does not mean that it does.  Pinned certificates can prevent the scanning by the UTM and will typically fail the communication as well because of a certificate mismatch between what it knows it should see and what it does see.

     

    Google ships Chrome with some certs built in, and will always use them.  Whether this symantec cert is or is not included, I don't know.

  • I have updated to 9.5, re-issued, and deployed the UTM root certificate.  Looking at the certificate I am seeing for the SAN is IP Address=127.0.0.1 is this correct?  The old certificate had the same thing.

    Best Regards,

     Jim

  • Jim, that's perfectly normal. What matters is the SAN on the certificates generated by the UTM on specific sites e.g www.google.com. These are the ones that should now be correct.

Reply Children