Certificate Error page for Name Mismatch should not show SubjectCN
Issue description

Chrome Version: 59.0.3046

What steps will reproduce the problem?
(1) Visit a site with a certificate containing only a CN and not a SubjectAltName

Expected: Meaningful error message
Actual: "This server could not prove that it is foo.example.com; its security certificate is from foo.example.com."

Problem: We deprecated SubjectCN in Issue 308330, but this error message needs an update.
https://cs.chromium.org/chromium/src/components/ssl_errors/error_info.cc?type=cs&q=IDS_CERT_ERROR_COMMON_NAME_INVALID_DETAILS&l=35

With regard to ErrorInfo::CreateError, my proposal would be to exclude the SubjectCN from the list of names (either by dropping it from GetDNSNames entirely, or by changing that function to have a flag that prevents fallback). We could keep the existing SubjectCN matching within the CreateError function itself (under the theory that if a cert has both a SubjectCN and a matching SubjectAltName, that is the "primary" DNSName for the certificate). If you agree that makes sense, I can fork a bug.
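The report above describes two separate code paths: hostname validation, which stopped consulting the Subject CN in Issue 308330, and the interstitial/error-recovery code, which still fell back to the CN when a certificate carried no SubjectAltName, so the error page named the very host it had just refused to trust. The model below is an added example written for this page, not Chromium's code; the Cert type, the cn_fallback flag, the message wording and the www-redirect heuristic are modeled stand-ins for the GetDNSNames/CreateError behaviour the description discusses, and every certificate in it is constructed inline.

```python
"""Model of the two Chrome code paths this bug is about: hostname
validation (which ignores the Subject CN since Issue 308330) and the
error-page / error-recovery logic (which still fell back to the CN until
this fix). Illustrative code written for this page, not Chromium's own;
the type, function names and strings are modeled, not Chrome's."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Constructed stand-in for a parsed leaf certificate: only the two
    name fields that hostname matching looks at."""
    subject_cn: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def get_dns_names(cert: Cert, cn_fallback: bool) -> List[str]:
    """The GetDNSNames behaviour described in the bug. With cn_fallback=True
    (pre-fix error page) a SAN-less cert yields [subject CN]; with
    cn_fallback=False (the validator, and the post-fix error page) it
    yields only SAN dNSNames, so a CN-only cert yields []."""
    if cert.san_dns_names:
        return list(cert.san_dns_names)
    if cn_fallback and cert.subject_cn:
        return [cert.subject_cn]
    return []


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    and a wildcard is honoured only as the entire leftmost label, matching
    exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # At least two labels must follow the wildcard, so "*.com" never matches.
    return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def validates_host(cert: Cert, host: str) -> bool:
    """Hostname validation as of M58: SAN dNSNames only, never the CN."""
    return any(name_matches(n, host)
               for n in get_dns_names(cert, cn_fallback=False))


def mismatch_details(cert: Cert, host: str, cn_fallback: bool) -> str:
    """Detail sentence for the name-mismatch interstitial (modeled wording).
    With cn_fallback=True a CN-only cert for `host` produces the misleading
    'is from <host>' text quoted in the bug report."""
    names = get_dns_names(cert, cn_fallback)
    if not names:
        return (f"This server could not prove that it is {host}; its security "
                "certificate does not specify Subject Alternative Names.")
    # The first entry plays the role of the certificate's "primary" DNS name.
    return (f"This server could not prove that it is {host}; its security "
            f"certificate is from {names[0]}.")


def www_redirect_suggestion(cert: Cert, host: str,
                            cn_fallback: bool) -> Optional[str]:
    """Modeled error-recovery heuristic: if the certificate appears valid for
    the host with 'www.' added or removed, suggest navigating there. With
    cn_fallback=True this is the 'doomed' recovery from the commit message:
    the suggested host fails validation too, since the validator ignores CN."""
    candidate = host[4:] if host.startswith("www.") else "www." + host
    if any(name_matches(n, candidate) for n in get_dns_names(cert, cn_fallback)):
        return candidate
    return None


if __name__ == "__main__":
    cn_only = Cert(subject_cn="foo.example.com")  # constructed: CN, no SAN
    print(validates_host(cn_only, "foo.example.com"))
    print(mismatch_details(cn_only, "foo.example.com", cn_fallback=True))
    print(mismatch_details(cn_only, "foo.example.com", cn_fallback=False))
```

Running the block shows the pre-fix contradiction (validation fails, yet the page says the certificate "is from foo.example.com") next to the post-fix text, which tells the operator what is actually missing. The same flag drives www_redirect_suggestion, which is why the fix had to touch error_classification as well as error_info: with CN fallback, a CN-only certificate for www.example.com would send a visitor to example.com on to www.example.com, where validation fails again.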
Mar 22 2017
sleevi@, did you want me to take a crack at this one?
Mar 22 2017
Yes, by all means :)
Mar 27 2017
Apr 5 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c7484f52b8ceb68e4334cad505e894aeef6cba83

commit c7484f52b8ceb68e4334cad505e894aeef6cba83
Author: elawrence <elawrence@chromium.org>
Date: Wed Apr 05 21:46:42 2017

Update SSL error handling code to account for Subject CN deprecation

In Issue 308330, Chrome deprecated the use of the Subject CN field in certificate hostname validation. However, the certificate error interstitial and error classification logic were left unchanged, leading to misleading error messages and doomed error recovery attempts in the event that a certificate lacked SubjectAltNames.

In this change, Chrome's Certificate Error interstitial and error recovery will no longer fall back to the certificate's Subject CN field when evaluating the certificate's valid DNS names.

BUG=703614
Review-Url: https://codereview.chromium.org/2777383002
Cr-Commit-Position: refs/heads/master@{#462230}

[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/chrome/browser/ssl/ssl_error_handler.cc
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/chrome/browser/ssl/ssl_error_handler.h
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/chrome/browser/ssl/ssl_error_handler_unittest.cc
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/components/ssl_errors/error_classification.cc
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/components/ssl_errors/error_classification.h
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/components/ssl_errors/error_classification_unittest.cc
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/components/ssl_errors/error_info.cc
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/net/BUILD.gn
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/net/cert/x509_certificate.h
[add] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/net/data/ssl/certificates/subjectAltName_www_example_com.pem
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/net/data/ssl/scripts/ee.cnf
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/net/data/ssl/scripts/generate-test-certs.sh
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/net/test/test_certificate_data.h
[modify] https://crrev.com/c7484f52b8ceb68e4334cad505e894aeef6cba83/tools/metrics/histograms/histograms.xml
Apr 6 2017
commit c7484f52b8ceb68e4334cad505e894aeef6cba83 was: initially in 59.0.3064.0
Apr 6 2017
It may be too late for M-58, but adding label to allow the triage team to weigh in.
Apr 6 2017
The SAN cert requirement deploys in M58! This would be very important to get merged into M58.
Apr 6 2017
M58 Stable is approaching soon! Please confirm whether the fix is verified in canary. If yes, request a merge to M58. Also add applicable OS too.
Apr 6 2017
Yes, I've verified this in Canary; do I need to do more than add the "Merge-Request-58" label to request a merge?
Apr 6 2017
Apr 6 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 6 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30

commit 5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30
Author: Eric Lawrence <elawrence@chromium.org>
Date: Thu Apr 06 20:12:16 2017

Update SSL error handling code to account for Subject CN deprecation

In Issue 308330, Chrome deprecated the use of the Subject CN field in certificate hostname validation. However, the certificate error interstitial and error classification logic were left unchanged, leading to misleading error messages and doomed error recovery attempts in the event that a certificate lacked SubjectAltNames.

In this change, Chrome's Certificate Error interstitial and error recovery will no longer fall back to the certificate's Subject CN field when evaluating the certificate's valid DNS names.

BUG=703614
Review-Url: https://codereview.chromium.org/2777383002
Cr-Commit-Position: refs/heads/master@{#462230}
(cherry picked from commit c7484f52b8ceb68e4334cad505e894aeef6cba83)
Review-Url: https://codereview.chromium.org/2804883005 .
Cr-Commit-Position: refs/branch-heads/3029@{#612}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/chrome/browser/ssl/ssl_error_handler.cc
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/chrome/browser/ssl/ssl_error_handler.h
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/chrome/browser/ssl/ssl_error_handler_unittest.cc
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/components/ssl_errors/error_classification.cc
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/components/ssl_errors/error_classification.h
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/components/ssl_errors/error_classification_unittest.cc
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/components/ssl_errors/error_info.cc
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/net/BUILD.gn
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/net/cert/x509_certificate.h
[add] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/net/data/ssl/certificates/subjectAltName_www_example_com.pem
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/net/data/ssl/scripts/ee.cnf
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/net/data/ssl/scripts/generate-test-certs.sh
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/net/test/test_certificate_data.h
[modify] https://crrev.com/5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30/tools/metrics/histograms/histograms.xml
Comment 1 by elawrence@chromium.org, Mar 21 2017