Chrome Version: 59.0.3046.0
In Issue 308330, we deprecated SubjectCN matching in certificate analysis, but the Developer Tools' Security Panel makes no note of this.
We should show a warning if the certificate lacks SubjectAltNames.
Did this in https://codereview.chromium.org/2761333002/
Given that the strings aren't translatable, is it something we may want to consider for a merge? I leave that to y'all to determine once it lands.
This bug requires manual review: There are .grd file changes and we are only 33 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Tested the issue on Windows 7, Ubuntu 14.04 and Mac 10.12.3 using Chrome version 58.0.3029.41 with the steps below:
1. Opened the non-secure URL https://pinningtest.appspot.com/
2. Opened Security in DevTools
3. Did not see the warning message as in screenshot #7.
rsleevi@ Could you please see the attached screenshot and confirm the expected behaviour.
Note: The URL "https://textslashplain.com/" mentioned in the screenshot opened as a secure webpage, hence another URL was used for testing.
Thanks,
Testing this change requires a site to use a certificate with a specific problem (no SubjectAltNames); the pinningtest certificate does not have that problem.
Because public certificate authorities will not issue certificates with this problem, there's not a good public test page for this as far as I know. I do my testing by running sites through the Fiddler proxy with the legacy MakeCert generator enabled (makecert's certificates do not have SubjectAltNames). An alternative would be to stand up a local test server with a self-signed (but manually trusted) certificate that has this problem.
I've verified this fix in M59 (looks great!) but haven't looked at it in M58.
Comment 1 by elawrence@chromium.org, Mar 21 2017
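The local test setup described in the thread (a self-signed certificate that carries a Subject CN but no SubjectAltNames) can be produced with openssl. The script below is an added example, not code from this issue or from the Chromium project; the hostnames nosan.test and san.test are made up, and it assumes the openssl command-line tool is installed. It generates the CN-only certificate next to a normal SAN-bearing one and checks each for the extension, printing a warning line for the certificate that lacks it.

```shell
#!/bin/sh
# Added example (not from the Chromium issue or project): build a self-signed
# certificate with a Subject CN but NO subjectAltName, which is the case the
# Security Panel warning targets, plus a normal SAN-bearing one, and check each
# for the extension. Hostnames nosan.test / san.test are assumed; requires openssl.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

CFG="$WORK/req.cnf"
NOSAN_CERT="$WORK/nosan.pem"
SAN_CERT="$WORK/san.pem"

# Minimal req config: an empty DN section (the subject comes from -subj) plus
# two extension sections, one with a SAN and one deliberately without.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_nosan]
basicConstraints = CA:FALSE
[v3_san]
basicConstraints = CA:FALSE
subjectAltName = DNS:san.test
EOF

# make_cert <cert-out> <extensions-section> <common-name>
# Self-signed, 1-day validity, key written next to the certificate.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=$3" -config "$CFG" -extensions "$2" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

# has_san <cert>: exit status 0 if the certificate carries a subjectAltName
# extension, 1 if it does not (only the Subject CN would be available for
# hostname matching, which is the deprecated case).
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# subject_cn <cert>: print just the CN from the subject (handles both the
# "CN = x" and "/CN=x" output styles of different openssl versions).
subject_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# report <cert>: one line per certificate, WARNING when the SAN is missing.
report() {
  if has_san "$1"; then
    echo "OK      CN=$(subject_cn "$1"): certificate has subjectAltName"
  else
    echo "WARNING CN=$(subject_cn "$1"): certificate lacks subjectAltName (CN-only matching is deprecated)"
  fi
}

make_cert "$NOSAN_CERT" v3_nosan nosan.test
make_cert "$SAN_CERT"   v3_san   san.test

report "$NOSAN_CERT"
report "$SAN_CERT"
```

To reproduce the panel warning in the browser, serve the CN-only certificate and its key from a local HTTPS server for the made-up hostname, add the certificate to the OS trust store manually, and open the site in Chrome; the SAN-bearing certificate serves as the control that should show no warning.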