Self-signed SSL certificates trusted in OS X Keychain Access no longer trusted in Chrome
Reported by geoffrey...@gmail.com, Mar 22 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3048.0 Safari/537.36

Steps to reproduce the problem: (Mac only)
1. Download the attached file, localhost.pem, which is a self-signed SSL certificate for https://localhost.
2. Double-click the file to open it in Keychain Access.
3. You should see a dialog box asking “Do you want to add the certificate(s) from the file “localhost.pem” to a keychain?” Set the keychain to System and click Add.
4. In the Keychain Access main window, in the left sidebar under Keychains choose System. You should see “localhost” in the list. Double-click it to open it.
5. Under Trust, next to “When using this certificate:” choose “Always Trust”.
6. Start a localhost HTTPS webserver on port 443 using this certificate. There are many ways to do this, but one way you can test is via https://github.com/indexzero/http-server:
   6a. Install Node.js if you don’t have it already.
   6b. npm install http-server -g
   6c. Save the attached files (localhost.pem, localhost.key and index.html) into a folder.
   6d. Change into that folder and run: sudo http-server -p 443 --ssl --cert localhost.pem --key localhost.key
7. Go to https://localhost in Chrome Canary (59.0.3048.0). The certificate is untrusted and “Not Secure” appears in red to the left of the address bar. Go to https://localhost in regular Chrome (57.0.2987.110). The certificate is trusted and “Secure” appears in green to the left of the address bar.

What is the expected behavior?
The certificate is trusted and “Secure” appears in green to the left of the address bar.

What went wrong?
Sometime in a Canary release in the last month, Chrome Canary stopped honoring SSL certificates explicitly trusted via OS X Keychain Access.

Did this work before? Yes, 57.0.2987.110 and probably later
Does this work in other browsers? Yes

Chrome version: 59.0.3048.0
Channel: canary
OS Version: OS X 10.11.6
Flash Version:
Mar 23 2017
Unable to test this issue on Mac 10.12.3: to install Node.js, it requires prerequisite software from the Apple store, to which we don't have valid credentials. Adding "TE-NeedsTriageFromMTV" for further triage.
Mar 23 2017
The certificate uses a SHA-1 signature and has no subjectAltName extension. See issue 700595 and https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html.
Mar 28 2017
I managed to solve this via:

openssl req -config openssl.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout localhost.key -days 3650 -out localhost.pem -subj "/C=OZ/ST=Land of Oz/L=Emerald City/O=No Place Like Localhost/OU=Localhost/CN=Localhost"

using the attached openssl.conf file. Once the above command generates localhost.key and localhost.pem (or you can just use the attached ones instead of generating your own), follow the instructions to trust it in Keychain Access:
1. Double-click the file to open it in Keychain Access.
2. You should see a dialog box asking “Do you want to add the certificate(s) from the file “localhost.pem” to a keychain?” Set the keychain to System and click Add.
3. In the Keychain Access main window, in the left sidebar under Keychains choose System. You should see “localhost” in the list. Double-click it to open it.
4. Under Trust, next to “When using this certificate:” choose “Always Trust”.

Then if you run

sudo http-server -p 443 --ssl --cert localhost.pem --key localhost.key

Chrome 59.0.3054.0 says “Secure”.
Apr 1 2017
@Comment #6: Could you explain how to modify your instructions if we are using an intranet site as the server with a self-signed cert? Our server has a DNS that is resolvable but not reachable from the public internet. The server configuration requires a .key and a .crt file to serve https (MAMP Pro). Also, trying to import a .pem file per your instructions as a Certificate Authority under ChromeOS will error saying "Not a Certificate Authority".

This used to work to generate the MAMP cert/request/key used to configure MAMP and import into ChromeOS before m58:
1) openssl genrsa -out devcom.key 4096
2) openssl req -out devcom.csr -key devcom.key -new -sha256
3) openssl req -x509 -sha256 -nodes -days 1826 -newkey rsa:2048 -keyout devcom.key -out devcom.crt

However, I've been trying something like this (modified instructions) to no avail:
1) openssl genrsa -out dev.key 4096
2) openssl req -config openssl.conf -subj "/C=ZO/ST=Zero/L=Villeville/O=devcom/OU=devcom/CN=devcom" -out devcom.csr -key devcom.key -new -sha256
3) openssl req -config openssl.conf -subj "/C=ZO/ST=Zero/L=Villeville/O=devcom/OU=devcom/CN=devcom" -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout devcom.req.key -out devcom.cert.pem

I don't see how to tell ChromeOS that the certs I'm generating are from a valid CA.
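The fix in comment 6 relies on an attached openssl.conf that is not shown on this page, and the follow-up asks how to adapt it to an intranet host name. The script below is an added example, not code from the bug report or from the reporters: it writes an assumed equivalent of that config inline so the certificate gets a subjectAltName for whatever host name is passed plus a SHA-256 signature (the two properties comment 4 says are missing), and it checks both properties before you go through the Keychain Access steps. The function names make_cert and check_cert and the host devcom.example are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread): generate a self-signed certificate
# that passes the two checks named in comment 4 (SHA-256 signature and a
# subjectAltName) and verify both properties before trusting it in Keychain.
set -eu

# make_cert PREFIX HOST [EXTRA_SAN ...]: writes PREFIX.key and PREFIX.pem.
# HOST is the name the site is reached by (localhost or an intranet DNS name).
# The openssl.conf attached to comment 6 is not shown on the page, so an
# assumed equivalent is written inline here.
make_cert() {
  prefix="$1"; host="$2"; shift 2
  san="DNS:${host}"
  for extra in "$@"; do san="${san},${extra}"; done
  cat > "${prefix}.openssl.conf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = ${host}
O = Local development
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = ${san}
EOF
  openssl req -config "${prefix}.openssl.conf" -new -x509 -sha256 \
    -newkey rsa:2048 -nodes -days 3650 \
    -keyout "${prefix}.key" -out "${prefix}.pem" 2>/dev/null
}

# check_cert FILE HOST: prints 0 if FILE is SHA-256 signed and lists HOST in
# its subjectAltName, otherwise 1. A certificate that fails here shows
# "Not Secure" in Chrome 58+ no matter how it is trusted in the keychain.
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || { echo 1; return 0; }
  echo "$text" | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$2(,|$)" || { echo 1; return 0; }
  echo 0
}

# Usage: sh mkcert.sh ./localhost localhost IP:127.0.0.1
if [ "$#" -ge 2 ]; then
  make_cert "$@"
  echo "$2 -> $(check_cert "$1.pem" "$2")"
fi
```

The generated file is a leaf certificate (CA:FALSE), which is why importing it under the ChromeOS "Authorities" tab is refused; import it as a server certificate, or keep it only in the macOS keychain as in comment 6.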
Apr 1 2017
Attached screenshot:
Comment 1 by ajha@chromium.org, Mar 23 2017