
Issue 706398

Starred by 5 users

Issue metadata

Status: Duplicate
Merged: issue 700595
Owner: ----
Closed: Mar 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug




Securly's HTTPS MITM generates certificates lacking SubjectAltNames, blocked by Chrome 58+

Reported by bgib...@htps.us, Mar 29 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36

Steps to reproduce the problem:
1. Use a web filtering solution that MiTMs the SSL cert (in this case Securly)
2. Use Chrome 56, 57 successfully
3. Install version 58 of Chrome (Beta)
4. Visit SSL Site (gmail and yahoo shown in sample video)

What is the expected behavior?
Installed trusted root certificate produces no error when used for MiTM SSL inspection.

What went wrong?
Chrome is reporting connection as not private

Did this work before? Yes 57

Chrome version: 58.0.3029.33 beta (64-bit)  Channel: beta
OS Version: Win 10 1607 Build 14393.693
Flash Version:
 
Components: Internals>Network>Certificate
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: Securly's Wildcard SSL Cert Not Trusted (was: Wildcard SSL Cert Not Trusted)
The most likely explanation is that this is a bug in the certificate generation logic in Securly, such that they're not setting the SubjectAltName field properly. (For instance, they fail to set it in their self-signed root)

See issue 308330 and https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-matching/

Which version of Securly do you have installed? Have you installed all updates to the application?
To confirm that this is the problem, on the HTTPS blocking page, please click the text "NET::ERR_CERT_COMMON_NAME_INVALID". Copy all of the text that appears into a reply comment of this bug.

Thanks!

I sent Securly a tweet and filed a support request at https://support.securly.com/hc/en-us/requests/new. 

Comment 5 by bgib...@htps.us, Mar 29 2017

Subject: mail.google.com
Issuer: *.securly.com
Expires on: Jan 30, 2020
Current date: Mar 29, 2017
PEM encoded chain:
Mergedinto: 700595
Status: Duplicate (was: Unconfirmed)
Summary: Securly's HTTPS MITM generates certificates lacking SubjectAltNames, blocked by Chrome 58+ (was: Securly's Wildcard SSL Cert Not Trusted )
Thanks, bgibson! Yes, this is a problem in the certificates that Securly is generating. Your best bet is to update to whatever their latest version is, and if the problem still exists, reach out to their support (as they probably are more interested in bugs from paying customers than from me).
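
Added example (not part of the issue thread and not Chrome's or Securly's code): a minimal model of the name check discussed above, showing why a leaf certificate that only names the host in Subject CN passed under the legacy fallback but is rejected once only SubjectAltName is consulted. Assumptions: certificates are dicts in the layout returned by Python's `ssl.SSLSocket.getpeercert()`, the sample certificates are constructed, and wildcard handling is simplified.

```python
"""Added example: SAN-only hostname matching (Chrome 58+) vs. legacy CN fallback."""

def name_matches(pattern, host):
    """Compare one DNS name pattern to a host, label by label.
    Simplification (assumption): '*' is honoured only as the entire leftmost
    label and must be followed by at least two more labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_dns_names(cert):
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def verify_name(cert, host, allow_cn_fallback=False):
    """Return (ok, reason). allow_cn_fallback=True models the pre-58 behaviour
    of using Subject CN when the certificate carries no dNSName SAN."""
    sans = san_dns_names(cert)
    if any(name_matches(n, host) for n in sans):
        return True, "matched subjectAltName"
    if sans:
        return False, "subjectAltName present, no entry matches"
    if allow_cn_fallback and any(name_matches(n, host) for n in common_names(cert)):
        return True, "matched Subject CN (legacy fallback)"
    return False, "no subjectAltName dNSName"

# Constructed sample leaf certificates (not taken from the report).
CN_ONLY = {"subject": ((("commonName", "mail.google.com"),),)}
WITH_SAN = {
    "subject": ((("commonName", "mail.google.com"),),),
    "subjectAltName": (("DNS", "mail.google.com"), ("DNS", "*.google.com")),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("CN + SAN", WITH_SAN)):
        for legacy in (True, False):
            ok, why = verify_name(cert, "mail.google.com", allow_cn_fallback=legacy)
            mode = "legacy" if legacy else "SAN-only"
            print(f"{label:9} {mode:9} -> {'OK' if ok else 'REJECT'} ({why})")
```

An administrator can run the same check over the certificates an inspection proxy mints to find hosts that will surface NET::ERR_CERT_COMMON_NAME_INVALID before a browser update ships.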

Comment 7 by bgib...@htps.us, Mar 29 2017

Thank you too @elawre!
I have updated the Securly support team.
Securly reports: "this is on the dev teams radar and they will be addressing it soon."
Securly reports: "This has been fixed."
I have been trying to read on Wattpad but it has been blocked. Is there any way to unblock it without talking to my administrator?

Re #10: You haven't provided enough information to answer the question, but my guess is that you're saying that your school uses Securly and they've configured Securly to block "Wattpad". If that's the case, the Chrome team cannot help, and yes, it's probably the case that you will need to talk to the administrator (or use a different device where Securly isn't blocking traffic).
