Untrusted Issuer with Trusted CA
Reported by
gbeev...@gmail.com,
Jul 3 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Example URL:

Steps to reproduce the problem: More work than it is worth to do from scratch, however can email to a dev a certificate for an IP address in the IETF Private Range valid for 2 weeks that they can test against.

What is the expected behavior? Certificate should be trusted.

What went wrong? I have a custom Certificate Authority set up to issue certificates for devices running my software. The devices are issued certificates and users can install our CA so that they don't get errors for our certs (FWIW Issuance Policy here https://eleboards.freshdesk.com/support/solutions/articles/5000010659-eleboards-certification-policy). On Mac OS this now breaks in Chrome but still works in Safari. The CA is trusted on the Mac in Login. This works fine in Linux and Windows; it is just a problem with Mac OS in Sierra. It has worked in the past.

Does it occur on multiple sites: N/A
Is it a problem with a plugin? No
Did this work before? Yes
Does this work in other browsers? Yes
Chrome version: 59.0.3071.115 Channel: stable
OS Version: OS X 10.12.5
Flash Version:
,
Jul 5 2017
,
Jul 5 2017
Also please attach a net-internals log per these instructions. Thanks! https://dev.chromium.org/for-testers/providing-network-details
,
Jul 5 2017
Thanks for the replies. See attached for the net-internals. Also, that cert does not have a subject alt name set. Will need to update my code to generate one for that cert. However, there is a certificate that is already generated for an older version of Safari that has a subject alt name of 192.168.1.43 and IP:192.168.1.43 in it that fixes the subject alt name error but shows the same message, "this certificate signed by an untrusted issuer", and shows in web inspector "ERR_CERT_COMMON_NAME_INVALID" as it did with the previous cert (also doing this on Windows).
,
Jul 5 2017
Thank you for providing more feedback. Adding requester "rsesek@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 6 2017
It appears your certificate was not appropriately generated. Could you explain how you generated it?

In particular, the certificate you have has a DNS name of "192.168.1.43" (which Safari incorrectly accepts - a known security issue - https://nameconstraints.bettertls.com/#!view?results=safari_602_osx10 ), and another DNS name of "IP:192.168.1.43" (which is improperly formed, and likely an OpenSSL configuration error).

Understanding how you're generating the certificate will appropriately help determine how best to correctly generate a certificate that will work :)

For other triagers: This is not a bug in Chrome. It is correctly rejecting the bad certificate.
,
Jul 6 2017
Thanks, have got it working now by using IP.1 rather than DNS.1. Thanks for the help.
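Added example, not part of the original thread and not the reporter's or Chrome's code: a small linter for an OpenSSL `[alt_names]` section that flags IP addresses placed under `DNS.n` (including a pasted `IP:` prefix) and rewrites them as `IP.n`, plus a simplified model of the rule that an IP-literal host is matched only against iPAddress entries. The `BROKEN` section is constructed from the two names quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the reporter's real OpenSSL config is not on the page.
BROKEN = """\
[alt_names]
DNS.1 = 192.168.1.43
DNS.2 = IP:192.168.1.43
"""

ENTRY = re.compile(r"^\s*(DNS|IP)\.(\d+)\s*=\s*(.*?)\s*$", re.I)

def as_ip(text):
    """Return the parsed address if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def lint_alt_names(section):
    """Return (findings, fixed_section); IP literals move from DNS.n to IP.n."""
    lines = section.splitlines()
    used = [int(m.group(2)) for m in map(ENTRY.match, lines)
            if m and m.group(1).upper() == "IP"]
    next_ip, seen, findings, fixed = max(used, default=0) + 1, set(), [], []
    for line in lines:
        m = ENTRY.match(line)
        ip = None
        if m and m.group(1).upper() == "DNS":
            # Strip a stray "IP:" prefix before testing for an address.
            ip = as_ip(re.sub(r"^IP:\s*", "", m.group(3), flags=re.I))
        if ip is None:
            fixed.append(line)          # hostnames, IP.n entries, headers
            continue
        findings.append(f"DNS.{m.group(2)} = {m.group(3)}: IP address encoded as dNSName")
        if ip not in seen:              # both broken entries name one host
            seen.add(ip)
            fixed.append(f"IP.{next_ip} = {ip}")
            next_ip += 1
    return findings, "\n".join(fixed) + "\n"

def ip_host_matches(host, section):
    """Simplified model: an IP host matches IP.n entries only, never DNS.n."""
    target = as_ip(host)
    return target is not None and any(
        m and m.group(1).upper() == "IP" and as_ip(m.group(3)) == target
        for m in map(ENTRY.match, section.splitlines()))

if __name__ == "__main__":
    findings, fixed = lint_alt_names(BROKEN)
    print("\n".join(findings), fixed, sep="\n")
```
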
,
Jul 6 2017
Thank you for providing more feedback. Adding requester "rsleevi@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 6 2017
Comment 1 by rsesek@chromium.org
, Jul 5 2017