NET::ERR_CERT_INVALID error on certain websites while others work just fine. No issues connecting to same sites when using Microsoft Edge. Have tried all suggested fixes to no avail and asked Google forum. Attaching log file as requested by a Google Forum member.
Reported by
tzelin....@gmail.com,
Aug 28 2017
Issue description
Chrome Version : <Copy from: 'about:version'>
URLs (if applicable) : https://www.avis.com/en/reservation/make-reservation, https://www.agoda.com/, https://www.budget.com/, https://www.hertz.com/p/car-rental/united-states, https://line.me/en-US/
Other browsers tested: Chrome (errors), Microsoft Edge (no errors)
Add OK or FAIL after other browsers where you have tested this issue:
Safari: PASS/FAIL (Version)
Firefox: PASS/FAIL (Version)
IE: PASS/FAIL (Version)
PASS (Microsoft Edge, Windows 10)
What steps will reproduce the problem?
(1) Trying to access any of the websites listed above using Chrome (I'm sure there are others but these were the ones I tried and couldn't access)
(2)
(3)
What is the expected result?
What happens instead?
Please provide any additional information below. Attach a screenshot if possible. For graphics-related bugs, please copy/paste the contents of the about:gpu page at the end of this report.
Aug 28 2017
The certificate in question is https://crt.sh/?id=149467118&opt=cablint , which shows that the CA generated an invalid & mismatched signature that doesn't conform to the specifications. The proper certificate the server should be sending is https://crt.sh/?id=3667667&opt=cablint (which is the equivalent, correct certificate).

Looking at the AIA URL - http://gn.symcb.com/gn.crt - it's serving the proper certificate, so it's unclear how the invalid certificate was obtained by the server (which is sending it), or why AIA chasing of the leaf isn't finding it.

Matt: I think this issue would be with https://cs.chromium.org/chromium/src/net/cert/cert_verify_proc_win.cc?rcl=3cf2a4d2c576b1ee469247d24f4e1b3a873e1bc2&l=857 failing to verify the cert if one of the chain certs fails to parse, because of https://cs.chromium.org/chromium/src/net/cert/x509_util_win.cc?rcl=3cf2a4d2c576b1ee469247d24f4e1b3a873e1bc2&l=84 causing early failure, rather than the old behaviour in https://chromium.googlesource.com/chromium/src/+/2fe429a914dccf9bc3b8901c8a0d93f445f3a3b6%5E%21/#F10 that would have ignored intermediates that fail to parse.
Aug 28 2017
Actually, I assigned to Matt but it's possible this is related to Issue 690821 , potentially caused by https://cs.chromium.org/chromium/src/net/cert/cert_verify_proc.cc?rcl=180b50c651973bbab37552adb4215fd83f3b437f&l=553 in post-processing.

It's possible that the OS has cached a junk chain; as a workaround, can you try the following steps:

1) Clear your Chrome cache (Per https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DDesktop&hl=en , you only need to clear "Cached images and files" and can safely uncheck the others)
2) Load the "Certificates" MMC Snap-in (see https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in ) for both your current user account and the computer user account, and under "Intermediate Certification Authorities -> Certificates" see if you have a certificate called "GeoTrust SSL CA - G3". If so, right click it, and click "Delete"

Note, only do Step #2 exactly as written ("GeoTrust SSL CA - G3") - and not any other certificates (including those that say "GeoTrust").
Sep 1 2017
The post-processing of signature algorithms done by InspectSignatureAlgorithmsInChain() is quite permissive, and DOES allow mismatched/wrong encodings for sha256WithRSAEncryption [1]. So that should not be to blame here. I confirmed that the test passes on GeoTrust SSL CA - G3 using ToT.

[1] https://cs.chromium.org/chromium/src/net/cert/internal/signature_algorithm.cc?gsn=Create&l=266
https://cs.chromium.org/chromium/src/net/cert/internal/signature_algorithm.cc?rcl=2130d27a1e177d73ce3be233fd7c25865515ff9b&l=694
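The two comments above turn on whether the signature algorithm inside tbsCertificate matches the outer signatureAlgorithm, and how strictly the encodings are compared. As an added illustration (not code from this thread or from Chromium), this minimal DER walker extracts both AlgorithmIdentifiers and compares them; the rule that NULL and absent parameters are equivalent is an assumption standing in for the permissive handling described, and the certificates it runs on are constructed toy DER blobs, not the real certificates from crt.sh.

```python
# Added example, not code from the Chromium thread: a minimal DER walker that checks
# whether tbsCertificate.signature and the outer signatureAlgorithm agree. Treating NULL
# and absent parameters as equivalent is an assumption, not Chromium's exact logic.
def _tlv(data, pos):
    """Return (tag, value_start, value_end) of the DER element at data[pos]."""
    tag, length, hdr = data[pos], data[pos + 1], 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), hdr + n
    return tag, pos + hdr, pos + hdr + length

def _children(data, start, end):                    # yields (tlv_start, tag, value_start, value_end)
    pos = start
    while pos < end:
        tag, s, e = _tlv(data, pos)
        yield pos, tag, s, e
        pos = e

def signature_algorithms(cert_der):
    """Raw DER of (tbsCertificate.signature, Certificate.signatureAlgorithm)."""
    _, c_start, c_end = _tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    (_, _, tbs_s, tbs_e), (o_pos, _, _, o_end) = list(_children(cert_der, c_start, c_end))[:2]
    tbs = list(_children(cert_der, tbs_s, tbs_e))
    i = 1 if tbs[0][1] == 0xA0 else 0               # skip optional EXPLICIT [0] version
    sig_pos, _, _, sig_end = tbs[i + 1]             # tbs[i] = serialNumber, tbs[i+1] = signature
    return cert_der[sig_pos:sig_end], cert_der[o_pos:o_end]

def _normalize(alg_der):                            # AlgorithmIdentifier -> (oid_tlv, params_tlv or None)
    _, s, e = _tlv(alg_der, 0)
    parts = [alg_der[p:ve] for p, _, _, ve in _children(alg_der, s, e)]
    params = parts[1] if len(parts) > 1 else None
    return parts[0], None if params == b"\x05\x00" else params   # NULL folded into absent

def algorithms_consistent(cert_der):
    inner, outer = signature_algorithms(cert_der)
    return _normalize(inner) == _normalize(outer)

def _der(tag, content):                             # short-form lengths only; toy data is < 128 bytes
    return bytes([tag, len(content)]) + content
SHA256_RSA = _der(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSAEncryption OID
SHA1_RSA = _der(0x06, bytes.fromhex("2a864886f70d010105"))     # sha1WithRSAEncryption OID
NULL = b"\x05\x00"

def toy_cert(inner_alg, outer_alg):                 # constructed: [0] v3, serial, sig alg, empty issuer
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + inner_alg + _der(0x30, b"")
    return _der(0x30, _der(0x30, tbs) + outer_alg + _der(0x03, b"\x00\xAB"))

MATCHED = toy_cert(_der(0x30, SHA256_RSA + NULL), _der(0x30, SHA256_RSA + NULL))
ABSENT_PARAMS = toy_cert(_der(0x30, SHA256_RSA), _der(0x30, SHA256_RSA + NULL))   # NULL vs absent
MISMATCHED = toy_cert(_der(0x30, SHA256_RSA + NULL), _der(0x30, SHA1_RSA + NULL))   # inner != outer
```

Because `signature_algorithms` walks real DER (including long-form lengths and the optional version field), it can be pointed at a DER-encoded certificate file to see which of the two AlgorithmIdentifiers a linter such as cablint is objecting to.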
Sep 9 2017
Incidentally, I don't know if this is from the same user (both have last name Liu), but https://productforums.google.com/d/msg/chrome/vXwSJnkOlUM/KQVvmNRfBQAJ is a report of a failure to load Avis and Budget wherein the intermediate shown in the error page is corrupt by one byte.
Sep 14 2017
tzelin... @: Could you try the experiment requested in c#3 and post the results to this bug? We need your input to make progress on this bug.
Sep 25 2017
tzelin... @: We need your feedback to make progress, or we'll have to close the bug. Can you reply to comment #3?
Oct 11 2017
Archiving bug due to lack of response from the bug creator. tzelin.liu@, please create a new bug if you have further updates.
Comment 1 by zhongyi@chromium.org, Aug 28 2017
Components: Internals>Network>Certificate, Internals>Network>SSL
Looking at the NetLogs, it seems we received SSL certificates from the server, but when verifying the cert, it's having issues. There might be mismatched signature algorithms or unknown signature algorithms in the certificate chain.

+rsleevi@: Ryan, thoughts?

NetLog event #19078
--> cert_status = 132 (AUTHORITY_INVALID | INVALID)
--> common_name_fallback_used = false
--> has_md2 = false
--> has_md4 = false
--> has_md5 = false
--> is_issued_by_additional_trust_anchor = false
--> is_issued_by_known_root = true
--> public_key_hashes = ["sha1/HdCTXgIGnES+uqW6vH8+o1dHHF4=","sha256/YW5Bm3XJLiVMrt0gv0zfBy6eb0LS6nHNc4Zfb79qTbA=","sha1//KDE76PP0DQBDcTnMFBv+efp4eg=","sha256/PbNCVpVasMJxps3IqFfLTRKkVnRCLrTlZVc5kspqlkw=","sha1/wHqYaI2J+6sFZAwRfap9ZbjKzE4=","sha256/h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU="]