Got similar report in forum https://productforums.google.com/forum/#!topic/chrome-admins/ky2oARBji0w;context-place=forum/chrome-admins

Chrome version : Chrome Version 61.0.3163.91
Internet Explorer works fine, only chrome throws this error "ERR_SSL_SERVER_CERT_BAD_FORMAT"
clearing (Hosted app data, Content licenses) by visiting (chrome://settings/clearBrowserData) didn't help.

Also got feedback from user saying.

No Proxy set on machine and they turned off Real-time Protection and added Chrome.exe to excluded processes within Microsoft security essentials.

I think this isn't a regression I see similar behavior on M60(60.0.3112.113) and M61(61.0.3163.91) as well on Windows, Mac and Linux.

mattm@ can you please give us some insights.

pbommana: Are you saying you can reproduce a ERR_SSL_SERVER_CERT_BAD_FORMAT when loading google.com?

In any case, this is almost certainly caused by something intercepting the connection, either something local like antivirus or malware, or something upstream like a corporate interception device.

To debug, we'd need a netlog capturing the problem, as described here: https://sites.google.com/a/chromium.org/dev/for-testers/providing-network-details

Sorry my bad, This wasn't seen on Google.com but this was the test url which I have used "http://testssl.asipsante.fr" and below are the steps :


1. Visti http://testssl.asipsante.fr 
2. click on the https link "https://testssl.asipsante.fr" 

Observed behavior :
This site can’t provide a secure connection
testssl.asipsante.fr didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT


Note : Safari I see the certificate popup.

1. ERR_BAD_SSL_CLIENT_AUTH_CERT and ERR_SSL_SERVER_CERT_BAD_FORMAT are different, unrelated, errors.
2. Even if it was the same error, just finding some other site on the internet that also has a bad cert error wouldn't really help debug this issue.

(Just getting a ERR_BAD_SSL_CLIENT_AUTH_CERT error isn't itself a problem, but you could file a separate bug about the behavior differing from safari if you want someone to investigate that)

On Windows, this can happen if the platform CryptoAPI is broken in some way.

int SSLClientSocketImpl::DoVerifyCert(int result) {
  server_cert_ = x509_util::CreateX509CertificateFromBuffers(
      SSL_get0_peer_certificates(ssl_.get()));

  // OpenSSL decoded the certificate, but the platform certificate
  // implementation could not. This is treated as a fatal SSL-level protocol
  // error rather than a certificate error. See  https://crbug.com/91341 .
  if (!server_cert_)
    return ERR_SSL_SERVER_CERT_BAD_FORMAT;

A user with this error for a Google property on a recent build provided the attached capture.

Deleted: chrome-net-export-log.json 62.2 KB

chrome-net-export-log.json 62.2 KB View Download

The cert from the log in #9 is indeed some sort of MITM cert, and it is invalid. (It is a version 1 certificate but contains extensions. Only version 3 certificates can contain extensions.)

Deleted: 767072.pem 3.8 KB

767072.pem 3.8 KB Download

Oh, and that comment is a bit misleading now. With use_byte_certs, creating an X509Certificate object doesn't actually touch the platform certificate implementation anymore. I guess I should update that comment.

Closing since we never got a netlog from the original reporter. (If you're still seeing this issue, feel free to file a new bug including a netlog as described in https://sites.google.com/a/chromium.org/dev/for-testers/providing-network-details).