
Issue 773484


Issue metadata

Status: Duplicate
Merged: issue 504499
Closed: Oct 2017
OS: Windows
Pri: 2
Type: Feature
Team-Security-UX


Developer Tools Security Panel does not explain why SSL cert is invalid

Reported by ronin2...@gmail.com, Oct 10 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. Visit Canon Printer embedded web server
2. Receive ERR_SSL_SERVER_CERT_BAD_FORMAT error
3. Open Dev tools --> Security, Chrome claims that the server certificate is valid, trusted, and secure.

What is the expected behavior?
If there is an issue with the SSL certificate, Chrome should detail what that issue is.

What went wrong?
Chrome's dev tools claim that the certificate is fine, but provide no mechanism for viewing the certificate or determining why the browser flags it as a "bad format".

Did this work before? N/A 

Chrome version: 61.0.3163.100  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 27.0 r0
 
2017-10-10 18_02_23-137.187.104.110.png
Cc: lgar...@chromium.org elawrence@chromium.org
Components: Platform>DevTools>Security
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Needs-Feedback Type-Feature
Status: Untriaged (was: Unconfirmed)
Summary: Developer Tools Security Panel does not explain why SSL cert is invalid (was: Dev tools --> Security does not explain why SSL cert is invalid)
There are multiple issues here.

The first is the ERR_SSL_SERVER_CERT_BAD_FORMAT error. You can attach a Network log (see https://dev.chromium.org/for-testers/providing-network-details) so we can confirm, but this is almost certainly a problem whereby your HTTPS traffic is being intercepted by a buggy interceptor that is generating V1 certificates with V3 extensions. This is a known problem recently fixed by several HTTPS interception packages (e.g. Mobicip) and also happens for some developers' certificates generated with improper OpenSSL directives.

The second problem, not showing the certificate, is caused by the fact that Chrome rejects the certificate, such that the developer tools don't have anything to show.

The third problem, saying positive things about the security of the page even though there's no certificate, is effectively a duplicate of Issue 504499.

Can you please attach the network log?
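
The mismatch described in the comment above (a V1 certificate that carries V3 extensions) can be checked directly on a DER-encoded certificate. This is an added example, not part of the original thread and not Chromium's code; the function names and the skeleton certificates are constructed for illustration, and the rule applied (extensions are only permitted in v3) comes from RFC 5280.

```python
# Added example: flag X.509 certificates whose version field contradicts
# the presence of an extensions block (RFC 5280 allows extensions only in v3).

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def version_vs_extensions(cert_der):
    """Return (version, has_extensions, consistent) for a DER certificate."""
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(children(cert_body)[0][1])   # TBSCertificate fields
    version = 1                                    # DEFAULT v1 when [0] is absent
    if fields and fields[0][0] == 0xA0:            # [0] EXPLICIT version
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
    has_ext = any(t == 0xA3 for t, _ in fields)    # [3] EXPLICIT extensions
    return version, has_ext, (version == 3 or not has_ext)

# Constructed skeletons (placeholder fields, not real certificates).
def tlv(tag, value):
    assert len(value) < 0x80                       # short-form length only
    return bytes([tag, len(value)]) + value

def skeleton(version_field, with_extensions):
    empty = tlv(0x30, b"")                         # placeholder SEQUENCE
    tbs = version_field + tlv(0x02, b"\x01") + empty * 5
    if with_extensions:
        tbs += tlv(0xA3, empty)
    return tlv(0x30, tlv(0x30, tbs) + empty + tlv(0x03, b"\x00"))

V1_WITH_EXT = skeleton(b"", True)                              # the faulty shape
V3_WITH_EXT = skeleton(tlv(0xA0, tlv(0x02, b"\x02")), True)    # well-formed

if __name__ == "__main__":
    for name, der in (("v1+ext", V1_WITH_EXT), ("v3+ext", V3_WITH_EXT)):
        print(name, version_vs_extensions(der))
```

For a certificate saved in PEM form, convert it with `ssl.PEM_cert_to_DER_cert` before passing it to `version_vs_extensions`.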

Comment 2 by alph@chromium.org, Oct 16 2017

Cc: -lgar...@chromium.org
Owner: lgar...@chromium.org
Lucas, can you please take care of it.

Comment 3 by alph@chromium.org, Oct 16 2017

Status: Assigned (was: Untriaged)
Mergedinto: 504499
Status: Duplicate (was: Assigned)
