ERR_CERT_VALIDITY_TOO_LONG with wildcard certificate since Chrome 66
Reported by
san...@goudswaard.nl,
Apr 20 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36
Example URL:
An internal URL listed in the certificate
Steps to reproduce the problem:
1. Connect to (internal) server with an external wildcard certificate
2. Observe error message
What is the expected behavior?
Connect to the server without warning, like in Chrome 65
What went wrong?
t=83706 [st=45] +CERT_VERIFIER_REQUEST [dt=7]
t=83706 [st=45] CERT_VERIFIER_REQUEST_BOUND_TO_JOB
--> source_dependency = 3189 (CERT_VERIFIER_JOB)
t=83713 [st=52] -CERT_VERIFIER_REQUEST
t=83713 [st=52] -SSL_CONNECT
--> net_error = -213 (ERR_CERT_VALIDITY_TOO_LONG)
Did this work before? Yes 65
Chrome version: 66.0.3359.117 Channel: stable
OS Version: 10.0
Flash Version:
- Certificate is valid from March 2018 to March 2021
- No SHA-1 certificate in use
Apr 20 2018
Thanks for filing this report. In this case, the CA has violated the Baseline Requirements, as updated by CA/Browser Forum Ballot 193. The maximum validity period for certificates issued on or after 1 March 2018 is 825 days. This certificate was issued 'exactly' on 1 March 2018 00:00:00 UTC, and it appears this CA issued for three years, rather than the 825 days required. You can see and participate in the discussion at https://groups.google.com/d/msg/mozilla.dev.security.policy/-o2iN4GQbGY/KmErqpFDCAAJ , which also has the CA participating. Chrome's policy is that certificates issued on or after 1 March 2018, as judged by the notBefore period, will not be accepted if they are greater than 825 days. The CA can replace the certificate for you with one that conforms to these requirements.
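A check for the rule stated in the comment above, as an added example that is not part of the original issue and is not Chrome's own code: it takes the `notBefore`/`notAfter` strings in the format returned by Python's `ssl.SSLSocket.getpeercert()` and flags certificates whose `notBefore` is on or after 1 March 2018 and whose validity exceeds 825 days. The names `check_validity` and `SAMPLES` are hypothetical, the sample certificates are constructed, and validity is assumed to be the plain difference `notAfter - notBefore`.

```python
import ssl
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Figures taken from the comment above.
POLICY_START = datetime(2018, 3, 1, tzinfo=timezone.utc)  # judged by notBefore
MAX_VALIDITY = timedelta(days=825)

Result = namedtuple("Result", "in_scope validity too_long")


def _parse(cert_time):
    """Parse the 'Mar  1 00:00:00 2018 GMT' strings used by getpeercert()."""
    seconds = ssl.cert_time_to_seconds(cert_time)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def check_validity(cert):
    """Apply the 825-day rule to a dict shaped like SSLSocket.getpeercert()."""
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    # Assumption: validity is the plain difference, counted in 86400-second days.
    validity = not_after - not_before
    in_scope = not_before >= POLICY_START
    return Result(in_scope, validity, in_scope and validity > MAX_VALIDITY)


# Constructed samples (not the reporter's certificate).
SAMPLES = {
    "three_years": {"notBefore": "Mar  1 00:00:00 2018 GMT",
                    "notAfter": "Mar  1 00:00:00 2021 GMT"},
    "issued_before_cutoff": {"notBefore": "Feb 28 23:59:59 2018 GMT",
                             "notAfter": "Feb 28 23:59:59 2021 GMT"},
    "exactly_825_days": {"notBefore": "Mar  1 00:00:00 2018 GMT",
                         "notAfter": "Jun  3 00:00:00 2020 GMT"},
    "one_day_over": {"notBefore": "Mar  1 00:00:00 2018 GMT",
                     "notAfter": "Jun  4 00:00:00 2020 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        r = check_validity(cert)
        status = "TOO LONG" if r.too_long else "ok"
        scope = "in scope" if r.in_scope else "issued before 1 March 2018"
        print(f"{name}: {r.validity.days} days, {scope}, {status}")
```

For a live server, the same dict comes from `getpeercert()` on a connected `ssl.SSLSocket` whose certificate was verified.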
Comment 1 by csharrison@chromium.org, Apr 20 2018