Forum Discussion

Edward Haynes
Copper Contributor
Dec 09, 2019

Dev build v80.0.345.0 cert validation fails with Zscaler ZApp

Since the update to 80.0.345.0, I'm finding lots of sites are failing to open due to an invalid certificate. If the site is using HSTS, click-through is prevented.

We're using Zscaler and this seems to be an incompatibility with Zscaler's ZApp (see screenshots).
If I disable Zscaler it works OK, and other browsers (Brave, Firefox, IE) work OK; this is only affecting Edge Dev.

An example is https://microsoftedgeinsider.com


It seems that ZApp (performing SSL inspection) is getting confused about the requested FQDN and is presenting an incorrect certificate.

    • Edward Haynes
      Copper Contributor

      Geoff165 Ah OK, interesting. I'm opening a support ticket with Zscaler as well, so will pass this on, thanks!

  • Geoff165
    Copper Contributor

    Edward Haynes I have had a similar experience on this site. I found mention that Chrome was enforcing HSTS in the same way. From observation, the address in the URL bar is not matching the Subject or any of the SANs. I need to dig again; I believe the issue is to do with the certificate template used for the proxy.

  • Edward Haynes
    Copper Contributor
    Looks like this is a Chromium 80 issue, Google Chrome dev 80.0.3987.7 is also affected.
    • jpellois
      Copper Contributor

      Edward Haynes 

      Answer from Zscaler support:

      "

      We are aware of that issue. There is a ticket opened internally for that (BUG-67731).

      Certificate-related issues seem to be only happening with Zscaler App and Explicit Proxy mode (Dedicated Port, PAC file). When the Client Hello is fragmented, we are not able to get the SNI from the Client Hello.
      Hence our outbound connection does not have SNI, and this is causing issues with the certificate.

      Everything works fine with transparent forwarding methods (IPSEC/GRE Tunnel).

      Can you please get in contact with Microsoft and Google to get that checked?

      Temporary solution for users who are using browsers based on Chromium 80 is adding affected URLs to SSL Inspection bypass list.

      "

      • Edward Haynes
        Copper Contributor

        jpellois Thanks for the update.


        Geoff165 Zscaler have given me much the same feedback, basically that they are working on a fix and to wait 🤷‍♂️

    • Geoff165
      Copper Contributor

      Edward Haynes 


      Hi Edward, have Zscaler provided any guidance yet? I held back until this week's Insider release, hoping it would be addressed by MS.


      My guess is that the first certificate encountered is the one that Zscaler brokers, and because the address doesn't match any name in the certificate, HSTS says no.

  • Edward Haynes
    Copper Contributor

    Just had an update from Zscaler support on this: the fix is estimated to be pushed in the 5.7 version of Zscaler on the 17th for ZS3 and the 24th for the rest of the clouds.

    • Steven Newcomb
      Copper Contributor
      The new Dev release appears to have fixed this for us. I'm able to access HTTPS sites without any issue now.
      • danielschmidt
        Copper Contributor

        It seemed like this problem had been fixed for a little while, but I am again unable to access HTTPS sites with Edge Dev 82.0.432.3 and Zscaler 1.5.2.7.

        Anyone else?
