Forum Discussion
Dev build v80.0.345.0 cert validation fails with Zscaler ZApp
Since the update to 80.0.345.0, I'm finding that lots of sites are failing to open due to an invalid certificate. If the site is using HSTS, click-through is prevented.
We're using Zscaler and this seems to be an incompatibility with Zscaler's ZApp (see screenshots).
If I disable Zscaler it works ok and other browsers (Brave, Firefox, IE) work ok, this is only affecting Edge Dev.
An example is https://microsoftedgeinsider.com
It seems that ZApp (performing SSL inspection) is getting confused about the requested FQDN and is presenting an incorrect certificate.
- Geoff165 (Copper Contributor)
https://help.mulesoft.com/s/article/chrome-net-err-cert-common-name-invalid is the URL I found that suggested that the mismatch between the URL address, common name and SANs is the cause.
- Edward Haynes (Copper Contributor)
Geoff165 Ah ok, interesting. I'm opening a support ticket with Zscaler as well so will pass this on, thanks!
- jpellois (Copper Contributor)
- Geoff165 (Copper Contributor)
Edward Haynes I have had a similar experience on this site. I found mention that Chrome was enforcing HSTS in the same way. From observation, the address in the URL bar is not matching the Subject or any of the SANs. I need to dig again; I believe the issue has to do with the Certificate Template used for the proxy.
- Edward Haynes (Copper Contributor)
Looks like this is a Chromium 80 issue; Google Chrome dev 80.0.3987.7 is also affected.
- jpellois (Copper Contributor)
Answer from Zscaler support:
"We are aware of that issue. There is a ticket opened internally for that (BUG-67731).
Certificate related issues seem to be only happening with Zscaler APP and Explicit Proxy mode (Dedicated Port, PAC file). When the Client Hello is fragmented, we are not able to get the SNI from the Client Hello.
Hence our outbound connection does not have SNI, and this causes issues with the certificate.
Everything works fine with transparent forwarding methods (IPSEC/GRE Tunnel).
Can you please get in contact with Microsoft and Google to get that checked?
Temporary solution for users who are using browsers based on Chromium 80 is adding affected URLs to the SSL Inspection bypass list."
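The failure mode Zscaler support describes (the SNI becomes unreadable once the ClientHello handshake message spans more than one TLS record) can be reproduced with a small parser. The code below is an added example, not Zscaler's or anything posted in the thread: it builds a constructed minimal ClientHello, optionally splits it across two records as the thread reports Chromium 80 does, and compares a proxy that inspects only the first record with one that reassembles the handshake before looking for the server_name extension.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello handshake message carrying only an SNI extension."""
    host = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host       # name_type host_name(0), name length, name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                                  # legacy_version + 32-byte random
            + b"\x00"                                                # empty session id
            + b"\x00\x02\x13\x01"                                    # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                                            # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)             # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello(1) + 3-byte length

def to_records(handshake: bytes, fragment_at=None) -> bytes:
    """Wrap the handshake in TLS records; fragment_at splits it across two records."""
    chunks = [handshake] if fragment_at is None else [handshake[:fragment_at], handshake[fragment_at:]]
    return b"".join(b"\x16\x03\x01" + struct.pack("!H", len(c)) + c for c in chunks)

def extract_sni(stream: bytes, reassemble: bool):
    """Proxy view of the stream: reassemble=False parses only the first record's payload (naive proxy)."""
    payload, pos = b"", 0
    while pos + 5 <= len(stream) and stream[pos] == 0x16:           # 0x16 = handshake record
        length = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        payload += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if not reassemble:
            break
    return parse_sni(payload)

def parse_sni(hs: bytes):
    """Return the host_name from a ClientHello, or None if it is absent or the message is incomplete."""
    try:
        if hs[0] != 0x01 or len(hs) < 4 + int.from_bytes(hs[1:4], "big"):
            return None                                              # not a ClientHello, or truncated
        p = 4 + 2 + 32                                               # skip header, version and random
        p += 1 + hs[p]                                               # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]                 # cipher suites
        p += 1 + hs[p]                                               # compression methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            if etype == 0:                                           # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", hs[p + 7:p + 9])[0]
                return hs[p + 9:p + 9 + name_len].decode()
            p += 4 + elen
    except (IndexError, struct.error):
        return None
    return None
```

With the handshake split at byte 40, `extract_sni(stream, False)` returns None while `extract_sni(stream, True)` still recovers the host name, which is exactly the difference between a proxy that opens its outbound connection without SNI and one that forwards the intended name.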
- Edward Haynes (Copper Contributor)
- Geoff165 (Copper Contributor)
Hi Edward, have Zscaler provided any guidance yet? I held back until this week's Insider release hoping it would be addressed by MS.
My guess is that the first certificate encountered is the one that Zscaler brokers, and because the address doesn't match any name in the certificate, HSTS says no.
- Edward Haynes (Copper Contributor)
Just had an update from Zscaler support on this: the fix is estimated to be pushed in version 5.7 of Zscaler on the 17th for ZS3 and the 24th for the rest of the clouds.
- Steven Newcomb (Copper Contributor)
The new Dev release appears to have fixed this for us. I'm able to access HTTPS sites without any issue now.
- danielschmidt (Copper Contributor)
It seemed like this problem had been fixed for a little while, but I am again unable to access HTTPS sites with Edge Dev 82.0.432.3 and Zscaler 1.5.2.7.
Anyone else?