Forum Discussion
Dev build v80.0.345.0 cert validation fails with Zscaler ZApp
- jpellois, Dec 19, 2019, Copper Contributor
Answer from Zscaler support:
"
We are aware of that issue. There is a ticket opened internally for that (BUG-67731).
Certificate related issues seem to be only happening with Zscaler APP and Explicit Proxy mode (Dedicated Port, PAC file). When Client Hello is fragmented, we are not able to get the SNI from client hello.
Hence our outbound connection does not have SNI, which is causing issues with the certificate.
Everything works fine with transparent forwarding methods (IPSEC/GRE Tunnel).
Can you please get in contact with Microsoft and Google to get that checked?
Temporary solution for users who are using browsers based on Chromium 80 is adding affected URLs to SSL Inspection bypass list."
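
An added illustration, not from the thread or from Zscaler: a minimal SNI extractor that reassembles a ClientHello spread over several TLS records before parsing it, showing why looking only at the first fragment yields no SNI. It assumes "fragmented" means the handshake message spans more than one record or read; the helper names and the sample host name are constructed.

```python
import struct

def client_hello(host: str) -> bytes:
    """Build a minimal ClientHello handshake message (constructed sample input)."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def to_records(handshake: bytes, size: int) -> list:
    """Split one handshake message into TLS records of at most `size` payload bytes."""
    parts = [handshake[i:i + size] for i in range(0, len(handshake), size)]
    return [b"\x16\x03\x01" + struct.pack("!H", len(p)) + p for p in parts]

def extract_sni(stream: bytes):
    """Return the SNI host name, or None if the ClientHello is incomplete or has no SNI."""
    hs, pos = b"", 0
    while pos + 5 <= len(stream):               # reassemble across complete records
        ctype, _, rlen = struct.unpack_from("!BHH", stream, pos)
        if ctype != 22 or pos + 5 + rlen > len(stream):
            break
        hs += stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if len(hs) < 4 or hs[0] != 1:
        return None
    hlen = int.from_bytes(hs[1:4], "big")
    if len(hs) < 4 + hlen:
        return None                             # more fragments needed: keep buffering
    body = hs[4:4 + hlen]
    try:
        p = 2 + 32                              # legacy_version + random
        p += 1 + body[p]                        # session_id
        p += 2 + int.from_bytes(body[p:p + 2], "big")   # cipher_suites
        p += 1 + body[p]                        # compression_methods
        end = p + 2 + int.from_bytes(body[p:p + 2], "big")
        p += 2
        while p + 4 <= min(end, len(body)):
            etype, elen = struct.unpack_from("!HH", body, p)
            p += 4
            if etype == 0:                      # server_name: list_len(2) type(1) name_len(2)
                nlen = int.from_bytes(body[p + 3:p + 5], "big")
                return body[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

recs = to_records(client_hello("example.com"), 40)   # 67-byte message -> 2 records
print(extract_sni(recs[0]), extract_sni(b"".join(recs)))
```

A `None` result for a partial ClientHello is the signal to keep buffering rather than to open the outbound connection without SNI.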
- Edward Haynes, Dec 23, 2019, Copper Contributor
jpellois Thanks for the update.
Geoff165 Zscaler have given me much the same feedback, basically that they are working on a fix and to wait 🤷‍♂️
- Geoff165, Dec 19, 2019, Copper Contributor
Hi Edward, have Zscaler provided any guidance yet? I held back until this week's Insider release hoping it would be addressed by MS.
My guess is that the first certificate encountered is the one that Zscaler brokers and because the address doesn't match any named in the certificate HSTS says no.