Dev build v80.0.345.0 cert validation fails with Zscaler ZApp
It seemed like this problem had been fixed for a little while, but I am again unable to access HTTPS sites with Edge Dev 82.0.432.3 and Zscaler 1.5.2.7.
Anyone else?
- Edward Haynes, Feb 27, 2020, Copper Contributor
danielschmidt Yes, I can confirm it's stopped working again with v82 (82.0.432.3) for us as well.
- Steven Newcomb, Feb 27, 2020, Copper Contributor
Edward Haynes Same for us. It's broken.
- Eric_Lawrence, Feb 27, 2020, Microsoft
The reason this issue appeared and disappeared only to reappear again is because the PostQuantumCECPQ2 feature was changed to "off-by-default" for version 80/81 but it is now enabled again for version 82.
The upstream issue can be found here: https://crbug.com/1028602
As seen earlier in this thread, there is a known bug in ZScaler here, for which you will need to install their latest update.
You can verify whether that ZScaler bug is the root cause by closing all Edge instances and hitting Win+R, then running
msedge.exe --disable-features=PostQuantumCECPQ2
If that works, then something on your network path is not compatible with large ClientHello messages in the HTTPS handshake. For instance, older versions of ZScaler are known to have a bug whereby they fail to see the ServerNameIndicator TLS extension if the ClientHello spans multiple packets, and when that happens, the server typically will return the wrong certificate, resulting in a NET::ERR_CERT_COMMON_NAME_INVALID error message. ZScaler has released a fix for this that you'll need to apply.
In other cases, the network device is completely incompatible with handshakes that span multiple packets and an ERR_CONNECTION_RESET will be seen instead. You'll need to talk to your network administrators about contacting the vendor of your networking equipment about getting a fix.
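The failure mode Eric describes (an inspecting device that looks only at the first TCP segment misses the server_name extension when a large key share pushes the ClientHello past one segment) can be reproduced offline. The following is an added illustration, not code from this thread, from Edge, or from Zscaler: it builds a ClientHello following the TLS 1.3 wire format (RFC 8446) with a server_name extension and a key_share extension, then runs the same SNI parser over the whole record and over only its first segment. The 1460-byte segment size, the key-share sizes, the zeroed random, the extension ordering and the group identifier 0x4141 are all constructed for the demonstration and are not taken from any real handshake.

```python
import struct

MSS = 1460  # constructed assumption: typical TCP payload per Ethernet-sized segment


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(host: str, key_share_len: int) -> bytes:
    """Build one TLS record carrying a ClientHello with server_name (type 0) and key_share (type 51).

    Constructed layout: the key_share extension is placed first so the SNI lands at the tail of
    the message; a large key_share therefore pushes the SNI into a second TCP segment.
    """
    name = host.encode("ascii")
    server_name_list = b"\x00" + _u16(len(name)) + name          # name_type host_name(0), length, name
    sni_body = _u16(len(server_name_list)) + server_name_list
    key_exchange = b"\x42" * key_share_len                        # opaque key share bytes (constructed)
    share = _u16(0x4141) + _u16(len(key_exchange)) + key_exchange  # 0x4141: placeholder group id
    key_share_body = _u16(len(share)) + share
    extensions = (_u16(51) + _u16(len(key_share_body)) + key_share_body
                  + _u16(0) + _u16(len(sni_body)) + sni_body)
    body = (b"\x03\x03" + b"\x00" * 32        # legacy_version, random (zeroed; constructed)
            + b"\x00"                         # legacy_session_id: empty
            + _u16(2) + b"\x13\x01"           # cipher_suites: TLS_AES_128_GCM_SHA256 only
            + b"\x01\x00"                     # legacy_compression_methods: null
            + _u16(len(extensions)) + extensions)
    handshake = b"\x01" + _u24(len(body)) + body                  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake     # ContentType handshake(22)


def extract_sni(data: bytes):
    """Return the SNI host name from TLS record bytes, or None if the data ends before the SNI.

    Any truncation (record, handshake, extension list or the server_name entry itself) yields
    None rather than a partial answer, which is how a middlebox should treat an incomplete hello.
    """
    try:
        if data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                   # skip legacy_version and random
        pos += 1 + body[pos]                           # legacy_session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # legacy_compression_methods
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ebody = body[pos:pos + elen]
            if len(ebody) < elen:
                return None                            # extension cut off by the segment boundary
            pos += elen
            if etype == 0:
                name_len = struct.unpack("!H", ebody[3:5])[0]
                name = ebody[5:5 + name_len]
                return name.decode("ascii") if len(name) == name_len else None
        return None
    except (IndexError, struct.error):
        return None


def sni_seen_by_middlebox(record: bytes, reassemble: bool):
    """Simulate an inspecting device: either reassembles the stream or inspects only segment one."""
    visible = record if reassemble else record[:MSS]
    return extract_sni(visible)


def demo() -> dict:
    small = build_client_hello("example.com", key_share_len=32)    # a 32-byte share, as for a single ECDHE group
    large = build_client_hello("example.com", key_share_len=1400)  # constructed size, chosen to exceed MSS
    return {
        "small_fits_one_segment": len(small) <= MSS,
        "small_sni_first_segment": sni_seen_by_middlebox(small, reassemble=False),
        "large_fits_one_segment": len(large) <= MSS,
        "large_sni_first_segment": sni_seen_by_middlebox(large, reassemble=False),
        "large_sni_reassembled": sni_seen_by_middlebox(large, reassemble=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the small key share the whole hello fits in one segment and the first-segment inspection finds `example.com`; with the large share the same inspection returns `None` while a reassembling parser still finds it. That is exactly the gap the `--disable-features=PostQuantumCECPQ2` test in the post exposes: shrinking the ClientHello back under one segment hides the inspection device's missing reassembly rather than fixing it, so the vendor update remains the actual fix.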