Forum Discussion
Edward Haynes
Dec 09, 2019, Copper Contributor
Dev build v80.0.345.0 cert validation fails with Zscaler ZApp
Since the update 80.0.345.0, I'm having lots of sites failing to open due to an invalid certificate. If the site is using HSTS, click-through is prevented. We're using Zscaler and this seems t...
Eric_Lawrence
Microsoft
Feb 27, 2020
The reason this issue appeared and disappeared, only to reappear again, is that the PostQuantumCECPQ2 feature was changed to "off-by-default" for versions 80/81 but it is now enabled again for version 82.
The upstream issue can be found here: https://crbug.com/1028602
As seen earlier in this thread, there is a known bug in ZScaler here, for which you will need to install their latest update.
You can verify whether ZScaler's bug is the root cause by closing all Edge instances, hitting Win+R, then running
msedge.exe --disable-features=PostQuantumCECPQ2
If that works, then something on your network path is not compatible with large ClientHello messages in the HTTPS handshake. For instance, older versions of ZScaler are known to have a bug whereby they fail to see the ServerNameIndicator TLS extension if the ClientHello spans multiple packets, and when that happens, the server typically will return the wrong certificate, resulting in a NET::ERR_CERT_COMMON_NAME_INVALID error message. ZScaler has released a fix for this that you'll need to apply.
In other cases, the network device is completely incompatible with handshakes that span multiple packets and an ERR_CONNECTION_RESET will be seen instead. You'll need to talk to your network administrators about contacting the vendor of your networking equipment about getting a fix.
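An added illustration of the failure mode Eric describes (my own code, not from this thread, Microsoft or Zscaler): a ClientHello whose large key_share extension pushes server_name past the first TCP segment, so a parser that only looks at the first packet never sees the SNI while one that reassembles does. The message layout, extension order, group id and sizes are constructed assumptions, not a byte-accurate copy of Chromium's hello.

```python
import struct

def tls_ext(ext_type, body):
    # One TLS extension: type (2 bytes), length (2 bytes), body.
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(host, key_share_len):
    """Constructed TLS 1.3-style ClientHello record (not byte-accurate to Chromium).
    key_share (type 51) precedes server_name (type 0), so a large post-quantum
    share pushes the SNI towards the end of the message."""
    name = host.encode()
    sni = struct.pack("!H", len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name
    share = (struct.pack("!HHH", key_share_len + 4, 0x0000, key_share_len)  # placeholder group id
             + b"\x00" * key_share_len)                                      # constructed key bytes
    exts = tls_ext(51, share) + tls_ext(0, sni)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # legacy version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def split_packets(record, payload_size):
    # Segment the record the way TCP would for a given per-packet payload size.
    return [record[i:i + payload_size] for i in range(0, len(record), payload_size)]

def find_sni(data):
    """server_name from the ClientHello bytes supplied, or None if it is not
    there. Fed only the first segment, this behaves like a middlebox that
    never reassembles the handshake."""
    try:
        p = 5 + 4 + 2 + 32                                 # headers, version, random
        p += 1 + data[p]                                   # session id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]     # cipher suites
        p += 1 + data[p]                                   # compression methods
        ext_len = struct.unpack("!H", data[p:p + 2])[0]
        p, end = p + 2, p + 2 + ext_len
        while p + 4 <= end:
            ext_type, length = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if ext_type == 0:
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                name = data[p + 5:p + 5 + name_len]
                return name.decode() if len(name) == name_len else None
            p += length
    except (IndexError, struct.error):
        pass
    return None

if __name__ == "__main__":
    segments = split_packets(build_client_hello("example.com", 1500), 1400)  # constructed sizes
    print("first segment:", find_sni(segments[0]), "reassembled:", find_sni(b"".join(segments)))  # None / example.com
```

A hello with a 32-byte share fits in one segment and the SNI is found either way, which is why the problem only surfaced once the post-quantum key share grew the ClientHello.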
Geoff165
Feb 27, 2020, Copper Contributor
Eric_Lawrence @Steven Newcomb @Edward Haynes
Hi Guys,
We do not run the ZScaler app. Tried it on our iDevices and got lots of whining about battery life, and then found that it could not competently switch between IPv4 and IPv6 networks.
So we run some on-prem vZens to allow for IP pinning to our gateway for some vendor licensing and intra-government traffic. The 82 engine manifests as gateway timeouts for any TLS site rather than declaring it unsafe.
Looking forward to seeing how long it takes ZScaler to react to this update.
Geoff
- Geoff165, Feb 27, 2020, Copper Contributor
Hi Eric,
To be honest, I had not tried until you asked. Set up a shortcut on my desktop and away I go, a functional browser again.
Geoff
- Eric_Lawrence, Feb 27, 2020
Microsoft
Geoff165 - To confirm, are you saying that using the --disable-features=PostQuantumCECPQ2 command line flag unblocks your browsers too?