Dec 11 2019 01:13 AM
Hello everybody,
I'm currently using Microsoft Edge [Version 80.0.355.1 (Official build) dev (64-bit)] in my company network. Since a few days ago I started having problems trying to load some websites such as https://www.gazzetta.it . When I try to access these sites I get the error:
Your connection isn't private
Attackers might be trying to steal your information from www.gazzetta.it (for example, passwords, messages, or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
On some websites I can click "advanced" and then continue, some other times instead I can't.
If I try opening the same websites with Google Chrome I get no error, everything works smoothly.
I guess it could be something related to my company network configuration (we are using Zscaler as a proxy) but I don't understand why it is happening only with some websites and why this issue started only a few days ago.
I also compared the certificate details provided by Edge and Chrome, they differ for some reason:
EDGE:
CHROME:
Any idea?
Dec 11 2019 02:07 AM
Dec 11 2019 02:17 AM
Hi @HotCakeX, thanks for your help. I tried disabling all the extensions and the tracking prevention but nothing changed.
I would like to provide more details but didn't find anything useful (e.g. the browser console doesn't show any error).
Dec 11 2019 02:31 AM
Dec 13 2019 01:23 AM
@HotCakeX thanks for the detailed information, I submitted the feedback with diagnostics attached. In the meantime I noticed a weird behavior: my PC is configured to use the Zscaler proxy through a configuration script; if I disable it I am able to reach pages that usually don't work, even though the requests are still passing through Zscaler.
With Chrome, by the way, everything works in both cases (proxy script enabled/disabled).
Dec 16 2019 06:39 AM
I have the exact same problem with Edge and ZScaler. If it is on I can't get to pages like make.powerapps.com. If I turn ZScaler off it is working fine. It is working all the time in Chrome.
Dec 18 2019 03:23 AM
@Par Linderoth thanks for sharing your experience. When you talk about disabling Zscaler, do you mean you are using a PAC script for proxy configuration too?
Dec 18 2019 04:22 AM
@paolot No, I actually just have the option to exit the ZScaler application installed on my computer.
Feb 27 2020 09:37 AM - edited Feb 27 2020 10:03 AM
There is a known bug in ZScaler here, for which you will need to install their latest update.
You can verify whether that ZScaler bug is the root cause by closing all Edge instances and hitting Win+R, then running
msedge.exe --disable-features=PostQuantumCECPQ2
If that works, then something on your network path is not compatible with large ClientHello messages in the HTTPS handshake. For instance, older versions of ZScaler are known to have a bug whereby they fail to see the ServerNameIndicator TLS extension if the ClientHello spans multiple packets, and when that happens, the server typically will return the wrong certificate, resulting in a NET::ERR_CERT_COMMON_NAME_INVALID error message. ZScaler has released a fix for this that you'll need to apply.
In other cases, the network device is completely incompatible with handshakes that span multiple packets and an ERR_CONNECTION_RESET will be seen instead. You'll need to talk to your network administrators about contacting the vendor of your networking equipment about getting a fix.
The reason this issue appeared and disappeared only to reappear again is because the PostQuantumCECPQ2 feature was changed to "off-by-default" for version 80/81 but it is now enabled again for version 82.
The upstream issue can be found here: https://crbug.com/1028602
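The mechanism described in the answer above (a proxy that only inspects the first TCP segment misses the SNI once a large ClientHello spans several packets) can be reproduced offline. The following Python script is an added example and is not code from this thread, from Microsoft, or from Zscaler: it builds a constructed, minimal ClientHello with a server_name extension and a key_share extension of adjustable size (a ~1.1 KB share is used as an assumed stand-in for a post-quantum share like CECPQ2; the group id 0x1234 and the 1024-byte segment size are placeholders), splits the record into segments, and runs the same strict SNI parser once on the first segment only and once on the reassembled stream.

```python
"""Added example: why first-segment-only TLS inspection loses the SNI when the
ClientHello grows past one TCP segment. All bytes are constructed locally."""
import os
import struct

SEGMENT_SIZE = 1024  # assumed TCP payload per segment (placeholder, not a real MSS)


def _ext(ext_type, body):
    """Encode one TLS extension: type(2) length(2) body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(hostname, key_share_len):
    """Build a minimal ClientHello record carrying a server_name extension and
    a key_share extension whose key is key_share_len bytes long
    (32 approximates X25519; ~1100 is an assumed stand-in for a CECPQ2 share)."""
    name = hostname.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    # 0x1234 is a constructed placeholder group id, not a registered one
    share = struct.pack("!HH", 0x1234, key_share_len) + os.urandom(key_share_len)
    key_share_body = struct.pack("!H", len(share)) + share
    extensions = _ext(0x0000, sni_body) + _ext(0x0033, key_share_body)
    body = (
        b"\x03\x03" + os.urandom(32) + b"\x00"        # version, random, empty session id
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def segment(data, size=SEGMENT_SIZE):
    """Split the record into TCP-segment-sized chunks."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def extract_sni(data):
    """Strictly parse one TLS handshake record and return the SNI host name,
    or None if the record is truncated or carries no server_name extension."""
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None  # record is incomplete in this buffer
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                      # handshake header, version, random
    sid_len = hs[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hs[pos]; pos += 1 + cm_len
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end > len(hs):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        if etype == 0x0000:               # server_name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None


def sni_first_segment_only(segments):
    """What an inspector that looks only at the first segment sees."""
    return extract_sni(segments[0])


def sni_reassembled(segments):
    """What an inspector that reassembles the stream before parsing sees."""
    return extract_sni(b"".join(segments))


if __name__ == "__main__":
    for label, share_len in (("small key share", 32), ("large key share", 1100)):
        segs = segment(build_client_hello("www.example.com", share_len))
        print(f"{label}: {len(segs)} segment(s), first-only SNI = "
              f"{sni_first_segment_only(segs)!r}, reassembled SNI = {sni_reassembled(segs)!r}")
```

With the small share the whole record fits in one segment and both views agree; with the large share the record needs two segments, so the first-segment-only inspector returns None while the reassembling one still finds the host name. An inspector that forwards the connection without the SNI is exactly the situation in which a shared-hosting server hands back a default certificate whose name does not match, which the browser reports as NET::ERR_CERT_COMMON_NAME_INVALID. The defensive fix is the one the answer points to: update the inspecting device so it reassembles the handshake before parsing, rather than turning off the larger key exchange in the browser.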