
Use certificate with proper subjectAltName (Chrome 58 compatibility)

padde opened this issue 7 years ago · 1 comment

Problem description

Dotjs stopped working with Chrome 58. Chrome will no longer accept a certificate without subjectAltName and will display this error instead:

Attackers might be trying to steal your information from localhost (for example, passwords, messages or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is localhost; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection.

For the announcement, see https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/IGT2fLJrAeo/csf_1Rh1AwAJ

How the valid self-signed certificate was generated

For future reference, the openssl command used to generate the certificate was based on this StackOverflow post:

# -x509 makes req emit a self-signed certificate directly (no CSR), so the
# extensions come from the x509_extensions section of localhost.conf
openssl req -config localhost.conf -new -x509 -sha256 -newkey rsa:2048 -nodes \
    -keyout localhost.key.pem -days 36500 -out localhost.cert.pem

# localhost.conf

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US
stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName            = Locality Name (eg, city)
localityName_default        = Localhost
organizationName         = Organization Name (eg, company)
organizationName_default    = Localhost
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Localhost
emailAddress            = Email Address
emailAddress_default        = [email protected]

# extensions used with -x509 (self-signed certificate)
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# extensions used when generating a CSR instead
[ req_ext ]
subjectKeyIdentifier        = hash
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# Chrome matches the URL host against the SAN entry of the same type:
# host names go in DNS.n (dNSName), IP addresses in IP.n (iPAddress).
# Listing an IP address as a DNS entry does not match https://127.0.0.1
[ alternate_names ]
DNS.1 = localhost
IP.1  = 127.0.0.1
IP.2  = ::1

padde avatar May 16 '17 09:05 padde
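An added, runnable check of the procedure above (example script, not code from the dotjs project or the issue author): it writes an equivalent `localhost.conf` with the IP addresses as `IP.n` entries, generates the self-signed certificate, and then verifies that the subjectAltName Chrome 58 looks for is actually present. It assumes the `openssl` CLI is installed; the file names and the hypothetical helper names are mine.

```shell
#!/bin/sh
# Added example: generate a self-signed localhost certificate with a
# subjectAltName and verify the SAN entries in the resulting certificate.
set -eu

# Write a minimal req config to the path given in $1. IP addresses belong in
# IP.n (iPAddress) entries, not DNS.n, or Chrome will not match https://127.0.0.1
write_conf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = subject
x509_extensions    = x509_ext
prompt             = no
[ subject ]
CN = localhost
[ x509_ext ]
subjectKeyIdentifier = hash
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectAltName       = @alternate_names
[ alternate_names ]
DNS.1 = localhost
IP.1  = 127.0.0.1
IP.2  = ::1
EOF
}

# Generate key and certificate into directory $1 (default: a fresh temp dir)
# and print the certificate path. 825 days is used instead of the issue's
# 36500 because some clients reject very long-lived certificates.
gen_cert() {
  dir=${1:-$(mktemp -d)}
  write_conf "$dir/localhost.conf"
  openssl req -config "$dir/localhost.conf" -new -x509 -sha256 \
    -newkey rsa:2048 -nodes -keyout "$dir/localhost.key.pem" \
    -days 825 -out "$dir/localhost.cert.pem" 2>/dev/null
  echo "$dir/localhost.cert.pem"
}

# Print the SAN entries of certificate $1, one per line (empty if absent).
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^ *//'
}

# Succeed only if certificate $1 carries the exact SAN entry $2,
# e.g. 'DNS:localhost' or 'IP Address:127.0.0.1'.
has_san() {
  cert_san "$1" | grep -qxF "$2"
}
```

Run `CERT=$(gen_cert) && cert_san "$CERT"` to see the entries; a certificate made from the original config without SAN prints nothing here, which is exactly the case Chrome 58 rejects.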

This still works for me with Chrome 71.

keith avatar Dec 31 '18 20:12 keith