Issues with HTTPS filtering in Google Chrome

Starting from version 58+ Google Chrome checks for presence of subjAltName extension in SSL certificates presented by the remote sites. See https://developers.google.com/web/updates/2017/03/chrome-58-deprecations topic “Remove support for commonName matching in certificates”, RFC 2818.

If you have HTTPS filtering enabled, Squid decrypts the connections and mimicks site certificates. If subjectAltName is present it is mimicked too and browsing continues without any problems.

Sometimes though Squid needs to generate a mimicked certificate without actually connecting to the remote site. The following topics describe several issues that may appear.

• DNS lookup of non existing doman name (or any other Squid error)
• Older Version of Web Safety < 5.1 - incorrect order of SSL bump directives
• Google Chrome cannot update itself through Squid Proxy