Issues with HTTPS filtering in Google Chrome

Starting from version 58+ Google Chrome checks for presence of subjAltName extension in SSL certificates presented by the remote sites. See topic “Remove support for commonName matching in certificates”, RFC 2818.

If you have HTTPS filtering enabled, Squid decrypts the connections and mimicks site certificates. If subjectAltName is present it is mimicked too and browsing continues without any problems.

Sometimes though Squid needs to generate a mimicked certificate without actually connecting to the remote site. The following topics describe several issues that may appear.