chrome 在 linux 下今天爆发, 绝大多数 https 访问不了.
rainysia · 2014-09-15 17:37:12 +08:00 · 7545 次点击这是一个创建于 3703 天前的主题,其中的信息可能已经有所发展或是发生改变。
今天周一, 回公司后打开邮箱发现thunderbird和iceweasel(firefox)下web版的outlook都访问不了. 于是发邮件个Technical support group,
当时报错如下
===我是错误的分割线 Start========
Secure Connection Failed
An error occurred during a connection to cdcmail.synnex.com. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
===我是错误的分割线 End=========
TSG让我等会儿重试下. 几分钟后重试可以收发了, 不过速度下降了.
接下来, 大约半个小时后, 我有需要连github, 发现连不上了
https://ruby-china.org https://github.com 都连不上了.
点开github
报错
===我是错误的分割线 Start========
Your connection is not private
Attackers might be trying to steal your information from github.com (for example, passwords, messages, or credit cards).
ReloadHide advanced
github.com normally uses encryption to protect your information. When Chrome tried to connect to github.com this time, the website sent back unusual and incorrect credentials. Either an attacker is trying to pretend to be github.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.
You cannot visit github.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
NET::ERR_CERT_AUTHORITY_INVALID
===我是错误的分割线 End=========
点开证书一看, 机构不是Digi那个. firefox下可以正常访问, 我加了例外. 但是chrome就是不让加例外. 怎么办呢? 有人知道这个chrome的证书流程吗
Common Name (CN) github.com
Organization (O) GitHub, Inc.
Organizational Unit (OU) <Not Part Of Certificate>
Serial Number 3F:C2:EE:F3
Issued By
Common Name (CN) FortiGate CA
Organization (O) Fortinet
Organizational Unit (OU) Certificate Authority
当时报错如下
===我是错误的分割线 Start========
Secure Connection Failed
An error occurred during a connection to cdcmail.synnex.com. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
===我是错误的分割线 End=========
TSG让我等会儿重试下. 几分钟后重试可以收发了, 不过速度下降了.
接下来, 大约半个小时后, 我有需要连github, 发现连不上了
https://ruby-china.org https://github.com 都连不上了.
点开github
报错
===我是错误的分割线 Start========
Your connection is not private
Attackers might be trying to steal your information from github.com (for example, passwords, messages, or credit cards).
ReloadHide advanced
github.com normally uses encryption to protect your information. When Chrome tried to connect to github.com this time, the website sent back unusual and incorrect credentials. Either an attacker is trying to pretend to be github.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chrome stopped the connection before any data was exchanged.
You cannot visit github.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
NET::ERR_CERT_AUTHORITY_INVALID
===我是错误的分割线 End=========
点开证书一看, 机构不是Digi那个. firefox下可以正常访问, 我加了例外. 但是chrome就是不让加例外. 怎么办呢? 有人知道这个chrome的证书流程吗
Common Name (CN) github.com
Organization (O) GitHub, Inc.
Organizational Unit (OU) <Not Part Of Certificate>
Serial Number 3F:C2:EE:F3
Issued By
Common Name (CN) FortiGate CA
Organization (O) Fortinet
Organizational Unit (OU) Certificate Authority
第 1 条附言 · 2014-09-15 18:36:39 +08:00
我的OS是debian 7.6
刚才去测了下同事的机器, 一共试了6台,3台ubuntu的机器, 都可以访问,
3台win7的机器, 其中一台情况和我一模一样.
刚才去测了下同事的机器, 一共试了6台,3台ubuntu的机器, 都可以访问,
3台win7的机器, 其中一台情况和我一模一样.
9 条回复 • 2014-09-16 10:53:35 +08:00
 |
1
aa45942 2014-09-15 17:40:44 +08:00
证书不对吧,你的chrome是不是出问题了,可能被装了恶意插件或者拓展
|
 |
2
ryd994 2014-09-15 18:00:00 +08:00
你根证书被清了?
|
 |
3
hjc4869 2014-09-15 18:07:39 +08:00
这个不叫爆发叫爆炸……
|
 |
4
ihacku 2014-09-15 18:26:48 +08:00
这是被安全网关把证书替换掉了吧 FortiGate
所谓的上网行为管理 |
 |
5
rainysia OP |
|
7
ryd994 2014-09-15 20:26:02 +08:00  1
当然,到底是恶意的还是只是公司管理,这个你得问tech
|
 |
8
silverfox 2014-09-16 00:39:27 +08:00 1
我来抛砖引玉一下,以下是我的推测,不能保证完全正确。
FortiGate 是专门做防火墙的厂商,应该是你们公司新上了一套设备用来监控员工的上网行为。它在解析 HTTPS 流量,所以需要将那些使用 HTTPS 通信的网站证书全换成自己签发的。 Github 这个网站表明自己是支持 HSTS 的,而楼主机器上的 Chrome 之前记录了 github.com 证书的公钥指纹。这回被替换掉的证书肯定无法与之前的一致,所以浏览器识别为中间人攻击,拒绝连接。其他人机器之前没有访问过 Github 所以这时可以正常打开。 不过我认为他们还是有一些使用 HTTPS 的网站是无法打开的,因为 Chrome 内置了一部分网站证书的签发者正确的证书。所以如果网站的签发者不正确(FortiGate CA),一样拒绝连接。 https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.certs 解决办法: 上策:向领导建议不要解析 HTTPS 网站流量 下策:使用 Firefox |
Select Language