Solution recap
A Chrome change altered how self-signed certificates are validated
This solution worked fine before Chrome 105. Starting with Chrome 105, Chrome put the Chrome Root Program policy into effect (see the reference reading), and from Chrome 105 onward a self-signed certificate may no longer be accepted (when the Chrome Root Store is used). Let's look at the relevant changes in detail.
1. The Wikipedia page Google_Chrome_version_history shows that the Windows build of Chrome 105 was released on 2022-08-30. The most recent Chrome release history does not appear to mention this matter, but it does give us the release date, which we need for the reasoning below.
2. The Chrome Root Program Policy version history: the 2022/9/1 entry reads "Updated to reflect the launch of the Chrome Root Program".
| Version | Date | Note |
| --- | --- | --- |
| 1 | 2020/12/20 | Initial release |
| 1.1 | 2022/6/1 | Updated in anticipation of the future Chrome Root Program launch. Updates include, but are not limited to: future-dated applicant requirements for dedicated TLS hierarchies and key-pair freshness; clarification of audit expectations; requirements for cross-certificate issuance notification; description of and requirements related to an annual self-assessment process; an outline of priority Chrome Root Program initiatives |
| 1.2 | 2022/9/1 | Updated to reflect the launch of the Chrome Root Program. Updates include, but are not limited to: removal of pre-launch discussion; clarifications resulting from the June 2022 Chrome CCADB survey; minor reorganization of normative and non-normative requirements |
| 1.3 | 2023/1/6 | Updated to include the CCADB Self-Assessment |
3. Next, look at the description of the ChromeRootStoreEnabled policy: it is an experimental policy that will be removed in Chrome 113.
4. A question posted on superuser.com (the sister site of Stack Overflow): while working through it, the user hit the same problem, and the self-signed certificate generated by IIS itself was likewise not trusted.
Conclusion
When, on Chrome 105+, the ChromeRootStoreEnabled policy is not set and chrome://flags/#chrome-root-store-enabled is not set either, then combining the Chrome 2022/9/1 change "Updated to reflect the launch of the Chrome Root Program", the statement "Chrome Root Store may be used depending on feature launch process", and point 4 above, we can conclude that Chrome 105+ validates the self-signed certificate against the Chrome Root Store, and the Chrome Root Store obviously does not contain our certificate.
Verification method (requires access to Google)
Test version: Chrome 110
- Chrome Root Store set to Default: expected result, the page fails to load
- Chrome Root Store Enabled: expected result, the page fails to load
- Chrome Root Store Disabled: expected result, the page loads
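Before repeating the manual test, it helps to read the same three inputs the conclusion depends on (installed Chrome version, the ChromeRootStoreEnabled policy, and the chrome://flags choice) straight from the Windows host. This PowerShell check is an added example, not part of the original post; it assumes the standard Chrome install locations, the standard Chrome policy registry keys, and that chrome://flags selections are persisted in the `Local State` file under `browser.enabled_labs_experiments`.

```powershell
# Added example: report whether Chrome 105+ on this host is expected to validate
# certificates with the Chrome Root Store, following the reasoning in the post.
# Assumed paths/keys: default Chrome install paths and the Google\Chrome policy keys.

function Get-ChromeVersion {
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    foreach ($path in $candidates) {
        if (Test-Path $path) {
            return [version](Get-Item $path).VersionInfo.ProductVersion
        }
    }
    return $null
}

function Get-ChromeRootStorePolicy {
    # The ChromeRootStoreEnabled policy can be set at machine or user scope.
    $keys = 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome'
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name ChromeRootStoreEnabled -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.ChromeRootStoreEnabled }
    }
    return $null   # policy not set (the case the conclusion reasons about)
}

function Get-ChromeRootStoreFlag {
    # chrome://flags choices are stored as strings in the Local State JSON file;
    # an empty result means the flag is still at its Default setting.
    $localState = "$env:LOCALAPPDATA\Google\Chrome\User Data\Local State"
    if (-not (Test-Path $localState)) { return @() }
    $labs = (Get-Content $localState -Raw | ConvertFrom-Json).browser.enabled_labs_experiments
    if ($null -eq $labs) { return @() }
    return @($labs | Where-Object { $_ -like 'chrome-root-store-enabled*' })
}

$version = Get-ChromeVersion
$policy  = Get-ChromeRootStorePolicy
$flag    = Get-ChromeRootStoreFlag

"Chrome version : $version"
"Policy value   : $(if ($null -eq $policy) { 'not set' } else { $policy })"
"Flag entries   : $(if ($flag.Count) { $flag -join ', ' } else { 'Default' })"

if ($null -ne $version -and $version.Major -ge 105 -and $policy -ne 0 -and $flag.Count -eq 0) {
    "=> Chrome Root Store expected in use: a self-signed certificate not in it will be rejected."
} else {
    "=> Policy or flag overrides the default; confirm by loading the page as described above."
}
```

Run it from an ordinary PowerShell session on the machine under test; the three printed lines map directly onto the three manual test cases listed above.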