Issue 139606 in chromium: Invalid Server Certificate /Translation problem

[chro...@googlecode.com]

Status: Unconfirmed
Owner: ----
Labels: Type-Bug Pri-2 Area-Undefined OS-Windows

New issue 139606 by steve.ya...@gmail.com: Invalid Server Certificate
/Translation problem
http://code.google.com/p/chromium/issues/detail?id=139606

Am trying to help a neighbour with a problem he has when using Chrome on
his PC, he has Windows 7 Home premium +SP1 but whenever he accesses a
https site he gets an Invalid Server Certificate error and whenever he
opens a normal http page in English expecting to be offered a French
translation there is a "Chrome cannot translate this page due to a network
problem" message. I am assuming the 2 errors are related. I have
re-installed Chrome twice but with no apparent change. Can anyone help ?

Thanks

Steve

Google Chrome 20.0.1132.57 (Build officiel 145807) m
Système d'exploitation Windows
WebKit 536.11 (@122148)
JavaScript V8 3.10.8.20
Flash 11,3,300,265
Agent utilisateur Mozilla/5.0 (Windows NT 6.1; WOW64)
AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11
Ligne de
commande "C:\Users\olivier\AppData\Local\Google\Chrome\Application\chrome.exe"
--flag-switches-begin --flag-switches-end
Chemin d'accès exécutable
C:\Users\olivier\AppData\Local\Google\Chrome\Application\chrome.exe
Chemin d'accès au profil
C:\Users\olivier\AppData\Local\Google\Chrome\User Data\Default

[chro...@googlecode.com]

Updates:
Labels: -Area-Undefined Area-Internals Internals-Network-SSL

Comment #1 on issue 139606 by r...@chromium.org: Invalid Server Certificate
/Translation problem
http://code.google.com/p/chromium/issues/detail?id=139606

(No comment was entered for this change.)

[chro...@googlecode.com]

Comment #2 on issue 139606 by a...@chromium.org: Invalid Server Certificate
/Translation problem
http://code.google.com/p/chromium/issues/detail?id=139606

Can you provide a net-internals dump?
http://www.chromium.org/for-testers/providing-network-details

This is most frequently caused by `firewall' or anti-virus software on the
computer trying to intercept secure connections.

[chro...@googlecode.com]

Comment #3 on issue 139606 by steve.ya...@gmail.com: Invalid Server

Certificate /Translation problem
http://code.google.com/p/chromium/issues/detail?id=139606

Will do this on Monday, don't have access to PC at the moment

[chro...@googlecode.com]

Comment #4 on issue 139606 by steve.ya...@gmail.com: Invalid Server

Certificate /Translation problem
http://code.google.com/p/chromium/issues/detail?id=139606

2 files attached. bbc file is an attempt at getting a page translated (into
French), gmail file is an attempt to open a https page

Hope this will allow you to shed some light on the problem

Thanks for taking the time to help

Attachments:
gmail_net-internals-log.json 631 KB
bbc_net-internals-log.json 1.6 MB

[chro...@googlecode.com]

Comment #5 on issue 139606 by a...@chromium.org: Invalid Server Certificate
/Translation problem
http://code.google.com/p/chromium/issues/detail?id=139606

Everything appears to be working fine for Chrome, but when Chrome is asking
Windows to verify the (correct) certificate, it's taking 15 seconds and
returning an authority error.

Unfortunately, we don't get a lot of insight into the Windows CryptoAPI
with this log. The best explanation that I can think of is that the Equifax
root isn't known to Windows. When that happens, Windows will try to contact
Microsoft to find the unknown root. That could be timing out after 15
seconds.

Does IE work for https://gmail.com? Does Windows Update have any problems?

[chro...@googlecode.com]

Comment #6 on issue 139606 by steve.ya...@gmail.com: Invalid Server

Certificate /Translation problem
http://code.google.com/p/chromium/issues/detail?id=139606

Am not sure about IE but Firefox works fine, I used it to send those files
via gmail to my account

[chro...@googlecode.com]

Comment #7 on issue 139606 by rsl...@chromium.org: Invalid Server

Certificate /Translation problem
http://code.google.com/p/chromium/issues/detail?id=139606

Hi Steve, Firefox uses a different way of verifying certificates
independent of how Chrome and IE verify certificates, which is why agl
asked about IE. If you have a chance, could you please test?

This is typically indicative of the machine being corrupted, either do to
malware or to local error. Some users have reported that installing
http://www.microsoft.com/en-us/download/details.aspx?id=9490 has corrected
the corruption for them. Others have reported success installing Microsoft
Security Essentials (
http://windows.microsoft.com/en-US/windows/products/security-essentials )
and scanning for malware.

If all else fails, Microsoft's "official" solution is to manually
re-install the roots part of the Microsoft root program -
http://social.technet.microsoft.com/wiki/contents/articles/2592.aspx

Note that, as of Windows Vista, these roots are supposed to be
automatically installed whenever accessing a site that uses it. It's
possible that proxy settings have been configured that point to an invalid
proxy, preventing this mechanism from working.
http://support.microsoft.com/kb/2623724 details in depth how these settings
are configured.

CryptoAPI (used by IE and Chrome) uses the WinHTTP settings, which can be
configured with the 'netsh' command.
http://technet.microsoft.com/en-us/library/bb430772.aspx provides some
user-friendly descriptions of these settings.

[chro...@googlecode.com]

Comment #8 on issue 139606 by steve.ya...@gmail.com: Invalid Server

Certificate /Translation problem
http://code.google.com/p/chromium/issues/detail?id=139606

Hello

IE gives a warning about an invalid certificate but will allow access to
https://gmail.com if I insist

If I try to install the Windows UPdate (KB2524375) I get a message saying
that it does not apply to this machine

Netsh does not show any proxy server being used

I don't understand how to re-install the roots part of Microsoft root
program, that link didn't seem to have any instructions, just a list of
certificate issuing bodies (that didn't include Google)

Am currently scanning the PC with MSE (which was already installed )

Thanks for the help so far

Steve

[chro...@googlecode.com]

Comment #9 on issue 139606 by rsl...@chromium.org: Invalid Server

Certificate /Translation problem
http://code.google.com/p/chromium/issues/detail?id=139606

Hi Steve,

Right, the behaviour of IE is different because it does not support some of
the enhanced security features in Chrome that are designed to protect users
from attack. Under certain conditions, and based on settings configured by
the site operator (eg: gmail.com), users are not allowed to override
certificate warnings.

Unfortunately, in some situations, it's impossible to distinguish an attack
from a misconfiguration, which is how you've ended up in this position.

One additional confirmation about your local machine having some form of
misconfiguration or corruption would be attempting to load
https://ssltest15.bbtest.net/ in either Chrome or IE. I would expect, based
on your logs, that it will fail to load.

The Microsoft root program I listed (the social.technet URL) simply has all
of the certificates that are part of the Microsoft root program and the
links to obtain them. To actually install a root certificate, the
directions at http://technet.microsoft.com/en-us/library/cc754841.aspx can
be used.

Before going too far, I'd try installing the Update for Root Certificates (
http://support.microsoft.com/kb/931125 ). Though it's listed for Windows
XP, I've heard mixed reports that it may run and correct Windows 7.

If it doesn't, however, you'll need to manually install the appropriate
root certificates that have been corrupted in your install. Based on the
URL you're trying to access, I suspect this includes one or more of
the "Equifax Secure Certificate Authority" root certs, which are listed
under the VeriSign column in the Microsoft table. This can actually be
downloaded from
http://www.geotrust.com/resources/root-certificates/index.html - you can
see the Certificate Fingerprint (SHA-1) matches what is listed in
Microsoft's root program.

Downloading and installing this certificate "should" restore connectivity.
As to how your Windows installation got to this point, I'm afraid that may
be a question for the Microsoft forums. As I mentioned, a variety of users
who have filed similar bug reports have found malware as the root cause,
but there may be a wide variety of reasons.

[chro...@googlecode.com]

Updates:
Status: Archived

Comment #11 on issue 139606 by rsl...@chromium.org: Invalid Server

Certificate /Translation problem
http://code.google.com/p/chromium/issues/detail?id=139606

Archiving old issue due to lack of feedback.

If you're still encountering problems with Chrome, please respond.

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings