Updates:
	Cc: da...@chromium.org patr...@chromium.org

Comment #3 on issue 5313 by w...@chromium.org: Any HTTPS site gets the "Server's certificate cannot be checked" error on one laptop
http://code.google.com/p/chromium/issues/detail?id=5313

Using CAPI2 Diagnostics described in that TechNet article, I found out what's wrong with this laptop. It turns out that CAPI (CryptoAPI, the Windows system crypto library) uses WinHTTP to download CRLs or talk to the OCSP responders, and CAPI apparently lets WinHTTP use WinHTTP's own proxy settings, as opposed to IE's proxy settings. On this laptop, WinHTTP's proxy settings have been set to use a test Squid proxy server running on ananthak's machine, and that proxy server requires HTTP digest authentication. So CAPI's attempts to download CRLs or get OCSP responses all fail with the HTTP 407 proxy authentication required status code.

You can use the 'netsh' tool to see the WinHTTP proxy settings. In a Command Prompt, type 'netsh'. At the netsh prompt, type 'winhttp' to change to the winhttp context. Then type "show proxy". You will see that "Proxy Server(s)" is set to the test proxy server on ananthak's machine. If you type 'reset proxy' to reset the WinHTTP proxy settings to default (direct access), then Google Chrome won't get the "Server's certificate cannot be checked" error.

Note that CAPI has a disk cache for CRLs and OCSP responses. When I reset the WinHTTP proxy settings to the default, I visited https://www.paypal.com/ and https://www.bankofamerica.com/. So the CRLs and OCSP responses related to these two sites are already in the CAPI disk cache, and now Google Chrome doesn't get the "Server's certificate cannot be checked" error with these two sites on this laptop, even after I changed the WinHTTP proxy settings back to ananthak's test proxy server.

The remaining work is:

1. Figure out why IE still shows good SSL status, even EV status, without doing OCSP.
2. Find out if it's possible to pass proxy settings to CAPI for its use of WinHTTP, because we don't want to use WinHTTP's own proxy settings.
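The check described in the comment above, scripted as an added example (not part of the original message or of Chromium): it reads the WinHTTP proxy that CryptoAPI uses for CRL/OCSP retrieval, compares it with the per-user IE proxy, and counts error events in the CAPI2 operational log. It assumes English-language `netsh` output and that CAPI2 logging is enabled; the function names and the sample proxy host are hypothetical.

```powershell
# Added example. Assumes English-language netsh output; function names are
# hypothetical, and the sample proxy host is a constructed placeholder.

function Get-WinHttpProxy {
    # Parses 'netsh winhttp show proxy' output; $null means direct access.
    param([string[]]$NetshOutput = (netsh winhttp show proxy))
    if (($NetshOutput -join "`n") -match 'Proxy Server\(s\)\s*:\s*(\S+)') {
        return $Matches[1]
    }
    return $null
}

function Get-IeProxy {
    # Per-user static proxy as configured in IE (ignores PAC/auto-detect).
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key
    if ($s.ProxyEnable -eq 1 -and $s.ProxyServer) { return $s.ProxyServer }
    return $null
}

# Constructed sample output, parsed without touching the system.
$sample = @(
    'Current WinHTTP proxy settings:',
    '',
    '    Proxy Server(s) :  proxy.example.test:3128',
    '    Bypass List     :  (none)'
)
"Sample parse : $(Get-WinHttpProxy -NetshOutput $sample)"

# Live comparison on the local machine.
$winhttp = Get-WinHttpProxy
$ie      = Get-IeProxy
"WinHTTP proxy: $(if ($winhttp) { $winhttp } else { 'direct access' })"
"IE proxy     : $(if ($ie) { $ie } else { 'none (static)' })"
if ($winhttp -and $winhttp -ne $ie) {
    Write-Warning ('WinHTTP proxy differs from the IE proxy. CRL/OCSP ' +
        'fetches that fail at this proxy (for example with HTTP 407) ' +
        'surface as revocation-check errors.')
}

# Error-level events from the CAPI2 operational log, if it is enabled.
$capiErrors = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2
} -MaxEvents 20 -ErrorAction SilentlyContinue)
"Recent CAPI2 error events: $($capiErrors.Count)"
```

Because CAPI caches CRLs and OCSP responses on disk, as the comment notes, sites visited while the proxy worked can keep validating after the proxy is misconfigured, so a clean result for one site does not rule out the mismatch.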