Updates:
        Cc: da...@chromium.org patr...@chromium.org

Comment #3 on issue 5313 by w...@chromium.org: Any HTTPS site gets  
the "Server's certificate cannot be checked" error on one laptop
http://code.google.com/p/chromium/issues/detail?id=5313

Using CAPI2 Diagnostics described in that TechNet article, I found out
what's wrong with this laptop.

It turns out that CAPI (CryptoAPI, the Windows system crypto library)
uses WinHTTP to download CRLs or talk to the OCSP responders, and CAPI
apparently lets WinHTTP use WinHTTP's own proxy settings, as opposed to
IE's proxy settings.

On this laptop, WinHTTP's proxy settings have been set to use a test
Squid proxy server running on ananthak's machine, and that proxy server
requires HTTP digest authentication.  So CAPI's attempts to download
CRLs or get OCSP responses all fail with the HTTP 407 proxy authentication
required status code.  You can use the 'netsh' tool to see the WinHTTP
proxy settings.  In a Command Prompt, type 'netsh'.  At the netsh prompt,
type 'winhttp' to change to the winhttp context.  Then type "show proxy".
You will see that "Proxy Server(s)" is set to the test proxy server on
ananthak's machine.  If you type 'reset proxy' to reset the WinHTTP
proxy settings to default (direct access), then Google Chrome won't get
the "Server's certificate cannot be checked" error.

Note that CAPI has a disk cache for CRLs and OCSP responses.  When I
reset the WinHTTP proxy settings to the default, I visited
https://www.paypal.com/ and https://www.bankofamerica.com/.  So the
CRLs and OCSP responses related to these two sites are already in
the CAPI disk cache, and now Google Chrome doesn't get the
"Server's certificate cannot be checked" error with these two sites
on this laptop, even after I changed the WinHTTP proxy settings back
to ananthak's test proxy server.

The remaining work is:
1. Figure out why IE still shows good SSL status, even EV status,
without doing OCSP.
2. Find out if it's possible to pass proxy settings to CAPI for its
use of WinHTTP, because we don't want to use WinHTTP's own proxy
settings.
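
The WinHTTP proxy check described in the comment above, as an added example that is not part of the original message or of Chromium's code: it parses the output of `netsh winhttp show proxy` and reports whether CAPI's CRL/OCSP fetches would go through a proxy. It assumes the English-locale output layout; the sample outputs and the proxy host name are constructed.

```python
import re
import subprocess
import sys

# Constructed samples of `netsh winhttp show proxy` output (English locale assumed).
SAMPLE_PROXY = """
Current WinHTTP proxy settings:

    Proxy Server(s) :  squid.test.example:3128
    Bypass List     :  (none)
"""
SAMPLE_DIRECT = """
Current WinHTTP proxy settings:

    Direct access (no proxy server).
"""

def parse_winhttp_proxy(text):
    """Return the machine-wide WinHTTP proxy state as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Proxy Server\(s\)|Bypass List)\s*:\s*(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    proxy = fields.get("Proxy Server(s)")
    bypass = fields.get("Bypass List")
    if bypass == "(none)":
        bypass = None
    direct = proxy is None and "Direct access" in text
    return {"direct": direct, "proxy": proxy, "bypass": bypass}

def revocation_note(settings):
    """Describe how the setting affects CAPI's CRL/OCSP downloads."""
    if settings["direct"]:
        return "ok: CRL/OCSP fetches go direct"
    if settings["proxy"]:
        return ("warn: CRL/OCSP fetches use WinHTTP proxy %s; if it demands "
                "authentication they fail with HTTP 407" % settings["proxy"])
    return "unknown: output not recognised (non-English locale?)"

if __name__ == "__main__":
    if sys.platform == "win32":
        out = subprocess.run(["netsh", "winhttp", "show", "proxy"],
                             capture_output=True, text=True).stdout
    else:
        out = SAMPLE_PROXY  # fall back to the constructed sample off Windows
    state = parse_winhttp_proxy(out)
    print(state)
    print(revocation_note(state))
```

Because CAPI caches CRLs and OCSP responses on disk, a site visited while the proxy setting was direct can keep validating after the proxy is changed back, so run the check before drawing conclusions from a single site.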
