Microsoft Edge changes TLS server certificate verification - which impacts DPI-SSL
Anyone who is using DPI-SSL and the Microsoft Edge browser might be facing some issues in the near future.
MS decided to switch from trusting the Certificate Store in the OS to a built-in list in the browser. IMHO a bold move, but they might have their reasons. This will have a direct impact on trusting your DPI-SSL CA Certificate and you should make yourself aware of this in time. Keep your eyes peeled for MS Edge 109 and have your tests finished before 111, which might break the DPI-SSL trust.
@SuroopMC does this need to be addressed by Capture Client? I can't tell if it's possible to push certs into that list like it was possible for Firefox.
Thanks for pointing this out @BWC !
I think the key line here is:
In addition to trusting the built-in roots that ship with Microsoft Edge, the browser will also query the underlying platform for—and trust—locally installed roots that users and/or enterprises installed.
So locally trusted roots should, in theory, still work even after the change.
@TKWITS that's what I thought first as well, but this drove me somewhat over the cliff:
Microsoft recommends that enterprises that have break-and-inspect proxies or other scenarios involving TLS server certificates issued by roots not in the Microsoft CTL to proactively test with the policy enabled in Microsoft Edge 109 and report any compatibility issues to Microsoft.
In Microsoft Edge 111, we plan to remove support for the MicrosoftRootStoreEnabled policy.
Doesn't this mean that with Edge 111 and up it will not look into the OS Cert Store any longer?
Unsurprisingly the wording is unclear. It's clear the MicrosoftRootStoreEnabled policy will be allowed temporarily, but not whether Edge will still look at the OS Cert Store post removal of said policy.
The line I pointed out preceded any text about the policy.
Still good information to have.
Tim, I've played around with it a bit with Edge 110, but no matter if I enable or disable this flag, my system-wide DPI-SSL is accepted and no browser certificate warnings pop up. Honestly I couldn't figure out that Edge isn't using the System Cert Store.
Is it a nothing burger or am I just not looking at the right places?
Not sure, haven't had the time to investigate myself.
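For anyone running the test the thread recommends before Edge 111, here is an added pre-check script (not from the thread or from SonicWall) that reports the installed Edge version, the current MicrosoftRootStoreEnabled policy value, and whether the DPI-SSL CA is present as a CA certificate in the machine or user Root store that Edge queries for locally installed roots. It assumes the policy lives under HKLM:\SOFTWARE\Policies\Microsoft\Edge, that msedge.exe is in the default install path, and that your DPI-SSL CA subject contains the text "DPI-SSL"; adjust $CaSubjectPattern to match your own CA.

```powershell
# Added example, not part of the original thread. Run in an elevated PowerShell on a test client.
param(
    [string]$CaSubjectPattern = 'DPI-SSL'   # assumption: substring of your DPI-SSL CA subject
)

# 1. Installed Edge version (assumes the default install path).
$edgeExe = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'
$edgeVersion = if (Test-Path $edgeExe) { (Get-Item $edgeExe).VersionInfo.ProductVersion } else { 'not found' }
Write-Host "Edge version: $edgeVersion"

# 2. MicrosoftRootStoreEnabled policy (Edge policies live under HKLM:\SOFTWARE\Policies\Microsoft\Edge).
#    1 = built-in root store on (the post-109 behaviour the thread is testing), 0 = off, absent = browser default.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$policy = (Get-ItemProperty -Path $policyKey -Name 'MicrosoftRootStoreEnabled' -ErrorAction SilentlyContinue).MicrosoftRootStoreEnabled
if ($null -eq $policy) { Write-Host 'MicrosoftRootStoreEnabled: not set (browser default applies)' }
else { Write-Host "MicrosoftRootStoreEnabled: $policy" }

# 3. Look for the DPI-SSL CA in the Root stores Edge queries for "locally installed roots".
$found = @()
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in Get-ChildItem -Path $store | Where-Object { $_.Subject -match $CaSubjectPattern }) {
        # A root must carry BasicConstraints CA=true and be within its validity period to chain anything.
        $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
        $isCa = ($null -ne $bc) -and $bc.CertificateAuthority
        $now = Get-Date
        $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        $found += [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            IsCA       = $isCa
            InValidity = $valid
            NotAfter   = $cert.NotAfter
        }
    }
}

if ($found.Count -eq 0) {
    Write-Warning "No certificate matching '$CaSubjectPattern' in LocalMachine or CurrentUser Root; Edge cannot trust the DPI-SSL chain."
} else {
    $found | Format-Table -AutoSize
    if ($found | Where-Object { -not $_.IsCA -or -not $_.InValidity }) {
        Write-Warning 'A matching certificate is not a usable CA (CA=false or outside validity); re-import the DPI-SSL CA certificate.'
    } else {
        Write-Host 'DPI-SSL CA is installed as a locally trusted root; now verify trust in Edge itself with the policy set to 1.'
    }
}
```

The script only confirms the prerequisites; the actual check is still opening an intercepted HTTPS site in Edge with MicrosoftRootStoreEnabled set to 1 and looking for a certificate warning.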