
SSL Certificate Validation Issue

Wei Jia edited this page Jan 12, 2017 · 2 revisions

Issue with Chrome or Chromium 53

Context

Beginning with Chrome v53, Certificate Transparency ("CT") was required for Symantec sites (as announced at https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html ). The goal of this policy is "Only trust Symantec if we're confident in CT". However, the CT information carries a built-in time bomb of 10 weeks measured from build time: once a build is more than 10 weeks old, the CT code no longer believes it can trust its CT information. This ensures that an old Chrome client doesn't blindly trust logs known to be untrustworthy. A change in the default CT response from an affirmative "Yes, it complies" to "No, I don't know" turned this into a fail-closed time bomb: 10 weeks after build time, Symantec sites fail to operate.

Versions of Chrome 53 that are more than 10 weeks old now display this error message for all websites using Symantec certificates that were issued on or after June 1, 2016 (including those from Symantec-owned brands such as Thawte and GeoTrust).

Sample Error message

com.microsoft.aad.adal.AuthenticationException: Code:-11 primary error: 5 certificate: Issued to: CN=secure.aadcdn.microsoftonline-p.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US; Issued by: CN=Symantec Class 3 Secure Server CA - G4,OU=Symantec Trust Network,O=Symantec Corporation,C=US;
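
A triage helper for support logs, added here as an example (not ADAL or Chrome code): it parses the error line shown above and applies the conditions from the Context section. The function names, verdict strings and the dates used to exercise it are assumptions made for the example; the caller supplies the browser major version and its build date.

```python
import re
from datetime import date, timedelta

CT_MAX_AGE = timedelta(weeks=10)              # page: CT data distrusted 10 weeks after build
ISSUED_CUTOFF = date(2016, 6, 1)              # page: certs issued on or after June 1, 2016
BRANDS = ("symantec", "thawte", "geotrust")   # issuer brands named on the page

ERROR_RE = re.compile(
    r"Code:(?P<code>-?\d+) primary error: (?P<primary>\d+) certificate: "
    r"Issued to: (?P<subject>.*?); Issued by: (?P<issuer>.*?);"
)

# The sample error message from this page.
SAMPLE = ("com.microsoft.aad.adal.AuthenticationException: Code:-11 primary error: 5 "
          "certificate: Issued to: CN=secure.aadcdn.microsoftonline-p.com,"
          "O=Microsoft Corporation,L=Redmond,ST=Washington,C=US; "
          "Issued by: CN=Symantec Class 3 Secure Server CA - G4,"
          "OU=Symantec Trust Network,O=Symantec Corporation,C=US;")


def parse_error(line):
    """Extract error codes plus certificate subject and issuer, or None if no match."""
    m = ERROR_RE.search(line)
    if m is None:
        return None
    return {"code": int(m["code"]), "primary": int(m["primary"]),
            "subject": m["subject"], "issuer": m["issuer"]}


def triage(line, chrome_major, build_date, today, cert_issued=None):
    """Classify an error line against the Chrome 53 CT time-bomb conditions."""
    err = parse_error(line)
    if err is None:
        return "unparsed"
    if not any(brand in err["issuer"].lower() for brand in BRANDS):
        return "other-cause"          # issuer is not a Symantec brand
    if chrome_major != 53:
        return "other-cause"          # page ties the issue to version 53
    if today - build_date <= CT_MAX_AGE:
        return "other-cause"          # build still inside the 10-week window
    if cert_issued is None:
        return "ct-timebomb-likely"   # the message carries no issuance date
    return "ct-timebomb" if cert_issued >= ISSUED_CUTOFF else "other-cause"


if __name__ == "__main__":
    # Constructed build and check dates, for illustration only.
    print(triage(SAMPLE, 53, date(2016, 9, 1), date(2017, 1, 12)))
```
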

Solution

Users need to update Chrome or Chromium to version 54 or higher. To update the WebView version: https://play.google.com/store/apps/details?id=com.google.android.webview

Users can also open the Play Store and search for Android System WebView.
