Codebase Browser
chromium
Go to App

chromium/components/policy/resources/templates/policy_definitions/Miscellaneous/RSAKeyUsageForLocalAnchorsEnabled.yaml 

caption: Check RSA key usage for server certificates issued by local trust anchors
default: null
deprecated: true
desc: |-
  The X.509 key usage extension declares how the key in a certificate may be
  used. Such instructions ensure certificates are not used in an unintended
  context, which protects against a class of cross-protocol attacks on HTTPS and
  other protocols. For this to work, HTTPS clients must check that server
  certificates match the connection's TLS parameters.

  Starting in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 124, this
  check is always enabled.

  <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 123 and earlier have the
  following behavior:

  If this policy is set to enabled,
  <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will perform this check.
  This helps prevent attacks where an attacker manipulates the browser into
  interpreting a key in ways that the certificate owner did not intend.

  If this policy is set to disabled,
  <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will skip this check in
  HTTPS connections that both negotiate TLS 1.2 and use an RSA certificate that
  chains to a local trust anchor. Examples of local trust anchors include
  policy-provided or user-installed root certificates. In all other cases, the
  check is performed independent of this policy's setting.

  If the policy is not configured,
  <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will behave as if the
  policy is enabled.

  Connections which fail this check will fail with the error
  ERR_SSL_KEY_USAGE_INCOMPATIBLE. Sites which fail with this error likely have a
  misconfigured certificate. Modern ECDHE_RSA cipher suites use the
  "digitalSignature" key usage option, while legacy RSA decryption cipher suites
  use the "keyEncipherment" key usage option. If unsure, adminstrators should
  include both in RSA certificates meant for HTTPS.
example_value: true
features:
  dynamic_refresh: true
  per_profile: false
items:
- caption: Enable RSA key usage checking
  value: true
- caption: Disable RSA key usage checking
  value: false
- caption: Use the default setting for RSA key usage checking
  value: null
owners:
- [email protected]
- [email protected]
schema:
  type: boolean
supported_on:
- chrome.*:116-123
- chrome_os:116-123
- android:116-123
- fuchsia:116-123
tags:
- system-security
type: main