No filtering on formula1.com – can't validate certificate

[SebastianRasch]

AdGuard version

2.12

Browser version

Safari 17.2

OS version

macOS 14.2

What filters do you have enabled?

AdGuard Base filter

What Stealth Mode options do you have enabled?

No response

Support ticket ID

No response

Issue Details

Steps to reproduce:

1. Go to https://formula1.com
2. In the browser assistant popup, check the lock icon next to the URL
3. "HTTPS filter was not performed" or "Could not verify this website's certificate"

Expected Behavior

The certificate seems fine and is not expired when I check it myself so I would expect that AdGuard performs filtering

Actual Behavior

AdGuard thinks for some reason that the certificate is expired and doesn't filter this website

Screenshots

Screenshot 1:


Screenshot 2:


Additional Information

Also tested on Microsoft Edge 120.0, same problem

[Bo98]

Seeing this happen to a ton of websites. A SCT ct log not found is logged whenever it happens:

2023-12-21 04:50:50.242204+0000 [com.adguard.mac.adguard.network-extension:176429] D: (CL: ) AGCertificateVerifier: SCT list size (x509) = 3
2023-12-21 04:50:50.242218+0000 [com.adguard.mac.adguard.network-extension:176429] D: (CL: ) AGCertificateVerifier: SCT ct log not found
2023-12-21 04:50:50.242226+0000 [com.adguard.mac.adguard.network-extension:176429] D: (CL: ) AGCertificateVerifier: SCT log id = PxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4=
2023-12-21 04:50:50.242233+0000 [com.adguard.mac.adguard.network-extension:176429] D: (CL: ) AGCertificateVerifier: SCT origin = SCT_EMBEDDED
2023-12-21 04:50:50.242247+0000 [com.adguard.mac.adguard.network-extension:176429] D: (CL: ) AGCertificateVerifier: SCT signature size = 72
2023-12-21 04:50:50.242364+0000 [com.adguard.mac.adguard.network-extension:176429] D: (CL: ) AGCertificateVerifier: SCT log id = fVkeEuF4KnscYWd8Xv340IdcFKBOlZ65Ay/ZDowuebg=
2023-12-21 04:50:50.242370+0000 [com.adguard.mac.adguard.network-extension:176429] D: (CL: ) AGCertificateVerifier: SCT origin = SCT_EMBEDDED
2023-12-21 04:50:50.242381+0000 [com.adguard.mac.adguard.network-extension:176429] D: (CL: ) AGCertificateVerifier: SCT signature size = 71
2023-12-21 04:50:50.242509+0000 [com.adguard.mac.adguard.network-extension:176365] D: (CL: ) SSLDataProvider-CertVerify: [id=1002331] Verification error: CT_SCT_POLICY_CHECK_FAILED: Not enough valid SCTs
2023-12-21 04:50:50.242523+0000 [com.adguard.mac.adguard.network-extension:176365] D: (CL: ) PF: id=1002331 SSLFilter::onVerifyComplete Certificate www.formula1.com is not trusted (err=2, ctx=0x6000022ba340)

2023-12-21 04:54:25.682773+0000 [com.adguard.mac.adguard.network-extension:176432] D: (CL: ) AGCertificateVerifier: SCT list size (x509) = 2
2023-12-21 04:54:25.682790+0000 [com.adguard.mac.adguard.network-extension:176432] D: (CL: ) AGCertificateVerifier: SCT log id = SLDja9qmRzQP5WoC+p0w6xxSActW3SyB2bu/qznYhHM=
2023-12-21 04:54:25.682799+0000 [com.adguard.mac.adguard.network-extension:176432] D: (CL: ) AGCertificateVerifier: SCT origin = SCT_EMBEDDED
2023-12-21 04:54:25.682818+0000 [com.adguard.mac.adguard.network-extension:176432] D: (CL: ) AGCertificateVerifier: SCT signature size = 71
2023-12-21 04:54:25.682993+0000 [com.adguard.mac.adguard.network-extension:176432] D: (CL: ) AGCertificateVerifier: SCT ct log not found
2023-12-21 04:54:25.683055+0000 [com.adguard.mac.adguard.network-extension:176358] D: (CL: ) SSLDataProvider-CertVerify: [id=1002383] Verification error: CT_SCT_POLICY_CHECK_FAILED: SCTs from at least 2 distinct log operators are required

Likely due to https://github.com/AdguardTeam/CoreLibs/issues/1833.

[AlexandrPkhm]

Hi @SebastianRasch

Please try to update to the latest version of AdGuard for Mac which is v2.13. This issue should be fixed in this version. Please let us know if you still experience this issue with v2.13 installed.

[SebastianRasch]

Thanks @AlexandrPkhm, now it's working perfectly on 2.13!