How resolve certificate SHA-1 (chrome) - google-chrome

How resolve this problem in google chrome for my site:
The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1.
in Internet Explorer functions normally.

You resolve the problem by getting a new certificate that uses SHA2. The SHA1 algorithm has been proven to have collisions, which means someone could make up a fake certificate and impersonate your site.
Chrome on purpose warns and does not accept those certificates anymore.
Typically, if you revoke and re-issue a certificate with your CA, you will get credit for the remaining time of your existing certificate.
The problem is not with Chrome, but with your certificate being considered 'unsafe' and Chrome taking a hard stance to make sure things are actually secure.

Related

Windows Self Signed Certificate in Trusted Root not valid in Chrome 106

I'm using powershell New-SelfSignedCertificate to create a certificate and import into trusted root for a .netcore project.
It has been working fine, but has recently stopped, certificate doesn't expire until 2024.
I'm on Chrome 106.
Any ideas on why it would stop and how to fix?
Yes, Chrome has introduced its own certificate root store. They say this happened back in Chrome 105 but we've only started experiencing problems since Chrome 106 on enterprise environment.
On Windows you may disable this new feature via registry:
Create a REG_DWORD value ChromeRootStoreEnabled = 0 at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
Restart Chrome
Taken from chromeenterprise. But don't forget that disabling this feature without understanding what you do may be a security risk - not a big one in this case but anyway.
The docs actually state that the new root store takes locally trusted certificates into account:
The Chrome Certificate Verifier considers locally-managed certificates during the certificate verification process. This means if an enterprise distributes a root CA certificate as trusted to its users (for example, by a Windows Group Policy Object), it will be considered trusted in Chrome.
We use our own CA to sign test websites HTTPS certificates on enterprise environment. So we seemingly must not have been affected. But even though everyone on the dev team has our CA installed in trusted root - we still face this issue. I'm not sure whether it's a bug or there is something else we need to know about which CAs are accepted and which are not.
Update 2022-10-24
I found out that there is another local enterprise CA apart from out team's one. Сertificates issued by that CA are accepted by Chrome without disabling the new root store - so Chrome obviously does not ignore locally trusted certificates.
After some trial-and-error I've figured out that the problem was not about the CA certs - but about the endpoint CA-signed certificates. The old now-rejected test certificate contains these properties:
Basic Constraints: subject = not a CA, path length = 0
Key Usage: Digital Signature, Key Encipherment
Extended Key Usage: TLS Server, TLS Client + 9 internal custom OIDs
Subject Alternative Name: localhost + around 30 test websites DNS names in various domains
Removing the Basic Constraints property made Chrome finally accept the cert.
So there have been more changes to certificate validation procedure apart from the new root store. By far I haven't found any documentation about what exactly they've also changed. And AFAIK Basic Constraints is an absolutely fine property to have even in a non-CA certificate, so it looks like a bug in Chrome to me.

Chromium-based browsers refuse SSL certificate

When accessing https://www.twitch.tv on Chromium-based browsers (new Edge, Google Chrome, Opera) the following (commonly known) error appears:
Your connection isn't private
Attackers might be trying to steal your information from www.twitch.tv (for example, passwords, messages, or credit cards).
NET::ERR_CERT_REVOKED
When checking the SSL certificate, it states that is valid until June 13th, 2020. However, it also states that the certificate is withdrawn by the certificate authority.
Accessing the site from Firefox and from Chrome on another PC both work fine. Several SSL check websites also state that the certificate is fine.
I already tried the following:
Check date, time and timezone
Clear cookies and cache of the browser
Clear SSL state in internet options
Clear DNS cache
Temporarily disable anti-virus and windows defender
After an extensive search, I found a solution that worked for me. For those who have a similar problem: https://support.google.com/chrome/thread/24475945?hl=en

website in chrome with self-signed certificate is not secure

I got a very simple website without any link or something else. I created a self-signed certificate. (link to create self-signed certificate). After this I added it to my site in the IIS (link to add the self-signed certificate to IIS site). My Problem is now that my site is still not secure (local). Chrome, Firefox and IE are not accept my certificate. When I look if my certificate is valid: It's valid.
Can Anyone tell me why it's still not secure and how to fix it?
Self signed certificates are not trusted by default. You need to get the certificate from a trusted CA so that the users web browser trusts it. One recent example of a CA that issues free trusted certificates is Let's Encrypt.
I can see that you are using WordPress for your blog. Let's try a plugin really simple SSL. If you have any certificate install on your site it will detect and convert your pages in https. LetsEncrypt.org also is a way to obtain CA certificate.
You must need to install SSL certificate October 2017 onwards as per Google.
If you need further help read my blog to know that why we need SSL October onwards.
Hopefully, your issue will be resolved by a plugin.
Thank you

IE & Edge Certificate Revoked

I am having an issue with a website where IE & MS Edge & Chrome all believe that the certificate is revoked (firefox works fine)
Error from IE:
This organisation's certificate has been revoked.
Security certificate problems may indicate an attempt to trick you or intercept any data you send to the server.
I have run check on SSLLabs, and the only problem i can see there is that it uses SHA1 hashes. Am i just seeing this error because of the SHA1 RSA Signatures?
URL: https://www.gunemporium.com.au/
Yep, SHA-1 is completely broken, and does not provide any effective encryption.
I would more suggest that there is some SSL intercepting middlebox or AV software involved which changes the certificate and the issuer of the certificate. IE and Chrome both use the same CA store and proxy settings while Firefox has their own settings which would explain why you see it with IE and Chrome but not Firefox on the same PC and why you don't see it on another PC.
I would suggest to have a look at the certificate details (subject, issuer, fingerprint) and chain and compare what you see in Firefox with what you see in IE/Chrome.

Site uses SHA-2 but Chrome still warns about weak SHA-1

I have multiple sites secured with SSL. All is from the same provider. At one domain Chrome says:
This site uses a weak security configuration (SHA-1 signatures), so
your connection may not be private.
I tested the domain with ssllabs.com and I got an A. Also tested with shaaaaaaaaaaaaa.com and it says, my domain has a verifiable certificate chain signed with SHA-2.
Here are my SSL settings in Apache2:
SSLEngine on
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder On
SSLInsecureRenegotiation off
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
SSLCertificateFile /etc/ssl/certs/xxxcert.cert
SSLCertificateKeyFile /etc/ssl/private/xxxkey.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
I haven't got any errors in my error.log. Can somebody help me, where should I continue the debugging?
The problem is likely that a certificate upwards in the chain is using SHA1, whereas your own one is using SHA2. My advice is to see if you can find an updated version of your chain file which uses SHA2.
Given that Google announced this in September 2014, you would think any reputable certificate authority would be supplying secure chain files by now.
You can find more information on this particular issue here: Why Chrome Thinks your SHA-2 Certificate Chain is "Affirmatively Insecure"
More information on why Google are sunsetting SHA1 is available here: Why Google is Hurrying the Web to Kill SHA-1.