3

After performing an upgrade on Apache and modssl, I get a security warning in the security logo of the URL bar in Chrome when visiting my website on Apache server:

The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.

I have checked that the certificate contains both SHA1 and SHA256 fingerprints and is not expired. When viewed with Firefox, there is no issue. However, a check with Qualys shows the signature algorithm as SHA1 with RSA instead of SHA256. Also, the connection is using TLS 1.2.

What could be the cause of such warning and how to solve it?

Sorry, I just realize:

This site which is using SHA1 has no such warning, but this site does.

user273867
  • 33
  • 4

1 Answers1

4

A fingerprint (sometimes thumbprint) is not something that is in the certificate, instead it's a hash calculated after the fact and shown to facilitate easier manual comparison of certificates.

It's important not to confuse this with the certificate's signature, which is an actual value in the certificate.

From the question it sounds like the signature of this certificate is indeed based on SHA-1.

Håkan Lindqvist
  • 35,011
  • 5
  • 69
  • 94
  • Thank you. Indeed, I went back to check my certificate signing request, which to my dismay, uses SHA1. – user273867 Mar 01 '15 at 11:02
  • Wait a minute. [This site](https://www.bountysource.com/) which is using SHA1 has no such warning, but [this site](https://www.beiley.com/) does. – user273867 Mar 01 '15 at 11:18
  • @user273867 I see sha256RSA certificates in both of those examples. (And no warnings regarding this.) – Håkan Lindqvist Mar 01 '15 at 11:26
  • @user273867 As for Chrome specifically, the criteria for when it warns about SHA-1 certificates is a combination of the use of SHA-1 and how far in the future the expiration date is. http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html – Håkan Lindqvist Mar 01 '15 at 11:28
  • I am using Chrome 40.0 and seeing warning on the second site. I rechecked and you are correct both are using SHA256, but the intermediate CA in the second one uses SHA1 with validity after 2017, which might explain the warning that I see. Can I check with you what Chrome version are you using? – user273867 Mar 01 '15 at 11:37
  • @user273867 Chrome 40 as well as 43 (canary). It appears we do not see the same certificates (I do not see a SHA-1 intermediate cert). How does the certificate chain you see compare to what is shown at eg https://www.ssllabs.com/ssltest/analyze.html?d=www.beiley.com ? – Håkan Lindqvist Mar 01 '15 at 11:45
  • Strange, it shows SHA256. – user273867 Mar 01 '15 at 11:53
  • @user273867 You may want to look into what is happening on your end. Are the root and intermediate certs that you see at least from a known CA (compare by fingerprint, not name)? – Håkan Lindqvist Mar 01 '15 at 12:20
  • I can see the SHA1-signed intermediate certificate, but only if I use Firefox. Anything else I try gets me the other one. Is this a pool of servers behind a load balancer? Maybe just one of the servers hasn't been upgraded. –  Mar 01 '15 at 15:03