[squid-users] HTTPS chrome - SHA1 this page is insecure

Diogenes S. Jesus splash at gmail.com
Thu Sep 1 09:37:09 UTC 2016


The reason you only see it in Chrome is that, since Chrome >= 41:

"Sites with end-entity certificates that expire on or after 1 January 2017,
and which include a SHA-1-based signature as part of the certificate chain,
will be treated as “affirmatively insecure”. Subresources from such domain
will be treated as “active mixed content”."
Source:
https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html

Best regards

On Wed, Aug 31, 2016 at 5:24 PM, Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 08/31/2016 09:15 AM, Amos Jeffries wrote:
> > On 1/09/2016 2:26 a.m., erdosain9 wrote:
> >> Hi.
> >> I'm using ssl-bump.. all is working fine, but I want to know if it is
> >> possible for the "https" not to be shown crossed out and red.
> >> This happens just in Chrome
> >> This page is insecure (broken HTTPS)
> >> SHA-1 Certificate
> >> The certificate for this site expires in 2017 or later, and the certificate
> >> chain contains a certificate signed using SHA-1.
>
> Sounds like you are running an old Squid version.
>
>
> > This requires changes to the certificate generator used by SSL-Bump.
> > IIRC there were some patches, but I can't find them right now in the
> > changesets. If the issue exists in current releases then please ask on
> > squid-dev.
>
> See http://www.squid-cache.org/Doc/config/sslproxy_cert_sign_hash/
>
>
> > Of course, it's possible the site really does have a SHA1 certificate and
> > Squid is just passing on the real details. The mimic feature is designed
> > to ensure TLS is actually transparent as best we can manage.
>
> I have not checked, but I doubt we mimic the signing algorithm (because
> it would make client-Squid communication less secure?). If we do, we
> should update the wiki page that lists what is being mimicked.
>
>
> HTH,
>
> Alex.



-- 

--------

Diogenes S. de Jesus
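
An added example, not part of the original message or of Squid: a shell function that applies the Chrome rule quoted above to one certificate, reading the text that `openssl x509 -noout -text` prints. The function name, the sample certificate text and the file name `bumped.pem` are assumptions made for illustration.

```shell
#!/bin/sh
# Classify one certificate from `openssl x509 -noout -text` output on stdin.
# Prints "insecure" when the certificate is signed with SHA-1 and expires on
# or after 1 January 2017 (the rule quoted in the message), "ok" otherwise,
# and "unparsed" (exit status 2) when the expected fields are missing.
sha1_verdict() {
    awk '
        # The first "Signature Algorithm:" line names the signing digest.
        /Signature Algorithm:/ && alg == "" { alg = tolower($NF) }
        # "Not After : Mar  1 12:00:00 2018 GMT": the year is the 4-digit field.
        /Not After *:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9][0-9][0-9][0-9]$/) year = $i
        }
        END {
            if (alg == "" || year == "") { print "unparsed"; exit 2 }
            if (alg ~ /sha1/ && year + 0 >= 2017) print "insecure"
            else print "ok"
        }'
}

# Constructed samples: trimmed text output for two generated certificates.
SAMPLE_SHA1_2018='    Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Sep  1 09:00:00 2016 GMT
            Not After : Mar  1 12:00:00 2018 GMT'
SAMPLE_SHA256_2018='    Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Sep  1 09:00:00 2016 GMT
            Not After : Mar  1 12:00:00 2018 GMT'

printf '%s\n' "$SAMPLE_SHA1_2018"   | sha1_verdict   # insecure
printf '%s\n' "$SAMPLE_SHA256_2018" | sha1_verdict   # ok

# With a certificate saved from the proxy (hypothetical file name):
#   openssl x509 -in bumped.pem -noout -text | sha1_verdict
```

Running this against a certificate captured before and after changing `sslproxy_cert_sign_hash` shows whether the generated certificates still carry a SHA-1 signature.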