Tuesday, April 4, 2017

Google Chrome cannot access any https:// website and returns the error "Your connection is not private" (NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM)

Problem:

Google Chrome cannot access any https:// website and returns the error "Your connection is not private" (NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM)


Affected Users:

Users with a new installation of Google Chrome v.56 or above (existing users who already had Chrome installed and upgraded to v.56 or above are not affected)

 

Reason:

The proxy CA certificate still uses SHA-1. Google Chrome has removed support for SHA-1 certificates, so it blocks access to all https:// websites.


Workaround Solution:

Create a registry value:
Name: EnableSha1ForLocalAnchors, Value = 1
Description: Whether SHA-1 signed certificates issued by local trust anchors are allowed
Data type: Boolean [Windows: REG_DWORD]
Windows registry location: HKLM\Software\Policies\Google\Chrome\EnableSha1ForLocalAnchors


 

Remark:
When this setting is enabled, Google Chrome allows SHA-1 signed certificates as long as they successfully validate and chain to a locally-installed CA certificate.

Note that this policy depends on the operating system certificate verification stack allowing SHA-1 signatures. If an OS update changes the OS handling of SHA-1 certificates, this policy may no longer have effect. Further, this policy is intended as a temporary workaround to give enterprises more time to move away from SHA-1. This policy will be removed on or around January 1st 2019.
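The workaround above in PowerShell, added here as an example and not part of the original post: it reads or sets the policy value (from an elevated prompt) and lists SHA-1 signed certificates in the local machine stores so the proxy CA can be found and reissued. The function names and the -SubjectMatch filter are assumptions; the key path and value name are the ones given above.

```powershell
# Added example. Key path and value name come from the post;
# function names and parameters are hypothetical.
$PolicyKey  = 'HKLM:\Software\Policies\Google\Chrome'
$PolicyName = 'EnableSha1ForLocalAnchors'

# OIDs of SHA-1 based signature algorithms:
# sha1WithRSAEncryption and ecdsa-with-SHA1.
$Sha1SignatureOids = @('1.2.840.113549.1.1.5', '1.2.840.10045.4.1')

function Get-Sha1PolicyState {
    # Returns the configured value (1 or 0), or $null when the policy is not set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$PolicyName
}

function Set-Sha1PolicyWorkaround {
    # Creates the policy key if it is missing, then writes the REG_DWORD value 1.
    # Must be run from an elevated prompt because the key is under HKLM.
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-Sha1SignedCertificate {
    # Lists certificates in the given stores whose signature algorithm is SHA-1 based.
    # Use -SubjectMatch to narrow the output to the proxy CA's name.
    param(
        [string[]]$Store = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'),
        [string]$SubjectMatch = '.'
    )
    Get-ChildItem -Path $Store |
        Where-Object {
            $_.SignatureAlgorithm.Value -in $Sha1SignatureOids -and
            $_.Subject -match $SubjectMatch
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint,
            @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
}

# Report the current state; nothing is changed unless Set-Sha1PolicyWorkaround is called.
$state = Get-Sha1PolicyState
if ($null -eq $state) { $state = 'not set' }
"{0} = {1}" -f $PolicyName, $state
Get-Sha1SignedCertificate | Format-Table -AutoSize
```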

 

Issue fixed:

[screenshot]

 

Reference:
https://productforums.google.com/forum/#!topic/chrome/nIHIV7DGBPc;context-place=topicsearchin/chrome/category$3ACanary%7Csort:relevance%7Cspell:false
https://www.reddit.com/r/networking/comments/60h4h1/bluecoat_proxy_and_chrome_57/?st=j11gnmvm&sh=bb196a17
https://threatpost.com/google-removing-sha-1-support-in-chrome-56/122041/
https://blog.gslin.org/archives/2016/11/21/6961/google-chrome-%E5%B0%87%E5%9C%A8-2017-%E7%9A%84-56-%E7%89%88%E5%81%9C%E6%AD%A2%E6%94%AF%E6%8F%B4-sha-1-ssl-certificate/
http://winintro.com/?Category=Chrome&Policy=Google.Policies.Chrome%3A%3AEnableSha1ForLocalAnchors
https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html
https://www.chromium.org/administrators/policy-list-3#EnableSha1ForLocalAnchors

An update to our SHA-1 deprecation roadmap
Read more at https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecation-roadmap/#botVpEml4p81z0Vy.99
