Hi All!


Starting January 1, 2016, most browsers are phasing out trust in certificates signed using SHA1. Certificates signed after January 1 will be distrusted in some way (how varies by browser); certificates signed before that date are still accepted.


Because McAfee Web Gateway issues its own certificates for the sites that are SSL scanned, the signing date of those certificates will be after January 1, 2016. To avoid issues, please ensure that you are not using SHA1 in your SSL scanning settings (use SHA256 instead). If you migrated from an older version to a newer one, this setting is not updated automatically.


This is configured under Policy > Settings > Engines > SSL Client Context with CA in the digest dropdown. Be sure to configure the digest in all settings containers for "SSL Client Context with CA".




Firefox actively blocks you from the site; Chrome displays a passive warning in the address bar. Below are screenshots of the warnings.


[Screenshots: Firefox block page and Chrome address bar warning]


If the Certificate Authority used in the McAfee Web Gateway was signed using SHA1, you should consider replacing it soon. At the moment the browsers will only complain if the web server certificate is signed using SHA1. However, the same may happen eventually for CA certs signed using SHA1.


For the time being, adjusting the settings above should suffice in avoiding browser errors.
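To confirm that the change has taken effect, and to check whether the gateway's own CA certificate is SHA1-signed (the second point above), it helps to look at the signatureAlgorithm field of the certificate a client actually receives. The following is example code written for this post, not part of Web Gateway; it parses just enough DER to read that field from any certificate, and can fetch the certificate either directly (transparent proxy deployment) or by tunnelling through an explicit proxy with CONNECT. The host and proxy values in the usage are placeholders, and the two embedded sample certificates are constructed dummies that carry only the outer structure the parser needs.

```python
import socket
import ssl

# OIDs for common signatureAlgorithm values (RFC 3279 / RFC 4055 / RFC 5758).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
STRONG_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; returns (tag, body, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, cert_body, _ = _read_tlv(der, 0)          # outer SEQUENCE
    _, _tbs, pos = _read_tlv(cert_body, 0)       # skip tbsCertificate
    _, alg, _ = _read_tlv(cert_body, pos)        # AlgorithmIdentifier SEQUENCE
    tag, oid_body, _ = _read_tlv(alg, 0)         # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid_body)


def assess(der: bytes) -> dict:
    """Report the signature algorithm and whether it is one the browsers are phasing out."""
    oid = signature_algorithm_oid(der)
    name = WEAK_SIGNATURE_OIDS.get(oid) or STRONG_SIGNATURE_OIDS.get(oid, "unknown")
    return {"oid": oid, "name": name, "weak": oid in WEAK_SIGNATURE_OIDS}


def assess_pem(pem: str) -> dict:
    """Same check for a PEM certificate, e.g. the exported Web Gateway CA cert."""
    return assess(ssl.PEM_cert_to_DER_cert(pem))


def fetch_signature_algorithm(host: str, port: int = 443, proxy=None) -> dict:
    """Fetch the cert a client sees for host. With proxy=(phost, pport) tunnel via CONNECT."""
    if proxy is None:
        return assess_pem(ssl.get_server_certificate((host, port)))
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # inspecting, not validating, the chain
    with socket.create_connection(proxy) as raw:
        raw.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = raw.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the tunnel")
            reply += chunk
        status = reply.split(b"\r\n", 1)[0]
        if b" 200 " not in status:
            raise ConnectionError(status.decode(errors="replace"))
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess(tls.getpeercert(binary_form=True))


# --- constructed sample input (not a real certificate, only the outer DER shape) ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _sample_cert(alg_oid: str) -> bytes:
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # dummy tbsCertificate
    alg = _der(0x30, _der(0x06, _encode_oid(alg_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 9)                                 # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(assess(_sample_cert(oid)))
    # Live check, placeholders: fetch_signature_algorithm("example.com", proxy=("proxy.example", 9090))
```

Run the live check from a client whose traffic passes through the gateway; if the result still reports sha1WithRSAEncryption after the digest was changed, the connection is hitting a settings container that was not updated. Feeding the exported CA certificate to assess_pem tells you whether the CA itself will need replacing.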


Mozilla Firefox Announcement:

https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/


Google Chrome Announcement:


Microsoft Announcement:

http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-ti…

Best Regards,