Regis

FYI: SSL middling issue with Firefox 43 just reared its head for certs with SHA1 sigs

FYI: If you have any environments where a web gateway is middling with a certificate whose signature algorithm is Sha1RSA .... if your experience matches mine this morning, suddenly Firefox 43 is no longer putting up with our shenanigans. IE and Chrome are still fine with it, but something changed over the weekend with Firefox even though Firefox itself hadn't been updated.

Anyone else seeing this? And if not, what is the Signature Algorithm for your resulting middled SSL certs?

For what it's worth, the workaround in web gateway was simple enough - to bypass SSL inspection for a Firefox user agent string of 43 or higher, and the correct fix is to get a new sub-CA certificate issued with more modern crypto. A new SSL cert for middling is a high risk policy change of course, so it'll involve more testing.


Root cause appears to be that the new year happened:

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-alg...

"However, there are still many Web sites that are using SSL certificates with SHA-1 based signatures, so we agree with the positions of Microsoft and Google that SHA-1 certificates should not be issued after January 1, 2016, or trusted after January 1, 2017. In particular, CAs should not be issuing new SHA-1 certificates for SSL and Code Signing, and should be migrating their customers off of SHA-1 intermediate and end-entity certificates. If a CA still needs to issue SHA-1 certificates for compatibility reasons, then those SHA-1 certificates should expire before January 2017. More information is available in Mozilla’s list of Potentially Problematic CA Practices."

eelsasser
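The question of what signature algorithm the gateway-generated (middled) certificates actually carry can be answered with the standard library alone by reading the outer signatureAlgorithm field of the DER certificate. This is an added example, not code from the thread or from Web Gateway; the OID table, the helper names and the constructed dummy certificate built by fake_cert (not a real certificate) are assumptions of the example.

```python
import ssl

SIG_ALGS = {  # signatureAlgorithm OID -> (name, is SHA-1 based)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(content):
    """Decode OID content octets into dotted notation."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """(oid, name, is_sha1) read from Certificate ::= SEQUENCE {tbs, sigAlg, sig}."""
    tag, pos, _ = _read_tlv(der, 0)
    _, _, tbs_end = _read_tlv(der, pos)            # skip tbsCertificate entirely
    tag2, alg_start, _ = _read_tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if (tag, tag2, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER Certificate")
    oid = _decode_oid(der[oid_start:oid_end])
    return (oid,) + SIG_ALGS.get(oid, (oid, False))

def check_pem(pem):
    """Same check on PEM text, e.g. what ssl.get_server_certificate() returns."""
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))

# Constructed fixture (not a real certificate): minimal DER encoder + dummy Certificate
def _tlv(tag, content):
    n = len(content)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 128 else bytes([n])
    return bytes([tag]) + (bytes([0x80 | len(body)]) if n >= 128 else b"") + body + content

def fake_cert(oid_content):
    alg = _tlv(0x30, _tlv(0x06, oid_content) + b"\x05\x00")  # AlgorithmIdentifier
    return _tlv(0x30, _tlv(0x30, b"\x00" * 200) + alg + _tlv(0x03, b"\x00" * 5))
```

Run check_pem() on a certificate captured from a client behind the gateway: a True third element means the middled certificate is still SHA-1 signed, which is the case the thread describes Firefox 43 refusing after 1 January 2016.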

Re: FYI: SSL middling issue with Firefox 43 just reared its head for certs with SHA1 sigs

I only have this problem if the SSL Scanning with CA setting is set for SHA1/1024.

You should be able to change the setting to SHA256/2048 and FF 43 doesn't complain.

Regis

Re: FYI: SSL middling issue with Firefox 43 just reared its head for certs with SHA1 sigs

So am I wrong to conclude that this has anything to do with our subCA cert on the gateway, but more to do with that Digest and key size setting in policy?

If so, I'd be delighted to be wrong and will test these settings tonight!

pcoates

Re: FYI: SSL middling issue with Firefox 43 just reared its head for certs with SHA1 sigs

Hi Regis,

The CA won't need to be modified; the SHA version of a trusted Root CA doesn't matter, because it is the top level authority. Anything in your "Trusted Root CA" store can be SHA1, the hash isn't used for anything other than identification.

You definitely just have to make sure that the certificates being generated by the Web Gateway CA are set to SHA256.

If you are using a subCA cert from an internal CA (that you would have had to implement via the CLI) I could see potential issues. If it's in the Trusted Root CA store, it will be ignored, if it's not, the browser might handle it like an intermediary SHA1 which the browser will probably complain about.

Regis

Re: FYI: SSL middling issue with Firefox 43 just reared its head for certs with SHA1 sigs


pcoates wrote:

Hi Regis,

The CA won't need to be modified; the SHA version of a trusted Root CA doesn't matter, because it is the top level authority. Anything in your "Trusted Root CA" store can be SHA1, the hash isn't used for anything other than identification.

You definitely just have to make sure that the certificates being generated by the Web Gateway CA are set to SHA256.

If you are using a subCA cert from an internal CA (that you would have had to implement via the CLI) I could see potential issues. If it's in the Trusted Root CA store, it will be ignored, if it's not, the browser might handle it like an intermediary SHA1 which the browser will probably complain about.

Cool. Thanks for this reassurance. The sub-CA being used by this environment (which is a sub CA issued by the Microsoft certificate authority internally and trusted by all domain machines as a result) was actually imported through the GUI several revs back. It's been working until Jan 1 happened. I'm sure the default of sha1 from an older rev is why this environment is still there despite the newer defaults. We'll see what occurs when I test things tonight. Never a dull moment!

McAfee Employee

Re: FYI: SSL middling issue with Firefox 43 just reared its head for certs with SHA1 sigs

That's all correct! The CA shouldn't need to be touched (for now).

SNS is in process, blog post was created ()

I'm pretty sure an SNS went out about it a while back regarding the 7.5.0 memory upgrade (Sept 2014ish), but I did create a blog post and added a note to the upgrade guide to the blog post:

Best Regards,

Jon

McAfee Employee

Re: FYI: SSL middling issue with Firefox 43 just reared its head for certs with SHA1 sigs

We'll get an SNS out about it!

pcoates

Re: FYI: SSL middling issue with Firefox 43 just reared its head for certs with SHA1 sigs

Also, the default configuration for newer versions (I believe) should be SHA256 and 2048-bit; however, if you've upgraded from older versions or modified it at some point you may have it set to SHA1.

An SNS would be much appreciated Jon, I usually try and send out a communication to my MWG clients about these types of issues as well, but an SNS is definitely preferred.

Off Topic, was there ever an SNS about the recommended RAM upgrade for version 7.6 for B revision appliances and older (and virtual resource increases)? I notified my clients manually after I saw the KB article. McAfee KnowledgeBase - Web Gateway 7.5.0 recommended memory (RAM) upgrade

Cheers,

Pete