7 Replies Latest reply on Jan 4, 2016 1:05 PM by Jon Scholten

    FYI: SSL middling issue with Firefox 43 just reared its head for certs with SHA1 sigs

    Regis

      FYI:  If you have any environments where a web gateway is middling with a certificate whose signature algorithm is Sha1RSA  .... if your experience matches mine this morning, suddenly Firefox 43 is no longer putting up with our shenanigans.   IE and Chrome are still fine with it, but something changed over the weekend with Firefox even though Firefox itself hadn't been updated.

       

      Anyone else seeing this?  And if not, what is the Signature Algorithm for your resulting middled SSL certs?

       

      For what it's worth, the workaround in web gateway was simple enough - to bypass SSL inspection for a Firefox user agent string of 43 or higher, and the correct fix is to get a new sub-CA certificate issued with more modern crypto.     A new SSL cert for middling is a high risk policy change of course, so it'll involve more testing.

       

       

      firefox_is_no_longer_putting_up_with_your_shenanigans.PNG

       

       

      Root cause appears to be that the new year happened:

      https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1 -based-signature-algorithms/

       

      "However, there are still many Web sites that are using SSL certificates with SHA-1 based signatures, so we agree with the positions of Microsoft and Google that SHA-1 certificates should not be issued after January 1, 2016, or trusted after January 1, 2017. In particular, CAs should not be issuing new SHA-1 certificates for SSL and Code Signing, and should be migrating their customers off of SHA-1 intermediate and end-entity certificates. If a CA still needs to issue SHA-1 certificates for compatibility reasons, then those SHA-1 certificates should expire before January 2017. More information is available in Mozilla’s list of Potentially Problematic CA Practices."