7

We're using an AWS ELB to do SSL termination and are having an issue where Chrome is displaying "https" in red with a strikethrough.

It says "The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it." but it doesn't explicitly call out what setting it doesn't like.

How can I find out what Chrome is having a problem with so that our users will get a green checkmark?

An example URL producing the error is here: https://aws.hatchlings.com/error/

[Image: Chrome Error]

I ran our site through SSL Labs and it gave us an "A" Grade:

[Image: SSL Labs Report]

Brad Dwyer
  • 263
  • 3
  • 8
  • As for the audit error, see [this](http://security.stackexchange.com/questions/52834/what-exactly-does-it-mean-when-chrome-reports-a-certificate-does-not-have-publi) answer, it explains it pretty well. I'm not sure about the outdated security settings message, though. – Oldskool Apr 17 '15 at 14:53
  • Possibly relevant: are you using the latest ELB Security Policy? http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-policy-table.html – Michael - sqlbot Apr 17 '15 at 23:43

3 Answers

16

Your certificate is using the outdated SHA-1 algorithm, which Google Chrome now warns about because of its security risks.

You'll need to generate a new CSR and get a replacement certificate from your SSL vendor.

https://github.com/konklone/shaaaaaaaaaaaaa/issues/24#issuecomment-54021941

For anyone with problems with RapidSSL from any of their resellers or any other GeoTrust brand certificates:

  • Log in to GeoTrust products using your FQDN and the email used to request the certificate
  • Follow the login link sent by email
  • Click reissue
  • Provide a new CSR and choose SHA-256 from the drop-down

This portal is also where you revoke your old certificate.

While you get an A on SSL Labs currently, the detailed report tells you this is a problem in the orange section:

[Image: SSL Labs report detail]

ceejayoz
  • 32,469
  • 7
  • 81
  • 105
4

For people who encounter this issue even with SHA-2 and a very good rating on SSL Labs (and no warning): please check your libnss version. I'm currently using Ubuntu 13.10 here and libnss is version 3.15.x.

=> It seems that in versions prior to 3.17, libnss checks for the weakest security chain instead of the strongest, which means that if you have a SHA-1 certificate in the chain, Chrome will display the warning anyway.

Solution: Update libnss to a newer version.

VinceOPS
  • 141
  • 3
  • Thank you! I'm using Ubuntu 14.04 and hadn't done an upgrade for a few months, and kept getting this error. I was actually on a 3.17 version but `sudo apt-get install libnss3` got me up to 3.19, which fixed the bug. – Giles Thomas Aug 04 '15 at 17:04
  • Glad to see that it helped people ;). I spent half a day on it! – VinceOPS Aug 04 '15 at 17:05
  • I blogged a bit more detail about what (I think) is going on -- with a shout-out to you, naturally :-) http://www.gilesthomas.com/2015/08/sha-1-sunset-in-chromium-and-libnss3/ – Giles Thomas Aug 06 '15 at 17:01
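The two answers above come down to the same check: is any certificate in the served chain (not just the leaf) signed with SHA-1? The following is an added example, not code from any of the posters, that walks the outer `signatureAlgorithm` field of each DER certificate in a PEM chain with a minimal ASN.1 reader and reports which links are SHA-1 signed. The OID table contains the standard PKCS#1 and X9.62 values; the sample chain (`SAMPLE_CHAIN_PEM`) is constructed inline from placeholder certificates so the script runs offline, and the helper names are my own. For a real host you would paste in the PEM blocks printed by `openssl s_client -connect host:443 -showcerts`.

```python
import base64
import re

# Well-known signature-algorithm OIDs mapped to names (lookup table constructed for this example).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
SHA1_NAMES = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode DER OID content bytes into dotted notation (e.g. 1.2.840.113549.1.1.5)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID from Certificate.signatureAlgorithm (RFC 5280 outer structure)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate: skipped, we only need the outer algorithm
    tag, alg, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def pem_chain_to_der(pem_text):
    """Split a PEM bundle (as printed by openssl s_client -showcerts) into DER certificates."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_chain(pem_text):
    """Return [(index, algorithm name, is_sha1)] for every certificate in the chain, leaf first."""
    result = []
    for i, der in enumerate(pem_chain_to_der(pem_text)):
        oid = signature_algorithm(der)
        name = SIG_ALG_NAMES.get(oid, oid)
        result.append((i, name, name in SHA1_NAMES))
    return result


def sha1_in_chain(pem_text):
    """Indexes of SHA-1 signed certificates: a non-empty list is what triggers the Chrome warning."""
    return [i for i, _name, weak in audit_chain(pem_text) if weak]


# --- constructed sample input: structurally valid but meaningless placeholder certificates ---
def _tlv(tag, content):
    """Tiny DER encoder used only to build the sample chain below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _fake_cert(oid_bytes):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                 # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, oid_bytes) + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    sig = _tlv(0x03, b"\x00\xaa")                          # placeholder BIT STRING signature
    return _tlv(0x30, tbs + alg + sig)


def _to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Leaf signed with sha256WithRSA, intermediate signed with sha1WithRSA: the mixed chain the answers describe.
SAMPLE_CHAIN_PEM = (_to_pem(_fake_cert(bytes.fromhex("2a864886f70d01010b")))
                    + _to_pem(_fake_cert(bytes.fromhex("2a864886f70d010105"))))

if __name__ == "__main__":
    for idx, name, weak in audit_chain(SAMPLE_CHAIN_PEM):
        print(f"cert[{idx}]: {name}{'  <-- SHA-1, will trigger the warning' if weak else ''}")
```

Browsers do not verify the signature on a self-signed root they already trust, so a SHA-1 signature on the last certificate of the chain is harmless if that certificate is the trust anchor; the leaf and any intermediates are what need SHA-256 or better, which is why reissuing only the leaf is not enough when the CA's intermediate is also SHA-1.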
-1

I am having similar experiences with my website and I initially thought it was the certificate, but the certificate's algorithm is SHA-2. I finally discovered that the problem wasn't from Chrome but my Avast mail shield blocking the certificate.

Joseph
  • 1