
I get the above complaint from Chrome. I've found "The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it", but this is a non-issue for me, since the certificate is SHA2.

What's the problem?

Robus
  • Please verify that you are actually using the latest Chrome version (42). If you are on a Linux system make sure it is up-to-date, i.e. that it has the current version of the NSS library. With all these updates I cannot reproduce your problem. And make sure that you really get the original certificate, i.e. that there is no SSL interception taking place. – Steffen Ullrich May 13 '15 at 15:52
  • @SteffenUllrich Just updated, same result. Windows: http://i.imgur.com/uK74e9u.png edit: I disabled Cloudflare on this domain a couple hours ago. If you get a certificate signed by Comodo, you're getting the wrong one :( DNS takes a while. – Robus May 13 '15 at 15:56
  • I don't know if this is related, but your server sends the root CA (StartCom Certification Authority) as the second but the intermediate CA (StartCom Class 1 Primary Intermediate Server CA) as the third. One thing is that the root CA does not need to be sent at all (it will be ignored), but more importantly the certificates have to be added in signing order. Please fix this and see if the problem still occurs. – Steffen Ullrich May 13 '15 at 16:30
  • @SteffenUllrich Fixed - ssltest no longer complains about chain issues either. Chrome, however, still thinks the security settings are outdated. – Robus May 13 '15 at 17:19
  • I've checked with Chrome on Win7 and it does not show the problems you see. Looks like you are haunted somehow. – Steffen Ullrich May 13 '15 at 18:09
  • I've asked someone else to try, result: http://i.imgur.com/oNW24sO.png – Robus May 13 '15 at 18:18
  • Could it be that you are accessing another version of the certificate (different IP, SSL interception..)? The SHA-256 fingerprint I see for this certificate is 21 03 2F 84 C0 A6 01 38 0B FA F3 25 A0 C7 DD C4 94 3F 14 11 2F 8F A8 EC 12 19 F8 A2 F7 42 7E 6D. – Steffen Ullrich May 13 '15 at 18:28

1 Answer


After some investigation, I've come across this: https://code.google.com/p/chromium/issues/detail?id=401365, which suggests Chrome will throw this warning if any certificate in the chain is using SHA1 and has a validity longer than 01/01/2016.

Lo and behold: [screenshot]

[edit]

Apparently this only affects people who have this certificate stored.

[edit2] This:

Chrome stores SSL certificate state per host in browser history.

So just clear browser history (Ctrl+Shift+Del), at least the following parts:

Cached images and files
Hosted app data
Content licenses

Finally resolved the issue (Source: How do I clear Chrome's SSL cache?)

Robus
  • This must be a certificate cached by your browser or manually imported. The intermediate CA sent by the server is signed with SHA-256, has a serial number of 6497278863556543 and is valid from 2007 until 2022. Or do you have some split setup and access a non-public server with a different setup? The IP I see for this host is 37.187.98.179 – Steffen Ullrich May 13 '15 at 18:33
  • @SteffenUllrich I tried connecting with Firefox and it indeed sees a different certificate (2007 to 2022). I went through the chrome certificate store and deleted all intermediate startssl certificates. Nevertheless, I still get the same result. The IP is correct and there is only one server. To say "I'm confused" would be an understatement, considering I've asked two people to try the website. One got the same result as I, the other got a green lock. – Robus May 13 '15 at 18:44
  • Check the certificate chain with IE. Chrome uses the same certificate store as IE while Firefox uses its own. – Steffen Ullrich May 13 '15 at 18:53
  • @SteffenUllrich I've tried connecting via chrome on a newly created virtual machine: green lock. Then I tried connecting on Internet Explorer on my PC, it also recognizes the newer intermediate. Only local chrome seems to be stuck up about the old one. I suspect chrome has its own cache, considering you can find it in advanced options. – Robus May 13 '15 at 18:56
  • @SteffenUllrich I've been able to resolve the issue (see edit). Thank you for your help! – Robus May 13 '15 at 19:02
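As an added example (not from the original thread), the following PowerShell diagnostic reproduces the two checks that settled this question: it builds the chain from the Windows certificate store, which Chrome and IE share, so a stale cached intermediate shows up even when the server now sends a newer one, and it reports each certificate's signature algorithm, validity, serial number and SHA-256 fingerprint, flagging anything Chrome's SHA-1 rule would reject. The host name is a placeholder.

```powershell
# Added diagnostic, not code from the original thread. $HostName is a placeholder.
param([string]$HostName = 'example.invalid', [int]$Port = 443)

# Chrome's rule from the linked issue: a SHA-1-signed certificate anywhere in the
# chain whose validity extends past 1 Jan 2016 triggers the warning.
$cutoff = Get-Date '2016-01-01'

# Fetch the leaf certificate the server actually presents.
$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($HostName)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $client.Close()
}

# Build the chain the way CryptoAPI does for Chrome and IE: from the local store,
# so a cached (possibly outdated) intermediate is what gets reported here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($leaf)
$certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })

$sha256 = [System.Security.Cryptography.SHA256]::Create()
$problems = 0
for ($i = 0; $i -lt $certs.Count; $i++) {
    $c = $certs[$i]
    $sigAlg = $c.SignatureAlgorithm.FriendlyName          # e.g. sha1RSA, sha256RSA
    $fp = ([BitConverter]::ToString($sha256.ComputeHash($c.RawData))) -replace '-', ' '
    $verdict = 'ok'
    if ($sigAlg -match 'sha1' -and $c.NotAfter -gt $cutoff) {
        $verdict = 'FLAGGED: SHA-1 signature valid past 2016-01-01'
        $problems++
    }
    "[{0}] {1}" -f $i, $c.Subject
    "     sig={0} serial={1} notAfter={2:yyyy-MM-dd}" -f $sigAlg, $c.SerialNumber, $c.NotAfter
    "     sha256={0}" -f $fp
    "     {0}" -f $verdict
}
if ($problems -gt 0) { "Found $problems problem(s) in the locally built chain." }
else { 'No SHA-1 certificate valid past the cutoff in the locally built chain.' }
```

Compare the serial number and SHA-256 fingerprint printed for the intermediate with what `openssl s_client -showcerts` reports for the same host: a mismatch means the local store, not the server, is supplying that certificate.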