Outdated SHA algorithm on Chrome



  • I am getting a red and crossed out https when visiting NodeBB or the NodeBB Community. Here are some screenshots:

    NodeBB SSL Error Main Domain.png

    NodeBB SSL Error Main Domain Dropdown.png

    Google Chrome's explanation on why it is displaying this error is pretty sparse - actually there is zero explanation. So I am not very sure if that is the real cause, but my guess is that this is due to the SHA1 signature of your certificate. I tried searching for a solution, but there is none except requesting a new certificate at your CA.

    Some helpful links:

    And the same links as comparison for (my) working domain:



  • Yup, seems like you should update nginx' cipher set a bit 😉



  • I don't think this is caused by NGINX' cipher suite as the SHA1 signature is kind of "embedded" in the certificate. But if it is possible to fix this in NGINX itself, here is my configuration for SSL, maybe compare it with your configuration.

    ##
    # SSL
    ##
    
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       10m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers               'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
    ssl_buffer_size           1400;
    

    Oh and FYI: You'll drop support for all operating systems <Windows XP with:

    ssl_ciphers 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
    

    If you don't want that you should use:

    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
    

    Also, just out of interest: Is that occurring on your machine too @Moritz-Friedrich?


  • GNU/Linux Admin

    Hey guys, I just noticed this as well.

    I recently updated our certs, but not sure if that's the reason, or whether it's just a new check from Chrome.

    Either way, gh#3054

