Mailing List Archive

Peer digest using sha1 on TLS connection - Chrome fails
This is probably not the most appropriate mail list to ask this question.

Basically we have apache 2.4.3 on a solaris 10 host running openssl 1.0.2zf.

This was OK up until the 117 release of Chrome, which now rejects sha1.

Funny thing is that one vhost with the same ssl config is ok, whilst one vhost is failing. From all that I can tell, the only difference is the certificates - the CA cert is different.

I'm the unix admin (typically I don't do the httpd config - that's our customer), but the customer wants to make it our issue. Of course this is the customer that has resisted upgrading the OS.


There is one available patch for openssl from Oracle (151912-22 - openssl 1.02.zf) but I can't get any info at this point on whether that might address the issue.


It's only Chrome that is failing at the moment, but interested in any thoughts, ideas from this list as to whether there is any workaround that could be attempted.




Craig Silva | Specialist Engineer – Unix & Storage Services

Level 18, 80 Collins Street, Melbourne 3000

(03) 9063 5126

cenitex.vic.gov.au <https://cenitex.vic.gov.au/>








Cenitex acknowledges the Traditional Owners and custodians of the land and we pay our respects to their Elders, past, present and emerging. We are an inclusive workplace that embraces diversity in all its forms.




----------------------------------------------------------------------
Notice:

This email and any attachments may contain information that is personal,
confidential, legally privileged and/or copyright. No part of it should be
reproduced, adapted or communicated without the prior written consent of the
copyright owner.

It is the responsibility of the recipient to check for and remove viruses.

If you have received this email in error, please notify the sender by return
email, delete it from your system and destroy any copies. You are not authorised
to use, communicate or rely on the information contained in this email.

Please consider the environment before printing this email.
Re: Peer digest using sha1 on TLS connection - Chrome fails
Is the CA cert signed with SHA-1? If so, you can try to check if the CA has
a cross-signed CA cert with SHA2 you can use for the customer's current
certificate chain or just tell your customer to reissue the cert with a
full SHA2 chain.
Best Regards
/P

On Thu, 12 Oct 2023 at 04:27, Craig H Silva (Cenitex)
<Craig.Silva@cenitex.vic.gov.au.invalid> wrote:

>
> This is probably not the most appropriate mail list to ask this question.
>
> Basically we have apache 2.4.3 on a solaris 10 host running openssl
> 1.0.2zf.
>
> This was OK up until the 117 release of Chrome, which now rejects sha1.
>
> Funny thing is that one vhost with the same ssl config is ok, whilst one
> vhost is failing. From all that I can tell, the only difference is the
> certificates - the CA cert is different.
>
> I'm the unix admin (typically I don't do the httpd config - that's our
> customer), but the customer wants to make it our issue. Of course this is
> the customer that has resisted upgrading the OS.
>
>
> There is one available patch for openssl from Oracle (151912-22 - openssl
> 1.02.zf) but I can't get any info at this point on whether that might
> address the issue.
>
>
> It's only Chrome that is failing at the moment, but interested in any
> thoughts, ideas from this list as to whether there is any workaround that
> could be attempted.
>
>
>
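Pedro's check above, as an added example that is not part of the thread (and not Apache or OpenSSL code): the quickest manual version is `openssl x509 -in cert.pem -noout -text | grep 'Signature Algorithm'` on each file in the chain, or on what `openssl s_client -connect host:443 -servername host -showcerts` returns. The script below does the same without depending on the OpenSSL CLI: it walks the DER of each certificate in a PEM bundle, extracts the signatureAlgorithm OID and flags SHA-1. The certificates at the bottom are constructed stand-ins (valid DER structure around a placeholder tbsCertificate) and the OID table is a subset I chose; both are assumptions of this example, not data from the thread. When reading the output, remember that the self-signed root in the client's trust store is not verified by its own signature, so a SHA-1 root is harmless; it is a SHA-1 signature on the leaf or on an intermediate that a client rejects, which is why a cross-signed intermediate or a reissued chain, as Pedro suggests, fixes it.

```python
"""Report the signature algorithm of every certificate in a PEM bundle.

Added example (not code from the thread, Apache or OpenSSL): a dependency-free
DER walker that reads Certificate.signatureAlgorithm from each X.509 cert in a
PEM file and flags SHA-1. The bundle at the bottom is constructed test data.
"""
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> algorithm name.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos] -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Content octets of an OBJECT IDENTIFIER -> dotted-decimal string."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                      # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280, section 4.1)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)        # tbsCertificate (not needed here)
    seq_tag, alg_id, _ = _read_tlv(cert, pos)  # signatureAlgorithm
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if seq_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("signatureAlgorithm is not SEQUENCE { OID, ... }")
    return _decode_oid(oid)

def pem_certs(text):
    """DER bytes of every CERTIFICATE block in a PEM string, in file order."""
    pem_re = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(b.split())) for b in re.findall(pem_re, text, re.S)]

def audit_chain(pem_text):
    """[(index, algorithm name or raw OID, is_weak), ...] for a PEM bundle."""
    report = []
    for i, der in enumerate(pem_certs(pem_text)):
        oid = signature_algorithm(der)
        name = SIG_OIDS.get(oid, oid)
        report.append((i, name, name in WEAK_SIGS))
    return report

# ---- constructed sample input: structurally valid DER, NOT real certificates ----
def _tlv(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    """Dotted-decimal OID -> DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_cert_pem(sig_oid):
    """Certificate { placeholder tbs, AlgorithmIdentifier(sig_oid, NULL), dummy BIT STRING }."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))                     # placeholder, not a real TBS
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xaa" * 4)                   # 0 unused bits + dummy bytes
    b64 = base64.encodebytes(_tlv(0x30, tbs + alg + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

# Leaf signed with SHA-256 followed by a CA cert signed with SHA-1: the mix in the thread.
SAMPLE_BUNDLE = fake_cert_pem("1.2.840.113549.1.1.11") + fake_cert_pem("1.2.840.113549.1.1.5")

if __name__ == "__main__":
    for idx, name, weak in audit_chain(SAMPLE_BUNDLE):
        print(f"cert[{idx}]: {name}" + ("   <-- SHA-1 signature" if weak else ""))
```

To run it against a real deployment, feed `audit_chain()` the text of the vhost's SSLCertificateFile and SSLCertificateChainFile (or the `-showcerts` output) and look at every entry except the root; an unknown OID is printed raw so nothing is silently skipped.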
Re: Peer digest using sha1 on TLS connection - Chrome fails
Just as an update - it appears that there was a vhost config that went unnoticed - this from the guy who found it:

"We noticed with SSLLabs that there were 2 SSL certificates getting pulled when testing against the xxx.xxx.xxx.domain

Looking against the config being included in the Apache when started we found a vhost file which had shared the same IP listener. This was a site migrated from the platform under a different domain (yyy.xxx.xxx.domain), so the SSL attached to this vhost was expired (possibly the SHA1) but getting considered as part of the TLS negotiation alongside the existing certificate for xxx.xxx.xxx.domain (which was SHA2)."

________________________________
From: Pedro Coelho Silva <coelhop24@gmail.com>
Sent: Friday, October 13, 2023 5:42 AM
To: users@httpd.apache.org <users@httpd.apache.org>
Subject: Re: [users@httpd] Peer digest using sha1 on TLS connection - Chrome fails

Is the CA cert signed with SHA-1? If so, you can try to check if the CA has a cross-signed CA cert with SHA2 you can use for the customer's current certificate chain or just tell your customer to reissue the cert with a full SHA2 chain.
Best Regards
/P
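The root cause in the update above, a forgotten `<VirtualHost>` on the same IP listener whose stale certificate was offered alongside the intended one, is the kind of thing that is easy to check for before a client upgrade bites. The script below is an added example, not code from the thread or from the Apache project: it parses a configuration snapshot, groups SSL-enabled vhosts by address:port and reports, for every shared listener, which vhost is the default. mod_ssl selects the vhost by the TLS SNI name; a client that sends no SNI, or a name that no vhost claims, gets the first vhost defined for that listener and therefore that vhost's certificate, which is why a scanner that tests with and without SNI sees two certificates. The config text, hostnames and file paths are constructed placeholders. On the live box, `apachectl -S` lists the vhosts Apache actually loaded per listener, and `openssl s_client -connect host:443 -showcerts` run once with and once without `-servername` shows which certificate each kind of client is handed.

```python
"""Spot TLS vhosts that share one address:port in an Apache configuration.

Added example for the resolution in this thread (not code from the list or
from the Apache project). Parses <VirtualHost> blocks from a config snapshot,
groups the SSL-enabled ones by listener and names the default (first-defined)
vhost for each shared listener. SAMPLE_CONFIG is constructed placeholder data.
"""
import re
from collections import defaultdict

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def _directive(body, name):
    """Value of the first `name` directive in a vhost body, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", body, re.M | re.I)
    return m.group(1) if m else None

def parse_vhosts(config_text):
    """Flatten each <VirtualHost> block into a dict, keeping definition order."""
    vhosts = []
    for m in VHOST_RE.finditer(config_text):
        body = m.group(2)
        vhosts.append({
            "listeners": m.group(1).split(),          # e.g. ["203.0.113.10:443"]
            "server_name": _directive(body, "ServerName"),
            "aliases": (_directive(body, "ServerAlias") or "").split(),
            "cert": _directive(body, "SSLCertificateFile"),
            "ssl": (_directive(body, "SSLEngine") or "off").lower() == "on",
        })
    return vhosts

def shared_tls_listeners(vhosts):
    """{listener: [vhost, ...]} for each listener carrying more than one SSL vhost.

    The first entry in each list is the vhost mod_ssl falls back to when the
    client's SNI matches nothing (or is absent), so its certificate is the one
    such clients, and no-SNI scanner probes, are shown.
    """
    by_listener = defaultdict(list)
    for v in vhosts:
        if v["ssl"]:
            for listener in v["listeners"]:
                by_listener[listener].append(v)
    return {k: v for k, v in by_listener.items() if len(v) > 1}

def report(config_text):
    """One human-readable line per shared TLS listener."""
    lines = []
    for listener, vhosts in shared_tls_listeners(parse_vhosts(config_text)).items():
        default, others = vhosts[0], vhosts[1:]
        lines.append(
            f"{listener}: default vhost {default['server_name']} serves {default['cert']}; "
            f"SNI-selected: {', '.join(o['server_name'] for o in others)}"
        )
    return lines

# Constructed snapshot (placeholder names and paths) mirroring the thread's situation:
# a migrated site that was never removed sits first on the same listener.
SAMPLE_CONFIG = """
Listen 443
<VirtualHost 203.0.113.10:443>
    ServerName yyy.example.net
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/yyy-old.crt
</VirtualHost>

<VirtualHost 203.0.113.10:443>
    ServerName xxx.example.net
    ServerAlias www.xxx.example.net
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/xxx.crt
</VirtualHost>

<VirtualHost *:80>
    ServerName xxx.example.net
</VirtualHost>
"""

if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Feed it the concatenation of every file Apache includes (the snapshot must reflect what is actually loaded, which is why cross-checking against `apachectl -S` matters); any listener that appears in the report with a vhost nobody recognises is the one to remove or to give a current certificate.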