
SHA2 Support and windows 7

Why Doesn't My SSL Show A Padlock?


Planet13

9:41 pm on Dec 17, 2015 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I am kind of losing my mind, so bare with me...

One of my sites is served up by a CDN.

When I go to an https page using the latest version of chrome on Win 7 pro 64-bit service pack 1 build 7061, I do not get a padlock. It says the connection uses an outdated encryption.

This happens to me on Chrome and Opera. (On Firefox and IE, I get the padlock and it says my certificate is fine.)

However, tech support from the CDN just sent a screenshot from Chrome on THEIR machine showing that it is encrypted.

They said that not all versions of Windows have SHA2 support "out of the box".

I get automatic updates from Microsoft.

So what am I missing here, folks? I wasted several hours trying to get the SSL certificates and CDN for my site working, when after all is said and done, it looks like it is a Win 7 thing.

Thanks in advance.

bill

2:37 am on Dec 18, 2015 (gmt 0)




Google announced that they were sunsetting SHA1 support last year [googleonlinesecurity.blogspot.jp...] If the cert used by the CDN supports SHA1 and expires between 1 January 2016 and 31 December 2016, the content served will be treated as “secure, but with minor errors”. That's probably what you're seeing, depending on the version of Chrome you're using.

The site is still secured by SHA1, but Chrome is going to start showing these warnings until your CDN updates their cert to one that does not include SHA1.

They said that not all versions of Windows have SHA2 support "out of the box"

Yeah. That's called Windows XP Service Pack 2 and earlier. Windows 7 does have SHA2 baked in.

birdbrain

5:06 pm on Dec 18, 2015 (gmt 0)



Hi there Planet13,
I am kind of losing my mind, so bare with me...

Although I can fully sympathise with your unfortunate predicament,
I am unable to bare with you as I know that the effects of coldness
to my nether region would be absolutely intolerable. :(

birdbrain

Planet13

7:41 pm on Dec 18, 2015 (gmt 0)




@ Bill:

The site is still secured by SHA1, but Chrome is going to start showing these warnings until your CDN updates their cert to one that does not include SHA1


Thanks for the response:

1) I was assured by the CDN tech support that they use SHA2. Are you saying that they use BOTH SHA1 AND SHA2, and that is what is causing the error?

2) Since they emailed me a screenshot of their browser with the padlock and the certificate info expanded - and since they assured me that it was fine on their computer - does that help explain at all why it isn't working on MY computer, which is a Win 7 pro 64-bit with service pack 1?

Thanks in advance.

Hoople

9:00 pm on Dec 18, 2015 (gmt 0)




The 'broken' lock is shown when either the next level Security Certificate cannot be verified OR the path to the root can't be verified. Since Windows XP there have been local (aka C drive) copies of the certs to facilitate the latter. Some cleanup efforts by anti-virus or users may have removed some/all of the certs. Over time (you didn't state how old the PC was) the certs were updated for XP and later OSes.

It may be an issue of a misconfigured Internet Security suite on the PC blocking cert communications. Had a PC brought in a month ago with a related affliction - all of the Internet was blocked <G>.

https://support.microsoft.com/en-us/kb/2677070 [support.microsoft.com] An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This updater expands on the existing automatic root update mechanism technology that is found in Windows Vista and in Windows 7 to let certificates that are compromised or are untrusted in some way be specifically flagged as untrusted.

There are apps that can potentially see where the problem is if the above doesn't work. Also see https://www.chromium.org/Home/chromium-security/root-ca-policy [chromium.org]

Planet13

12:32 am on Dec 19, 2015 (gmt 0)




@ Hoople:

Thanks for the tips.

I turned off Avast anti-virus / security suite and voila! the padlock is back.

However, when I turn Avast back ON, the padlock doesn't go away...

Oh well...

bill

10:16 pm on Dec 20, 2015 (gmt 0)




1) I was assured by the CDN tech support that they use SHA2. Are you saying that they use BOTH SHA1 AND SHA2, and that is what is causing the error?

I was referring to this [webmasterworld.com...]
Starting in early 2016 with Chrome version 48, Chrome will display a certificate error if it encounters a site with a leaf certificate that:

  • is signed with a SHA-1-based signature
  • is issued on or after January 1, 2016
  • chains to a public CA
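The following is an added example, not code from the thread, from any poster, or from the CDN involved. It ties together the two points made above: bill's quoted Chrome rules for SHA-1 leaf certificates (the "secure, but with minor errors" window for certs expiring during 2016, and the Chrome 48 error for a SHA-1 leaf issued on or after 1 January 2016 that chains to a public CA), and Hoople's explanation that the padlock breaks when the issuer's signature on the leaf does not verify or the issuing root is missing from the local root store. It assumes the `cryptography` Python package is installed; the CA, leaf names, keys and dates are all constructed here, and the status labels (`minor_errors`, `error`, `root not trusted`, and so on) are this example's own, not Chrome's internal names.

```python
"""Added example (not the thread's or any vendor's code): build a throwaway
CA and leaf certificates with the `cryptography` package (assumed installed),
classify the leaf by the SHA-1 rules bill quotes, and reproduce the two
issuer-verification failures Hoople describes. Every name, key and date
below is constructed for the demo."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = timezone.utc
SHA1_ISSUE_CUTOFF = datetime(2016, 1, 1, tzinfo=UTC)  # Chrome 48: SHA-1 leaf issued on/after this -> error
SUNSET_WINDOW_END = datetime(2017, 1, 1, tzinfo=UTC)  # "expires between 1 Jan 2016 and 31 Dec 2016"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pub, not_before, not_after):
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after))


def make_ca(cn="Constructed Test Root"):
    """Self-signed SHA-256 root (constructed); returns (private_key, certificate)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(UTC)
    cert = (_builder(_name(cn), _name(cn), key.public_key(),
                     now - timedelta(days=1), now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_leaf(ca_key, ca_cert, cn, sig_hash, not_before, not_after):
    """Leaf certificate signed by ca_key with the requested hash (SHA1 or SHA256)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return _builder(_name(cn), ca_cert.subject, key.public_key(),
                    not_before, not_after).sign(ca_key, sig_hash)


def _validity(cert):
    """Aware UTC (not_before, not_after); older cryptography releases lack the *_utc properties."""
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None or na is None:
        nb = cert.not_valid_before.replace(tzinfo=UTC)
        na = cert.not_valid_after.replace(tzinfo=UTC)
    return nb, na


def chrome_sha1_status(leaf, chains_to_public_ca=True):
    """Classify the leaf by the two Chrome rules quoted in the thread.
    Only the leaf's own signature algorithm is considered."""
    if not isinstance(leaf.signature_hash_algorithm, hashes.SHA1):
        return "ok"
    issued, expires = _validity(leaf)
    if chains_to_public_ca and issued >= SHA1_ISSUE_CUTOFF:
        return "error"             # Chrome 48 rule (bill's last post)
    if SHA1_ISSUE_CUTOFF <= expires < SUNSET_WINDOW_END:
        return "minor_errors"      # "secure, but with minor errors" (bill's first post)
    return "beyond_thread_rules"   # SHA-1 leaf expiring outside 2016: the thread quotes no rule


def verify_issuer(leaf, issuer_cert, trust_store):
    """Hoople's two failure modes: the issuer's signature on the leaf does not
    verify, or the issuer is absent from the local root store (a list of certs)."""
    if issuer_cert.subject != leaf.issuer:
        return "issuer name mismatch"
    try:
        issuer_cert.public_key().verify(
            leaf.signature, leaf.tbs_certificate_bytes,
            padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return "leaf signature invalid"
    if issuer_cert not in trust_store:   # Certificate equality is DER equality
        return "root not trusted"
    return "verified"


def demo_results():
    """Run each case once and return {label: result}."""
    ca_key, ca = make_ca()
    y15, y16a, y16b, y17 = (datetime(y, m, 1, tzinfo=UTC)
                            for y, m in ((2015, 6), (2016, 2), (2016, 10), (2017, 2)))
    old = make_leaf(ca_key, ca, "a.example.test", hashes.SHA1(), y15, y16b)
    new = make_leaf(ca_key, ca, "b.example.test", hashes.SHA1(), y16a, y17)
    good = make_leaf(ca_key, ca, "c.example.test", hashes.SHA256(), y16a, y17)
    _, impostor = make_ca()                 # same CN as `ca`, different key
    _, other = make_ca("Some Other Root")
    return {
        "sha1_expires_2016": chrome_sha1_status(old),
        "sha1_issued_2016": chrome_sha1_status(new),
        "sha1_issued_2016_private_ca": chrome_sha1_status(new, chains_to_public_ca=False),
        "sha256": chrome_sha1_status(good),
        "trusted": verify_issuer(old, ca, [ca]),
        "root_missing": verify_issuer(old, ca, []),
        "wrong_key": verify_issuer(old, impostor, [impostor]),
        "wrong_issuer": verify_issuer(old, other, [other]),
    }


if __name__ == "__main__":
    for label, result in demo_results().items():
        print(f"{label}: {result}")
</```

The `root_missing` case is the one Planet13 eventually hit: the chain and the signatures are fine, but the client's own trust store (or something in between, such as a security suite intercepting the connection) keeps the path to the root from verifying, so the same certificate shows a padlock on one machine and a warning on another.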