The ERR_CERT_WEAK_SIGNATURE_ALGORITHM error occurs when the website owner uses the SHA-1 hashing algorithm. In 2017, two decades after it was first released, the SHA-1 was proven insecure by Google and some Dutch technologists. Since it had a 160-bit signature key, it posed numerous security threats, which those experts demonstrated.
I have to use a service that uses self-signed certificate (from Ubuntu). I have added the company's CA to the trusted list (Ubuntu). After that "self signed certificate in chain" error is gone but now I get "CA certificate too weak" error. E.g.
NET::ERR CERT WEAK SIGNATURE ALGORITHM error in Google Chrome
Download: https://ssurll.com/2vJzm4
1. The signature algorithm should be sha256RSA based on best practices, but he could also be referring to the ciphers. This link can help explain determine what ciphers to use - _Side_TLS#Modern_compatibility Opens a new window 2. The SAN field should always contain the FQDN of the Server or Service. Creating a template on their MS certificate authority to include SANS -us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc... Opens a new window
If you notice the error message it says NET:ERR_CERT_WEAK_SIGNATURE_ALGORITHM. This is a clear indicator that we are dealing the use of SHA1 algorithm used to sign certificates. If you click on the text that says WEAK_SIGNATURE you will get a dump of the certificate chain. You can then copy paste that into a file and then run openssl x509 -in err.pem -inform pem -text to print out the cert. When we did this we found that in each failure case atleast one of the certificates in the chain has the following line Signature Algorithm: sha1WithRSAEncryption
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.
The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.
We are making this change because SSL certificates signed with the SHA1 algorithm have been known for some time to contain security weaknesses that could lead to the unintentional disclosure of sensitive information if compromised. An industry-wide effort (led by Google, Microsoft, and others) is forcing the timeframe for sun-setting the use of this older technology. 2ff7e9595c
ความคิดเห็น