3/25/17
Original Poster
Vivek Rajagopalan

Chrome 57 blocking all Google sites due to SHA1 policy

Hello support,

Chrome 57 - preventing all Google sites from opening due to sha1 certificate issue.

On my machine running Chrome 57, Linux Ubuntu 14.04 64-bit, when I open any Google site, the cert chain used is the following. Detected using a packet analytics tool.


/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
  C=US, O=Google Inc, CN=Google Internet Authority G2
     sha256WithRSAEncryption
/C=US/O=Google Inc/CN=Google Internet Authority G2
  C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
     sha256WithRSAEncryption
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  C=US, O=Equifax, OU=Equifax Secure Certificate Authority
     sha1WithRSAEncryption

You can see that the last cert in the chain, issued by Equifax to GeoTrust, uses sha1; I suppose that is the reason for the block.

On a colleague's machine, GeoTrust is treated as the root and not Equifax, and hence he is able to go online.



I also tried the following.

1. Tried setting EnableSha1ForLocalAnchors = true and restarting the Chrome processes and machine but no luck.

2. Tried importing GeoTrust as the root CA; failed because it already exists.

Any ideas how I can resolve this?

Regards,

Vivek Rajagopal

All Replies (3)
3/25/17
Expert - Gold
sarjoor
Hi Vivek,

Following are some issues for you to review:
  1. The *.google.com certificate is rooted by GeoTrust Global CA. If you show otherwise, perhaps you have some bad certs cached? Try clearing all your cert caches.
  2. If visiting secure HTTPS websites on Linux Chrome produces error ERR_CERT_WEAK_SIGNATURE_ALGORITHM, please check if the fix that works on Debian also solves the problem for you:  https://productforums.google.com/d/msg/chrome/oG8tEdIfYuA/aH1s9STYBgAJ
    # apt-get install libnss3-1d

3/27/17
Original Poster
Vivek Rajagopalan
SOLVED:

In Chrome 57, if Google sites aren't working any more due to the SHA1 signing block:

1. Open Settings -> Advanced -> HTTPS/SSL -> Manage Certificates
2. Go to the Authorities tab
3. Scroll down the list and find "Equifax Secure CA", then press "Edit.."
4. Uncheck all the boxes (basically, don't trust this CA)
5. Close everything

Now it works!

Thanks 
3/27/17
Original Poster
Vivek Rajagopalan
Thanks for the help. 

I tried those things. Untrusting Equifax did the trick for me. See my update.

Thanks again
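
The chain dump in the first post and the fix in the later one can be read together with a small model, given here as an added example that is not part of the original thread and is not Chrome's or NSS's path-building code. It parses the subject/issuer/algorithm triplets from the dump and lists, for each trusted root, which signatures must be verified to reach it; the function names and the trust-store lists are assumptions made for illustration.

```python
import re

# Chain dump copied from the first post: subject, issuer, signature algorithm.
CHAIN_TEXT = """
/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
  C=US, O=Google Inc, CN=Google Internet Authority G2
     sha256WithRSAEncryption
/C=US/O=Google Inc/CN=Google Internet Authority G2
  C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
     sha256WithRSAEncryption
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
  C=US, O=Equifax, OU=Equifax Secure Certificate Authority
     sha1WithRSAEncryption
"""
# Names from the dump, used here as hypothetical trust-store entries.
GEOTRUST = "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"
EQUIFAX = "C=US, O=Equifax, OU=Equifax Secure Certificate Authority"

def norm(dn):
    """Make '/C=US/O=X' and 'C=US, O=X' compare equal (simple names only)."""
    parts = re.split(r"/|,\s*(?=[A-Za-z]+=)", dn.strip())
    return tuple(p.strip() for p in parts if p.strip())

def parse_chain(text):
    """Return [(subject, issuer, sig_alg)], leaf first, from line triplets."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return [(norm(s), norm(i), alg) for s, i, alg in zip(*[iter(lines)] * 3)]

def candidate_paths(certs, trusted):
    """Map each reachable anchor to the signatures verified on the way to it."""
    anchors = {norm(t) for t in trusted}
    paths, sigs, expected = {}, [], None
    for subject, issuer, alg in certs:
        if expected is not None and subject != expected:
            break                      # chain is not contiguous; stop here
        sigs.append(alg)               # signature on this cert, made by issuer
        if issuer in anchors:          # anchor's own signature is not checked
            paths[issuer] = list(sigs)
        expected = issuer
    return paths

def sha1_free_anchors(certs, trusted):
    """Anchors reachable without relying on any SHA-1 signature."""
    return [a for a, sigs in candidate_paths(certs, trusted).items()
            if not any(s.lower().startswith("sha1") for s in sigs)]

if __name__ == "__main__":
    for store in ([GEOTRUST, EQUIFAX], [GEOTRUST]):
        print(candidate_paths(parse_chain(CHAIN_TEXT), store))
```

With both roots in the store the model finds two candidate paths, and only the one ending at Equifax depends on the sha1WithRSAEncryption signature; with Equifax removed, only the SHA-256 path to GeoTrust Global CA remains.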
 