Opened on 09/10/2014 at 01:59:47 PM

Last modified on 10/26/2015 at 11:13:52 AM

#1354 new change

Don't use SHA-1 in web server certificate chains

Reported by: greiner Assignee:
Priority: Unknown Milestone:
Module: Infrastructure Keywords: eyeo
Cc: matze Blocked By:
Blocking: Platform: Unknown
Ready: no Confidential: no
Tester: Unknown Verified working: no
Review URL(s):

Description (last modified by greiner)


Starting with Chrome 41 SHA-1 is considered insecure by Google who has deprecated SHA-1 in Chrome and now considers certificates that use SHA-1 "secure, but with minor errors". If we will create a new SHA-1 certificate next year this would degrade to "affirmatively insecure".

What to change

Replace the existing certificates in the certificate chain with ones that use SHA-2 for,,, and any other domain that's not covered by the certificate.

Attachments (0)

Change History (4)

comment:1 Changed on 09/11/2014 at 02:45:50 PM by greiner

  • Description modified (diff)

comment:2 Changed on 05/11/2015 at 03:33:41 PM by greiner

  • Description modified (diff)
  • Summary changed from Don't use SHA-1 for certificate to Don't use SHA-1 in web server certificate chains

comment:3 Changed on 05/11/2015 at 03:58:39 PM by greiner

  • Cc matze added
  • Description modified (diff)
  • Keywords eyeo added

I just noticed that this issue also affects which makes our company look a bit untrustworthy to regular people who visit our homepage.

comment:4 Changed on 10/26/2015 at 11:13:52 AM by greiner

  • Tester set to Unknown

Mozilla published and update to its roadmap for phasing out SHA-1 certificates. Any such certificates that have "valid before" date be after 2016-01-01 or "valid after" date be after 2017-01-01 (or even 2016-07-01) will be considered "untrusted".

Add Comment

Modify Ticket

Change Properties
as new .
as The resolution will be set. Next status will be 'closed'.
to The owner will be changed from (none).
Next status will be 'reviewing'.
Note: See TracTickets for help on using tickets.