topic Re: SSL Decryption not working in chrome in General Topics

SSL Decryption not working in chrome

DaleK — Thu, 08 Jun 2017 20:35:25 GMT

Trying to configure SSL Decryption and googled this to no end.

I have an Enterprise CA, created the cert with that, I can see that the GPO's have deployed to the cert to the users.
In my testing I only have decryption turned on for one user.

Internet Explorer works fine as best I can tell it's not even noticing.

Chrome on the other hand is not amuzed. I cannot go to a single https site they all seem to give the same error NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

Subject: *.facebook.com

Issuer: 192.168.15.10

Expires on: Jun 22, 2018

Current date: Jun 8, 2017

PEM encoded chain:

-----BEGIN CERTIFICATE-----
... <assuming this is the cert from the site>...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... <cert from the PA>...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... <cert from the CA>...
-----END CERTIFICATE-----

Banging my head against the wall here to trying to figure out what is missing

Re: SSL Decryption not working in chrome

BPry — Thu, 08 Jun 2017 20:57:52 GMT

It sounds like your trying to use a SHA-1 cert. IE isn't going to explain but pretty much everything else at this point is.

Re: SSL Decryption not working in chrome

Remo — Thu, 08 Jun 2017 21:01:38 GMT

The CA cert, which you imported to the firewall, could it possibly be that this is an SHA1 certificate?

--> you need a cert with SHA256 signature algorithm

Edit: too late ...

@BPry 😉

Re: SSL Decryption not working in chrome

DaleK — Thu, 08 Jun 2017 21:32:34 GMT

Ok so i double checked when i made the request on the PA i left it with the defaults that were not sha1 i think it was 2048... So is it something on the CA and the template it used that would have done that?

Re: SSL Decryption not working in chrome

Remo — Thu, 08 Jun 2017 21:51:59 GMT

RSA2048 is the key algorithm used for the private/public key pair. The signature is another dropdown field in the PA WebUI. And because SHA1 is no longer a secure algorithm because it was sucessfully cracked about 2 months ago chrome does not let you open this website.

Theoretically this algorithm was already known unsecure many years ago ... but there was no (known) successful attack till this year

Re: SSL Decryption not working in chrome

DaleK — Thu, 08 Jun 2017 22:13:31 GMT

So I just tried another request and it still only gave me a sha1

could my CA just be retarted somehow?

Re: SSL Decryption not working in chrome

DaleK — Thu, 08 Jun 2017 22:26:12 GMT

NM found it... yea never migrated my CA off sha1.... yay more fun...

Thank you all for the help

Re: SSL Decryption not working in chrome

BPry — Fri, 09 Jun 2017 12:37:14 GMT

@DaleK,

Just FYI, we found that it was easier to spin up a specific SHA2 CA and keep the existing SHA1 CA around at the same time. If you issue certificates to your machines and/or users and can't easily migrate everything over to a new cert easily, that might be an 'effective' solution until everything that users a cert for authentication is gradually migrated.