google-chrome – 网站使用SHA-2,但Chrome仍然警告弱SHA-1

2023年9月15日 331次阅读

我有多个使用SSL保护的网站.全部来自同一个提供商.在一个域名Chrome说:

This site uses a weak security configuration (SHA-1 signatures), so
your connection may not be private.

我用ssllabs.com测试了域名,我得到了A.还测试了shaaaaaaaaaaaaa.com,它说,我的域名有一个可验证的证书链,用SHA-2签名.

以下是我在Apache2中的SSL设置:

SSLEngine on
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder On
SSLInsecureRenegotiation off
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
SSLCertificateFile /etc/ssl/certs/xxxcert.cert
SSLCertificateKeyFile /etc/ssl/private/xxxkey.key
SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem

我的error.log中没有任何错误.有人可以帮助我,我应该在哪里继续调试?

最佳答案 问题可能是链中的证书向上使用SHA1,而您自己的证书使用SHA2.我的建议是看看你是否能找到使用SHA2的链文件的更新版本.

鉴于Google announced this in September 2014,你会认为任何有信誉的证书颁发机构现在都会提供安全的链文件.

您可以在此处找到有关此特定问题的更多信息:Why Chrome Thinks your SHA-2 Certificate Chain is “Affirmatively Insecure”

有关Google为何落入SHA1的更多信息,请访问:Why Google is Hurrying the Web to Kill SHA-1.

点赞