


SHA2 Support and windows 7

Why Doesn't My SSL Show A Padlock?

9:41 pm on Dec 17, 2015 (gmt 0)

planet13 (Senior Member)


I am kind of losing my mind, so bare with me...

One of my sites is served up by a CDN.

When I go to an HTTPS page using the latest version of Chrome on Win 7 Pro 64-bit Service Pack 1 build 7061, I do not get a padlock. It says the connection uses outdated encryption.

This happens to me on Chrome and Opera. (On Firefox and IE, I get the padlock and it says my certificate is fine.)

However, tech support from the CDN just sent a screenshot from Chrome on THEIR machine showing it is encrypted.

They said that not all versions of Windows have SHA2 support "out of the box".

I get automatic updates from Microsoft.

So what am I missing here folks? I wasted several hours trying to get the SSL certificates and CDN for my site working, when after all is said and done, looks like it is a win 7 thing.

Thanks in advance.
2:37 am on Dec 18, 2015 (gmt 0)

bill (Administrator from JP)


Google announced that they were sunsetting SHA1 support last year [googleonlinesecurity.blogspot.jp...] If the cert used by the CDN uses SHA1 and expires between 1 January 2016 and 31 December 2016, the content served will be treated as "secure, but with minor errors". That's probably what you're seeing, depending on the version of Chrome you're using.

The site is still secured by SHA1, but Chrome is going to start showing these warnings until your CDN updates their cert to one that does not include SHA1.

They said that not all versions of Windows have SHA2 support "out of the box"

Yeah. That's called Windows XP Service Pack 2 and earlier. Windows 7 does have SHA2 baked in.
5:06 pm on Dec 18, 2015 (gmt 0)

Senior Member from GB 



Hi there Planet13,
I am kind of losing my mind, so bare with me...

Although I can fully sympathise with your unfortunate predicament,
I am unable to bare with you as I know that the effects of coldness
to my nether region would be absolutely intolerable. :(

birdbrain
7:41 pm on Dec 18, 2015 (gmt 0)

planet13 (Senior Member)


@ Bill:

The site is still secured by SHA1, but Chrome is going to start showing these warnings until your CDN updates their cert to one that does not include SHA1


Thanks for the response:

1) I was assured by the CDN tech support that they use SHA2. Are you saying that they use BOTH SHA1 AND SHA2, and that is what is causing the error?

2) Since they emailed me a screenshot of their browser with the padlock and the certificate info expanded - and since they assured me that it was fine on their computer - does that help explain at all why it isn't working on MY computer, which is a Win 7 pro 64-bit with service pack 1?

Thanks in advance.
9:00 pm on Dec 18, 2015 (gmt 0)

Hoople (Senior Member from US)


The 'broken' lock is shown when either the next-level security certificate cannot be verified OR the path to the root can't be verified. Since Windows XP there have been local (aka C drive) copies of the certs to facilitate the latter. Some cleanup efforts by anti-virus or users may have removed some/all of the certs. Over time (you didn't state how old the PC was) the certs were updated for XP and later OSes.

It may be an issue of a misconfigured Internet security suite on the PC blocking cert communications. Had a PC brought in a month ago with a related affliction: all of the Internet was blocked <G>.

https://support.microsoft.com/en-us/kb/2677070 [support.microsoft.com] An automatic updater of untrusted certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This updater expands on the existing automatic root update mechanism technology that is found in Windows Vista and in Windows 7 to let certificates that are compromised or are untrusted in some way be specifically flagged as untrusted.

There are apps that can potentially see where the problem is if the above doesn't work. Also see https://www.chromium.org/Home/chromium-security/root-ca-policy [chromium.org]
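A quick way to check the two things Hoople raises on the affected Windows 7 machine, as an added example (not from the thread, and not a tool Hoople mentions): whether the automatic root update that KB2677070 builds on has been switched off by policy, and which self-signed roots in the machine and user stores were added recently. The registry path and value name are the documented policy setting; the 365-day cut-off is an assumed heuristic, since a root installed by local software (security suites that inspect HTTPS install their own) is usually far newer than the roots delivered by the Microsoft root program.

```powershell
# Added example. Run in an elevated PowerShell on the PC that shows the missing padlock.

# 1. Has automatic root certificate update been disabled by policy?
#    Documented policy location; a value of 1 means the updater is off.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyPath -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'Automatic root certificate update is disabled by policy (DisableRootAutoUpdate = 1).'
} else {
    Write-Output 'Automatic root certificate update: enabled (no policy override found).'
}

# 2. Self-signed roots added recently to either trusted root store.
#    Cut-off is an assumed heuristic: program roots are old, a locally installed
#    interception root is not.
$cutoff = (Get-Date).AddDays(-365)
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Write-Output "== $store =="
    Get-ChildItem $store |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.NotBefore -gt $cutoff } |
        Select-Object Thumbprint, NotBefore, Subject |
        Format-Table -AutoSize
}
```

If the second part lists a root you do not recognise, compare its Subject with the Issuer shown when you click the padlock (or the warning icon) in Chrome: a chain that ends in a locally added root rather than a public CA means something on the PC is re-signing the site's traffic, which matches the symptom of the padlock changing when a security suite is turned off.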
12:32 am on Dec 19, 2015 (gmt 0)

planet13 (Senior Member)


@ Hoople:

Thanks for the tips.

I turned off Avast anti-virus / security suite and voila! The padlock is back.

However, when I turn Avast back ON, the padlock doesn't go away...

Oh well...
10:16 pm on Dec 20, 2015 (gmt 0)

bill (Administrator from JP)


1) I was assured by the CDN tech support that they use SHA2. Are you saying that they use BOTH SHA1 AND SHA2, and that is what is causing the error?

I was referring to this [webmasterworld.com...]
Starting in early 2016 with Chrome version 48, Chrome will display a certificate error if it encounters a site with a leaf certificate that:

  • is signed with a SHA-1-based signature
  • is issued on or after January 1, 2016
  • chains to a public CA
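The rules bill quotes in his two replies (Chrome 41: a SHA-1 leaf expiring in 2016 is "secure, but with minor errors"; Chrome 48: a SHA-1 leaf issued on or after 1 January 2016 that chains to a public CA is a certificate error) can be applied mechanically once you can read the signature algorithm and validity dates out of a certificate. The following is an added example, not code from the thread or from Google: a standard-library-only DER walker that extracts those fields, a verdict function encoding the quoted rules, and a tiny DER encoder used only to construct toy certificates (placeholder names, key and signature bytes) so the script runs offline. The OID table and the `sha1-deprecated` label for SHA-1 cases the thread does not cover are this example's own additions.

```python
"""Read the signature hash and validity dates out of an X.509 certificate with
the standard library alone, then apply the Chrome SHA-1 rules quoted in this
thread.  Added example; the certificates it checks are constructed toys."""
from datetime import datetime, timezone

SIG_OIDS = {                                  # signatureAlgorithm OID -> (hash, name)
    "1.2.840.113549.1.1.5": ("sha1", "sha1WithRSAEncryption"),
    "1.2.840.113549.1.1.11": ("sha256", "sha256WithRSAEncryption"),
    "1.2.840.10045.4.3.2": ("sha256", "ecdsa-with-SHA256"),
}

def der_read(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed element's payload into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = der_read(value, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                        # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_time(tag, body):                   # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def inspect_cert(der_bytes):
    """Return hash, algorithm name, notBefore and notAfter of a DER certificate."""
    _, cert, _ = der_read(der_bytes)
    tbs, sig_alg = der_children(cert)[:2]     # Certificate ::= SEQ { tbs, sigAlg, sig }
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature AlgorithmIdentifier, issuer, validity, subject, ...
    not_before, not_after = der_children(fields[3][1])
    oid = decode_oid(der_children(sig_alg[1])[0][1])
    hash_name, alg_name = SIG_OIDS.get(oid, ("unknown", oid))
    return {"hash": hash_name, "algorithm": alg_name,
            "not_before": decode_time(*not_before), "not_after": decode_time(*not_after)}

def chrome_verdict(info, chains_to_public_ca=True):
    """Chrome 48 rule: SHA-1 leaf issued on/after 2016-01-01 from a public CA is an
    error.  Chrome 41 rule: older SHA-1 leaf expiring in 2016 is 'minor errors'."""
    if info["hash"] != "sha1" or not chains_to_public_ca:
        return "ok"
    if info["not_before"] >= datetime(2016, 1, 1, tzinfo=timezone.utc):
        return "error"
    if info["not_after"].year == 2016:
        return "minor errors"
    return "sha1-deprecated"                  # any other SHA-1 leaf: replace it anyway

# --- tiny DER encoder, used only to build the constructed test certificates ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        while a >> 7:
            a >>= 7
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
        out += chunk
    return der(0x06, out)

def toy_cert(sig_oid, not_before, not_after):
    """Constructed certificate: real layout, placeholder names, key and signature.
    Dates are 'YYYY-MM-DD' strings."""
    utc = lambda d: der(0x17, datetime.strptime(d, "%Y-%m-%d").strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg   # v3, serial, alg
                    + der(0x30, b"") + der(0x30, utc(not_before) + utc(not_after))  # issuer, validity
                    + der(0x30, b"") + der(0x30, b""))                           # subject, spki
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xAA" * 32))

if __name__ == "__main__":
    for label, oid, issued in [("SHA-1, issued 2016", "1.2.840.113549.1.1.5", "2016-01-01"),
                               ("SHA-1, issued 2015", "1.2.840.113549.1.1.5", "2015-01-01"),
                               ("SHA-256", "1.2.840.113549.1.1.11", "2015-12-17")]:
        info = inspect_cert(toy_cert(oid, issued, "2016-12-31"))
        print(f"{label}: {info['algorithm']} -> {chrome_verdict(info)}")
```

To run `inspect_cert` on a real certificate, feed it the DER bytes of the leaf the CDN actually serves (for example the output of `openssl s_client -connect host:443 -servername host` converted with `openssl x509 -outform DER`); the whole chain matters for the "chains to a public CA" condition, so check the issuer chain in the browser's certificate viewer as well, which on the poster's machine is also where a locally injected root would show up.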