php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #69888 Wildcard php.net SSL certificate uses deprecated SHA-1 algorithm
Submitted: 2015-06-20 07:01 UTC Modified: 2020-05-05 11:49 UTC
Votes:3
Avg. Score:3.7 ± 1.9
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:1 (33.3%)
From: krinklemail at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Website problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Developer Edit
 [2015-06-20 07:01 UTC] krinklemail at gmail dot com 
Description:
------------
Starting in 2014, Chrome is sunsetting tolerance of SSL certificates signed using deprecated signature algorithms based on SHA-1.


As of Chrome 42 stable, it actively displays a "grey padlock with orange warning symbol" icon instead of the trusted green lock.

In the future (2016/2017), the red splash page for invalid certificates will be used – which will stop most users from accessing the site.


Clicking on the icon shows:
> php.net
> This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private.
>
> [..]
> 
> The certificate chain for this website contains at least one certificate that was signed using a deprecated signature algorithm based on SHA-1.

https://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
https://blog.filippo.io/the-unofficial-chrome-sha1-faq/

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-10-05 21:15 UTC] royanee at gmail dot com 
Not only that, the TLS settings could use a few updates:
https://www.ssllabs.com/ssltest/analyze.html?d=bugs.php.net&hideResults=on

 * No support for TLS 1.2, which is the only secure protocol version.
 * This server supports weak Diffie-Hellman (DH) key exchange parameters.
 * Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
 * The server supports only older protocols, but not the current best TLS 1.2.
 * This server accepts the RC4 cipher, which is weak.
 * The server does not support Forward Secrecy with the reference browsers.
 [2020-05-05 11:49 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-05-05 11:49 UTC] cmb@php.net 
The certificate issue has been resolved in the meantime.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Mar 22 00:01:32 2025 UTC