php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #69888 Wildcard php.net SSL certificate uses deprecated SHA-1 algorithm
Submitted: 2015-06-20 07:01 UTC Modified: 2015-09-28 19:49 UTC
Votes:3
Avg. Score:3.7 ± 1.9
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:1 (33.3%)
From: krinklemail at gmail dot com Assigned:
Status: Open Package: Website problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2015-06-20 07:01 UTC] krinklemail at gmail dot com
Description:
------------
Starting in 2014, Chrome is sunsetting tolerance of SSL certificates signed using deprecated signature algorithms based on SHA-1.


As of Chrome 42 stable, it actively displays a "grey padlock with orange warning symbol" icon instead of the trusted green lock.

In the future (2016/2017), the red splash page for invalid certificates will be used – which will stop most users from accessing the site.


Clicking on the icon shows:
> php.net
> This site uses a weak security configuration (SHA-1 signatures), so your connection may not be private.
>
> [..]
> 
> The certificate chain for this website contains at least one certificate that was signed using a deprecated signature algorithm based on SHA-1.

https://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
https://blog.filippo.io/the-unofficial-chrome-sha1-faq/


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-10-05 21:15 UTC] royanee at gmail dot com
Not only that, the TLS settings could use a few updates:
https://www.ssllabs.com/ssltest/analyze.html?d=bugs.php.net&hideResults=on

 * No support for TLS 1.2, which is the only secure protocol version.
 * This server supports weak Diffie-Hellman (DH) key exchange parameters.
 * Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
 * The server supports only older protocols, but not the current best TLS 1.2.
 * This server accepts the RC4 cipher, which is weak.
 * The server does not support Forward Secrecy with the reference browsers.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Nov 17 04:01:31 2019 UTC