The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it.
Description
Details
Subject | Repo | Branch | Lines +/- | |
---|---|---|---|---|
certs: wikitech.wm.org certificate SHA1 to SHA2 | operations/puppet | production | +26 -28 |
Status | Subtype | Assigned | Task | ||
---|---|---|---|---|---|
Resolved | RobH | T73156 Replace SHA1 certificates with SHA256 | |||
Resolved | RobH | T92709 wikitech.wikimedia.org SSL certificate considered "outdated security" in Chrome |
Event Timeline
this should be T73156 (SHA1 needs to be replaced with a SHA256 cert)
Chrome 39 will warn users if SHA1 certificates are used and expire after January 1, 2017.
Chrome 40 will warn users if SHA1 certificates are used and expire after June 1, 2016.
Chrome 41 will warn users if SHA1 certificates are used and expire after January 1, 2016.
Indeed. Chrome 43 improved the SSL dialog with details about the warning. https://wikitech.wikimedia.org/ now shows in Chrome 43.0.2343.5 canary the following:
.. which confirms it is SHA1 and not something else.
Change 214666 had a related patch set uploaded (by RobH):
wikitech.wikimeida.org certificate sha1 to sha256
once the above patchset is merged live and wikitech is using the sha256, please assign this task to me for the revocation of the sha1 certificate. (The sha1 cert will be overwritten on the hosts).
amended to the change (we had another leading whitespace that would break it, fixed that),
ran puppet on wikitech and let it recreate cert and chained file.
Signature algorithm is now SHA256withRSA
grade A on https://www.ssllabs.com/ssltest/analyze.html?d=wikitech.wikimedia.org
the warnings in Chrome should be gone too