• Source: kc.mcafee.com

    Technical Articles ID: KB86362


    Environment

    McAfee Web Gateway (MWG) 7.x


    Problem

    The web browser displays a certificate warning when visiting HTTPS websites. This issue occurs if Web Gateway is using the SSL Scanner with content inspection enabled. The certificate warning message varies based on the web browser:

    Mozilla Firefox will block the website and display the warning message: "The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure."

    Google Chrome will allow the website, but will display the warning message: "The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1."


    Cause

    Starting January 1, 2016, most web browsers are phasing out trust of certificates signed using SHA-1. Any certificate signed after January 1, 2016 will be untrusted in some way (how it is treated varies by web browser), but certificates signed before that date will still be accepted.

    Mozilla Firefox announcement: https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/

    Google Chrome announcement: http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html

    Microsoft announcement: http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx

    Web Gateway will issue certificates for websites that are SSL scanned, so the signing date will be after January 1, 2016.


    Solution

    Ensure that Web Gateway does not use SHA-1 in the SSL scanning settings (use SHA-256 instead). If you migrated from an older Web Gateway version to a newer one, this setting is not updated automatically and still needs to be changed by hand.

    Log on to the Web Gateway user interface.

    Navigate to Policy, Settings, Engines, SSL Client Context with CA.

    For all of the settings containers for SSL Client Context with CA:

    From the Digest drop-down menu, select sha256.

    From the RSA server key size drop-down menu, select 2048.
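To confirm what the SSL Scanner issues after the change, export a certificate the browser received for an intercepted site, run it through `openssl x509 -noout -text`, and check the digest, key size and expiry against the browser rules above. The script below is an added example, not part of this article or of Web Gateway; it parses that text output, and the certificate text it uses is constructed, not a real certificate.

```python
import re
from datetime import datetime

# Signature algorithms that the browsers described above treat as SHA-1.
SHA1_ALGORITHMS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "dsaWithSHA1"}

def audit_cert_text(text):
    """Audit one certificate's `openssl x509 -noout -text` output.

    Returns the digest, RSA key size and expiry year, plus findings that map
    to the browser warnings and the two settings described in this article.
    """
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text).group(1)
    bits = int(re.search(r"Public-Key:\s*\((\d+) bit\)", text).group(1))
    raw = re.search(r"Not After\s*:\s*(.+?)\s*GMT", text).group(1)
    expiry = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y")
    findings = []
    if sig in SHA1_ALGORITHMS:
        findings.append("SHA-1 signature: Firefox blocks the site")
        if expiry.year >= 2017:
            findings.append("SHA-1 signature, expires 2017 or later: Chrome warns")
    if bits < 2048:
        findings.append("RSA server key shorter than 2048 bits")
    return {"signature": sig, "rsa_bits": bits, "expires": expiry.year,
            "findings": findings}

# Constructed sample (not a real certificate): what the SSL Scanner issues
# when the migrated settings still have Digest=sha1 and a 1024-bit RSA key.
WEAK_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Web Gateway CA
        Validity
            Not Before: Jan  5 10:00:00 2016 GMT
            Not After : Jan  5 10:00:00 2018 GMT
        Subject: CN = www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

# The same certificate after selecting sha256 and 2048 in the settings.
FIXED_CERT_TEXT = (WEAK_CERT_TEXT
                   .replace("sha1WithRSAEncryption", "sha256WithRSAEncryption")
                   .replace("(1024 bit)", "(2048 bit)"))
```

Feed it real output from `openssl x509 -noout -text -in exported.pem`; an empty findings list means the certificate matches the settings above.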

    In addition, if the Certificate Authority (CA) certificate used in Web Gateway was itself signed using SHA-1, you should consider replacing it soon.

    Currently web browsers display a warning only if the web server certificate is signed using SHA-1.

    However, the same issue may eventually apply to CA certificates signed using SHA-1.