Distrust SHA1 certs
Issue description

Protect Chrome users from attackers who might use the broken SHA-1 hash algorithm to obtain counterfeit website authentication certificates. Per https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html, Chrome will stop supporting SHA-1 certificates, unless the EnableSha1ForLocalAnchors policy flag is set.
Oct 14 2016
rsleevi@ - Ping! This issue marked as RB-Beta, could you please take look in to it.
Oct 14 2016
Yes, I'm working on it. But aren't we just at the very beginning of the cycle?
Nov 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a6bdfc7c128e0e51b3717c52c113d8dcff30bcb9

commit a6bdfc7c128e0e51b3717c52c113d8dcff30bcb9
Author: rsleevi <rsleevi@chromium.org>
Date: Tue Nov 08 18:58:47 2016

Distrust publicly trusted SHA-1 certs

Reject all publicly trusted SHA-1 certificates, as announced September 2014 at https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html and https://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html

To avoid too much disruption, enterprise SHA-1 is still allowed for M56; in M57, it will be disabled unless the EnableSha1ForLocalAnchors policy is set, as described at https://www.chromium.org/Home/chromium-security/education/tls/sha-1

As with other TLS deprecations, an emergency 'undeprecate' switch is kept around in the event of unexpected breakage, to allow rapid reverting to the previous behaviour.

BUG=653691

Review-Url: https://codereview.chromium.org/2483783003
Cr-Commit-Position: refs/heads/master@{#430674}

[modify] https://crrev.com/a6bdfc7c128e0e51b3717c52c113d8dcff30bcb9/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/a6bdfc7c128e0e51b3717c52c113d8dcff30bcb9/net/cert/cert_verify_proc.h
[modify] https://crrev.com/a6bdfc7c128e0e51b3717c52c113d8dcff30bcb9/net/cert/cert_verify_proc_unittest.cc
Nov 9 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/72d496d755369eb7f930fccb2389381425f316f6

commit 72d496d755369eb7f930fccb2389381425f316f6
Author: scheib <scheib@chromium.org>
Date: Wed Nov 09 00:35:28 2016

Revert of Distrust publicly trusted SHA-1 certs (patchset #1 id:1 of https://codereview.chromium.org/2483783003/ )

Reason for revert:
CertVerifyProcTest.RejectsPublicSHA1IntermediatesUnlessAllowed failing in net_unittests on Windows-10

Findit helped narrow: https://findit-for-me.appspot.com/waterfall/build-failure?url=https://build.chromium.org/p/chromium.win/builders/Win10%20Tests%20x64/builds/5825

Reliable failure: https://chromium-swarm.appspot.com/user/task/325ecf51e2458510

"""
[ RUN      ] CertVerifyProcTest.RejectsPublicSHA1IntermediatesUnlessAllowed
c:\b\c\b\win\src\net\cert\cert_verify_proc_unittest.cc(1625): error: Value of: error
  Expected: net::OK
  Actual: -213, net::ERR_CERT_VALIDITY_TOO_LONG
[  FAILED  ] CertVerifyProcTest.RejectsPublicSHA1IntermediatesUnlessAllowed (5 ms)
"""

Original issue's description:
> Distrust publicly trusted SHA-1 certs
>
> Reject all publicly trusted SHA-1 certificates, as announced
> September 2014 at
> https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html
> and
> https://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html
>
> To avoid too much disruption, enterprise SHA-1
> is still allowed for M56; in M57, it will be
> disabled unless the EnableSha1ForLocalAnchors policy is
> set, as described at
> https://www.chromium.org/Home/chromium-security/education/tls/sha-1
>
> As with other TLS deprecations, an emergency 'undeprecate'
> switch is kept around in the event of unexpected breakage,
> to allow rapid reverting to the previous behaviour.
>
> BUG=653691
>
> Committed: https://crrev.com/a6bdfc7c128e0e51b3717c52c113d8dcff30bcb9
> Cr-Commit-Position: refs/heads/master@{#430674}

TBR=davidben@chromium.org,rsleevi@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=653691

Review-Url: https://codereview.chromium.org/2487063003
Cr-Commit-Position: refs/heads/master@{#430795}

[modify] https://crrev.com/72d496d755369eb7f930fccb2389381425f316f6/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/72d496d755369eb7f930fccb2389381425f316f6/net/cert/cert_verify_proc.h
[modify] https://crrev.com/72d496d755369eb7f930fccb2389381425f316f6/net/cert/cert_verify_proc_unittest.cc
Nov 9 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/63efb444af72ffca8e96a9df770c05dc97f241bb

commit 63efb444af72ffca8e96a9df770c05dc97f241bb
Author: rsleevi <rsleevi@chromium.org>
Date: Wed Nov 09 04:57:07 2016

Distrust publicly trusted SHA-1 certs

Reject all publicly trusted SHA-1 certificates, as announced September 2014 at https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html and https://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html

To avoid too much disruption, enterprise SHA-1 is still allowed for M56; in M57, it will be disabled unless the EnableSha1ForLocalAnchors policy is set, as described at https://www.chromium.org/Home/chromium-security/education/tls/sha-1

As with other TLS deprecations, an emergency 'undeprecate' switch is kept around in the event of unexpected breakage, to allow rapid reverting to the previous behaviour.

BUG=653691

Review-Url: https://codereview.chromium.org/2483783003
Cr-Commit-Position: refs/heads/master@{#430866}

[modify] https://crrev.com/63efb444af72ffca8e96a9df770c05dc97f241bb/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/63efb444af72ffca8e96a9df770c05dc97f241bb/net/cert/cert_verify_proc.h
[modify] https://crrev.com/63efb444af72ffca8e96a9df770c05dc97f241bb/net/cert/cert_verify_proc_unittest.cc
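An added example (not Chromium code) that models the rule the commit message above describes: a SHA-1 signature anywhere below the anchor is rejected outright when the anchor is publicly trusted, tolerated for enterprise (local) anchors in M56 and in M57 only under EnableSha1ForLocalAnchors, and the emergency undeprecate switch restores the old behaviour. The chain representation, `VerifyResult` and `verify_chain` are assumptions of this example, not Chromium's `CertVerifyProc` API.

```python
# Added example modelling Chrome's SHA-1 distrust decision. Not Chromium
# code; VerifyResult, verify_chain and the chain format are assumed here.
from dataclasses import dataclass

# Certificate signature algorithms whose digest is SHA-1.
SHA1_SIGNATURE_ALGORITHMS = {
    "sha1WithRSAEncryption",
    "ecdsa-with-SHA1",
    "dsa-with-sha1",
}

# Chrome's existing error for weak signatures; it is what the "weak cert
# signature interstitial" mentioned later in this issue is shown for.
ERR_CERT_WEAK_SIGNATURE_ALGORITHM = "ERR_CERT_WEAK_SIGNATURE_ALGORITHM"
OK = "OK"


@dataclass
class VerifyResult:
    error: str
    has_sha1: bool = False           # some non-anchor cert is SHA-1 signed
    is_issued_by_known_root: bool = False


def verify_chain(chain, anchor_is_public, milestone,
                 enable_sha1_for_local_anchors=False, undeprecate=False):
    """Apply the distrust rule to a chain ordered leaf first, anchor last.

    chain: signature-algorithm name of each certificate in the chain.
    anchor_is_public: True for a publicly trusted root, False for an
                      enterprise (locally installed) anchor.
    milestone: Chrome release number, e.g. 56 or 57.
    enable_sha1_for_local_anchors: the EnableSha1ForLocalAnchors policy.
    undeprecate: the emergency switch that restores the old behaviour.
    """
    result = VerifyResult(error=OK, is_issued_by_known_root=anchor_is_public)
    # A trust anchor's own self-signature is not evaluated by verifiers
    # (assumed here), so only the leaf and intermediates are inspected.
    result.has_sha1 = any(alg in SHA1_SIGNATURE_ALGORITHMS for alg in chain[:-1])
    if not result.has_sha1 or undeprecate:
        return result                      # nothing weak, or rollback active
    if anchor_is_public:
        result.error = ERR_CERT_WEAK_SIGNATURE_ALGORITHM   # always rejected
    elif milestone >= 57 and not enable_sha1_for_local_anchors:
        result.error = ERR_CERT_WEAK_SIGNATURE_ALGORITHM   # M57+ needs policy
    return result
```

A deployment can feed the signature algorithms of its own chains into `verify_chain` to see which will break at M56 and which at M57 without the policy.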
Nov 19 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f3f60a5708505a97dd7761b60f39eac3f78a54dd

commit f3f60a5708505a97dd7761b60f39eac3f78a54dd
Author: lgarron <lgarron@chromium.org>
Date: Sat Nov 19 03:25:04 2016

Explicitly mention SHA-1 as a possible cause in the weak cert signature interstitial.

In the near future (starting in Chrome 56), this error will most often be triggered by the deprecation of SHA-1 signed certs. Explicitly mentioning SHA-1 in the advanced details gives a strong hint about the likely cause to anyone who does not know the ins and outs of the SHA-1 deprecation, but has heard about it.

BUG=653691

Review-Url: https://codereview.chromium.org/2504233005
Cr-Commit-Position: refs/heads/master@{#433388}

[modify] https://crrev.com/f3f60a5708505a97dd7761b60f39eac3f78a54dd/components/ssl_errors_strings.grdp
Nov 22 2016
Your change meets the bar and is auto-approved for M56 (branch: 2924)
Nov 30 2016
Please merge your change to M56 (branch: 2924) ASAP so that we could take it for next Dev Release.
Nov 30 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Dec 2 2016
Andrew, would you like to merge the CL since Ryan is OOO? FYI: M56 will be promoted to Beta next week.
Dec 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e7f8c938ab86d0c66604bbb9ce0c701c4985ff92

commit e7f8c938ab86d0c66604bbb9ce0c701c4985ff92
Author: Andrew R. Whalley <awhalley@chromium.org>
Date: Fri Dec 02 22:39:35 2016

[M56 merge] Explicitly mention SHA-1 as a possible cause in the weak cert signature interstitial.

In the near future (starting in Chrome 56), this error will most often be triggered by the deprecation of SHA-1 signed certs. Explicitly mentioning SHA-1 in the advanced details gives a strong hint about the likely cause to anyone who does not know the ins and outs of the SHA-1 deprecation, but has heard about it.

BUG=653691

Review-Url: https://codereview.chromium.org/2504233005
Cr-Commit-Position: refs/heads/master@{#433388}
(cherry picked from commit f3f60a5708505a97dd7761b60f39eac3f78a54dd)

Review URL: https://codereview.chromium.org/2546473009 .

Cr-Commit-Position: refs/branch-heads/2924@{#307}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/e7f8c938ab86d0c66604bbb9ce0c701c4985ff92/components/ssl_errors_strings.grdp
Comment 1 by awhalley@chromium.org, Oct 6 2016