
Issue 662215


Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug




Credit Sesame login page gives unclear security warning

Project Member Reported by isherman@chromium.org, Nov 3 2016

Issue description

Version: 56.0.2908.0 (Official Build) canary (64-bit)
OS: macOS 10.11.6
URL: https://secure.creditsesame.com/s/login

What steps will reproduce the problem?
1. Navigate to https://secure.creditsesame.com/s/login

What is the expected output?
  Either (a) a login page, or (b) a clear explanation of why the connection is invalid.

What do you see instead?
  An error message that "This site can’t provide a secure connection, secure.creditsesame.com sent an invalid response."  But, when I try to view security details, everything looks green.

FWIW, the URL loads fine in Safari.  https://secure.creditsesame.com/s/login

Cc: davidben@chromium.org
Components: -Security Blink>Network
Labels: -Team-Security-UX
We generally give some information on the net error page unless the site is so broken that we can't finish the handshake.

A quick look at net-internals points to:
--> file = "../../third_party/boringssl/src/ssl/t1_lib.c"
--> line = 528

.. which is inside a function called tls12_check_peer_sigalg() [1]


[1] https://cs.chromium.org/chromium/src/third_party/boringssl/src/ssl/t1_lib.c?q=%22OPENSSL_PUT_ERROR(SSL,+SSL_R_WRONG_SIGNATURE_TYPE);%22&sq=package:chromium&l=528&dr=C
Components: -Blink>Network Internals>Network>SSL
The site is so broken that we can't finish the handshake. :-P

Specifically, it is a TLS 1.2 site that can only sign SHA-1, which we are removing in Chrome 56. Not only that, it is signing SHA-1 despite us advertising in the ClientHello that SHA-1 is unacceptable.
https://www.chromestatus.com/feature/5725838074970112
https://groups.google.com/a/chromium.org/d/msg/blink-dev/kWwLfeIQIBM/9chGZ40TCQAJ

(Note that TLS 1.2 cannot be implemented without SHA-2 and ECDSA means you are already throwing out a lot of older things, so it really makes no sense to only sign SHA-1 here.)

I'll reach out to the site and see what's up. The previous instances were hitting a LibreSSL bug, but this seems to be something else.
(I should clarify, this is *not* SHA-1 in the certificate. This is the online signature in the TLS protocol which we also need to get SHA-1 out of over time.)
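As an added illustration (not Chromium's or BoringSSL's code), the check below mirrors what the comments above describe: the client parses its own ClientHello signature_algorithms list and rejects a ServerKeyExchange signed with a (hash, signature) pair it never offered, which is how a SHA-1-only signer fails even though the certificate itself is fine. The extension bytes and the ECDSA key type are constructed for the example; Chrome 56's actual advertised list is not given on this page.

```python
import struct
from typing import Dict, List, Tuple

# RFC 5246 section 7.4.1.4.1 code points for HashAlgorithm and SignatureAlgorithm.
HASH_NAMES: Dict[int, str] = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES: Dict[int, str] = {1: "rsa", 2: "dsa", 3: "ecdsa"}

# Constructed ClientHello signature_algorithms extension body (not Chrome's real
# list): a 2-byte length, then (hash, sig) byte pairs. SHA-1 is deliberately absent.
CLIENT_SIGALGS_EXT = bytes([0x00, 0x0A, 4, 3, 5, 3, 4, 1, 5, 1, 6, 1])


def parse_signature_algorithms(body: bytes) -> List[Tuple[int, int]]:
    """Parse a signature_algorithms extension body into (hash, sig) pairs."""
    if len(body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", body[:2])
    pairs = body[2:]
    if length == 0 or length % 2 or length != len(pairs):
        raise ValueError("malformed signature_algorithms extension")
    return [(pairs[i], pairs[i + 1]) for i in range(0, length, 2)]


def check_peer_sigalg(advertised: List[Tuple[int, int]], peer_hash: int,
                      peer_sig: int, cert_key_type: str) -> Tuple[bool, str]:
    """Client-side check of the SignatureAndHashAlgorithm the server used in
    ServerKeyExchange: the signature algorithm must match the certificate's key
    type, and the pair must be one the client offered. A server that signs with
    SHA-1 when SHA-1 was never advertised fails the second check."""
    if SIG_NAMES.get(peer_sig) != cert_key_type:
        return False, "signature algorithm %s does not match %s certificate" % (
            SIG_NAMES.get(peer_sig, peer_sig), cert_key_type)
    if (peer_hash, peer_sig) not in advertised:
        return False, "WRONG_SIGNATURE_TYPE: server signed %s/%s, which we did not advertise" % (
            HASH_NAMES.get(peer_hash, peer_hash), SIG_NAMES[peer_sig])
    return True, "ok"


def evaluate_server(peer_hash: int, peer_sig: int, cert_key_type: str) -> Tuple[bool, str]:
    """Run the check against the constructed ClientHello list above."""
    return check_peer_sigalg(parse_signature_algorithms(CLIENT_SIGALGS_EXT),
                             peer_hash, peer_sig, cert_key_type)


if __name__ == "__main__":
    # A signer that can only produce SHA-1 is rejected (hash 2 = sha1, sig 3 = ecdsa) ...
    print(evaluate_server(2, 3, "ecdsa"))
    # ... while a SHA-256 signature with the same key type is accepted.
    print(evaluate_server(4, 3, "ecdsa"))
```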
Cc: -davidben@chromium.org
Owner: davidben@chromium.org
Status: Assigned (was: Untriaged)
I've emailed the address at https://www.creditsesame.com/about/safe-and-secure/ which looks like a promising contact. Hopefully this'll be resolved soon, and we'll have more data points on affected vendors. Thanks for the report!
(No response yet. If I don't hear back by tomorrow, I'll forward the mail to some other "Contact Us" addresses on their site or maybe their WHOIS contact.)
Cc: awhalley@chromium.org
+awhalley I haven't had much luck reaching these folks.
Labels: M-56
I just tried contacting via Facebook, hopefully that will work...
Thanks! I tried a few more email addresses, but no luck. Feel free to point them at me for information. (I'm interested to find out what software they are running.)
FWIW, I heard back via Facebook.  The person speaking with me did not seem to be a developer, but said that they passed the info along to their developer team.  So, might get fixed soon.  Dunno if we'll ever hear back about what software they're running, though.
I've been in contact with the Director of IT there via LinkedIn.  I just asked explicitly about the software they're using.
awhalley: Mind adding me to the thread?
Status: Fixed (was: Assigned)
This has been worked around at the site now. (Turns out A10 load balancers can only sign SHA-1. The update wasn't available yet, so they switched to an RSA certificate for now. This is not a great outcome, but we did learn about a problematic vendor so that's something. :-/ I'll circle back with that site later to ask that they apply A10's update.)
Update: Their vendor has since shipped the update (so we know what to tell people next time) and they've now updated to the new release and restored the old certificate without problems, so all's well.
