Distrust SHA-1 Enterprise Certs unless EnableSha1ForLocalAnchors is set
Issue description: Protect Chrome users from attackers who might use the broken SHA-1 hash algorithm to obtain counterfeit website authentication certificates. Per https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html, Chrome will stop supporting SHA-1 certificates unless the EnableSha1ForLocalAnchors policy flag is set.
Dec 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d3d4039a2c95869ba38aa69b6bb542362e5f4574

commit d3d4039a2c95869ba38aa69b6bb542362e5f4574
Author: rsleevi <rsleevi@chromium.org>
Date: Wed Dec 14 02:40:05 2016

Disable SHA-1 for Enterprise Certs

Disable SHA-1 unless CertVerifier::VERIFY_ENABLE_SHA1_LOCAL_ANCHORS is set. This flag is set based on the EnableSha1ForLocalAnchors policy for Chrome users.

BUG= 673036
Review-Url: https://codereview.chromium.org/2560343002
Cr-Commit-Position: refs/heads/master@{#438399}

[modify] https://crrev.com/d3d4039a2c95869ba38aa69b6bb542362e5f4574/net/cert/cert_verify_proc.cc
[modify] https://crrev.com/d3d4039a2c95869ba38aa69b6bb542362e5f4574/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/d3d4039a2c95869ba38aa69b6bb542362e5f4574/net/data/ssl/certificates/README
[modify] https://crrev.com/d3d4039a2c95869ba38aa69b6bb542362e5f4574/net/data/ssl/certificates/crlset_by_intermediate_serial.raw
[add] https://crrev.com/d3d4039a2c95869ba38aa69b6bb542362e5f4574/net/data/ssl/certificates/intermediate_ca_cert.pem
[add] https://crrev.com/d3d4039a2c95869ba38aa69b6bb542362e5f4574/net/data/ssl/certificates/ok_cert_by_intermediate.pem
[modify] https://crrev.com/d3d4039a2c95869ba38aa69b6bb542362e5f4574/net/data/ssl/certificates/x509_verify_results.chain.pem
[modify] https://crrev.com/d3d4039a2c95869ba38aa69b6bb542362e5f4574/net/data/ssl/scripts/ca.cnf
[modify] https://crrev.com/d3d4039a2c95869ba38aa69b6bb542362e5f4574/net/data/ssl/scripts/generate-test-certs.sh
[modify] https://crrev.com/d3d4039a2c95869ba38aa69b6bb542362e5f4574/net/net.gypi
Jan 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f344fae16403754aab4567c1edb158ee658a8b07

commit f344fae16403754aab4567c1edb158ee658a8b07
Author: rsleevi <rsleevi@chromium.org>
Date: Wed Jan 04 22:08:39 2017

Only disable SHA-1 for local trust anchors if there's a PrefService

SHA-1 is being phased out, and beginning with M57, SHA-1 certificates signed by locally installed trust anchors are being disabled by default. To re-enable, Enterprises should set an EnableSha1ForLocalAnchors policy to allow it.

However, for platforms without enterprise policies, or for embedders, this raises a question about what the default state should be - enabled or disabled. As Chrome itself expects there to be non-trivial impact (thus, the policy, supported until 1 Jan 2019), it is safer to leave the current behaviour, enabling SHA-1 for these certs, on by default, and leave it to embedders to disable (via the SSLConfig/SSLConfigService).

If embedders support preferences, that's seen as sufficient support to enable some degree of run-time control/flexibility, thus the default is moved from //net to //components/ssl_config. Embedders using //net will continue to support SHA-1 anchors by default, while embedders that include //components/ssl_config (and use it) will disable it by default.

BUG= 673036
Review-Url: https://codereview.chromium.org/2613533004
Cr-Commit-Position: refs/heads/master@{#441481}

[modify] https://crrev.com/f344fae16403754aab4567c1edb158ee658a8b07/components/ssl_config/ssl_config_service_manager_pref.cc
[modify] https://crrev.com/f344fae16403754aab4567c1edb158ee658a8b07/components/ssl_config/ssl_config_service_manager_pref_unittest.cc
[modify] https://crrev.com/f344fae16403754aab4567c1edb158ee658a8b07/net/ssl/ssl_config.cc
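The gating logic the issue description and the two commits describe (SHA-1 rejected under public roots, allowed under locally installed anchors only when EnableSha1ForLocalAnchors is set, with the default depending on whether a PrefService exists), as an added model written for this page. It is not Chromium's code: the Cert type, the function names and the sample chain are all constructed, and only the signature-algorithm OIDs are real.

```python
from dataclasses import dataclass

# Signature-algorithm OIDs whose digest is SHA-1 (standard OIDs, not from the page).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5",  # sha1WithRSAEncryption
    "1.2.840.10045.4.1",     # ecdsa-with-SHA1
    "1.2.840.10040.4.3",     # dsaWithSHA1
}
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption


@dataclass
class Cert:  # constructed stand-in for a parsed X.509 certificate
    subject: str
    sig_oid: str  # algorithm the issuer used to sign this certificate


def default_enable_sha1_local_anchors(has_pref_service: bool) -> bool:
    """Default from the second commit: a bare //net embedder keeps SHA-1 local
    anchors enabled; an embedder with a PrefService behind SSLConfig
    (//components/ssl_config) disables them unless policy re-enables."""
    return not has_pref_service


def verify_chain(chain, anchor_is_local, enable_sha1_local_anchors):
    """chain[0] is the leaf, chain[-1] the trust anchor; path building is
    assumed to have already succeeded. Returns (accepted, reason)."""
    if not chain:
        return False, "empty chain"
    # A root's self-signature is never checked (trust comes from configuration),
    # so only the certificates below the anchor are examined.
    sha1_subjects = [c.subject for c in chain[:-1] if c.sig_oid in SHA1_SIGNATURE_OIDS]
    if not sha1_subjects:
        return True, "no SHA-1 signatures in the path"
    if not anchor_is_local:
        return False, f"SHA-1 under a publicly trusted root: {sha1_subjects}"
    if enable_sha1_local_anchors:
        return True, f"SHA-1 under a local anchor, allowed by policy: {sha1_subjects}"
    return False, f"SHA-1 under a local anchor and policy not set: {sha1_subjects}"


# Constructed sample: a SHA-1-signed leaf issued by an enterprise intermediate
# that chains to a locally installed root.
SAMPLE_CHAIN = [
    Cert("CN=intranet.example", "1.2.840.113549.1.1.5"),
    Cert("CN=Corp Intermediate CA", SHA256_RSA),
    Cert("CN=Corp Root CA", SHA256_RSA),
]

if __name__ == "__main__":
    for has_prefs in (False, True):
        flag = default_enable_sha1_local_anchors(has_prefs)
        print(f"PrefService={has_prefs} flag={flag}", verify_chain(SAMPLE_CHAIN, True, flag))
```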
Jan 10 2017
Comment 1 by rsleevi@chromium.org, Dec 9 2016