Bug #6563

closed

Squid still accepts sha1 certificates

Added by Richard Eberhard almost 8 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Squid
Target version:
-
Start date:
06/30/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

Squid still accepts SHA-1 certificates (man-in-the-middle proxy). I think this should be blocked by default for security reasons. Is there a config hack to block SHA-1? Can someone give me some hints? Tested with this page: https://sha1-2017.badssl.com/
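The ticket asks for a way to detect and block SHA-1 signed certificates at the proxy. The check underneath any such filter is simple: read the `signatureAlgorithm` field of the DER-encoded certificate and compare its OID against the known SHA-1 (and MD5) signature algorithms. The following is an added example, not code from this ticket, from pfSense or from the Squid project; it uses only the Python standard library, walks just enough ASN.1/DER to reach the outer `signatureAlgorithm` SEQUENCE, and classifies the OID. The function names (`certificate_signature_oid`, `classify_certificate`, `make_constructed_cert`) and the constructed stand-in certificates are assumptions made for the example; the OID values are the standard ones from RFC 3279, RFC 4055 and RFC 5758.

```python
# Added example (not from the pfSense ticket or the Squid project): a minimal DER
# walker that reads the signatureAlgorithm OID of an X.509 certificate and flags
# SHA-1 (and MD5) signatures. Only the standard library is used.

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.3.14.3.2.29": "sha1WithRSASignature",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
STRONG_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                 # short-form length
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, end, end


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def certificate_signature_oid(der):
    """Return the dotted OID from the outer signatureAlgorithm field of a DER certificate."""
    tag, start, _, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, _, _, pos = _read_tlv(der, start)            # tbsCertificate (skipped whole)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _, _ = _read_tlv(der, pos)        # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end, _ = _read_tlv(der, alg_start)  # algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def classify_certificate(der):
    """Return ('weak'|'ok'|'unknown', algorithm name or raw OID) for a DER certificate."""
    oid = certificate_signature_oid(der)
    if oid in WEAK_SIGNATURE_OIDS:
        return "weak", WEAK_SIGNATURE_OIDS[oid]
    if oid in STRONG_SIGNATURE_OIDS:
        return "ok", STRONG_SIGNATURE_OIDS[oid]
    return "unknown", oid


# --- constructed sample input (not a real certificate) -------------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_constructed_cert(sig_oid):
    """Constructed stand-in with the outer shape of an X.509 Certificate, for testing."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                              # tbsCertificate placeholder
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # AlgorithmIdentifier
    sig = _der(0x03, b"\x00" + b"\xAA" * 64)                           # signatureValue placeholder
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", classify_certificate(make_constructed_cert(oid)))
```

To run this against a live site such as the badssl test page named in the ticket, fetch the PEM with `ssl.get_server_certificate((host, 443))`, convert it with `ssl.PEM_cert_to_DER_cert`, and pass the bytes to `classify_certificate`. Two caveats for anyone turning this into a proxy-side policy: it inspects only the certificate it is given, so a chain check must repeat it for each intermediate, and a self-signed root's own signature is irrelevant because trust in the root comes from the store, not from that signature.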

Actions #1

Updated by Sean McBride about 7 years ago

I don't actually use squid, but given this week's SHA-1 collision https://shattered.it, I thought I'd ping this ticket...

Actions #2

Updated by Kill Bill about 7 years ago

Yeah, last time I checked (~Oct/Nov 2016) an estimate was that ~35% of websites were still using SHA1 certificates. Obviously such changes are a no-go.

Actions #3

Updated by Sean McBride about 7 years ago

It's probably much lower now. Since January, all the major browsers warn upon SHA1 certs. Regardless, the ticket submitter does not seem to be asking to rip SHA1 support out entirely, but for an option to block it, and to do so by default. Sounds quite prudent to me.

Actions #4

Updated by Kill Bill over 6 years ago

https://github.com/pfsense/FreeBSD-ports/pull/402 since pretty much any decent browser nags about these nowadays.

Actions #5

Updated by Kill Bill over 6 years ago

Merged and fixed.

Actions #6

Updated by Jim Pingle over 6 years ago

  • Status changed from New to Resolved