Re: Peer digest using sha1 on TLS connection - Chrome fails

Just as an update - it appears that there was a vhost config that went unnoticed - this from the guy who found it:

"We noticed with SSLLabs that there were 2 SSL certificates getting pulled when testing against the xxx.xxx.xxx.domain

Looking at the config being included in Apache when started, we found a vhost file which shared the same IP listener. This was a site migrated from the platform under a different domain (yyy.xxx.xxx.domain), so the SSL attached to this vhost was expired (possibly the SHA1) but was getting considered as part of the TLS negotiation alongside the existing certificate for xxx.xxx.xxx.domain (which was SHA2)."
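The listener overlap described in that update, as an added example (this is editorial code, not anything posted to the list or shipped with httpd). It parses a constructed pair of VirtualHost blocks (the address 10.0.0.5:443, the names legacy.example.com / app.example.com and the certificate paths are all invented) and models Apache's name-based selection: a ClientHello whose SNI matches a ServerName or ServerAlias gets that vhost, while no SNI, or an unmatched name, gets the first vhost defined on the listener. That first-defined vhost is the one an unnoticed, earlier-included file can silently take over, and SSL Labs tests both with and without SNI, which is why it reported two certificates.

```python
"""Find vhosts that share a TLS listener and which certificate each name gets.

Added example, not from the thread. The config below is constructed; run
parse_vhosts() on the concatenation of every file httpd actually Includes.
"""
import fnmatch
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|ServerAlias|SSLCertificateFile|SSLEngine)\s+(.+?)\s*$",
    re.M | re.I,
)


def parse_vhosts(config_text):
    """Return vhosts in definition order (order matters: first one is the default)."""
    vhosts = []
    for m in VHOST_RE.finditer(config_text):
        listener = m.group(1).strip()
        names, cert, ssl = [], None, False
        for key, val in DIRECTIVE_RE.findall(m.group(2)):
            key = key.lower()
            if key == "servername":
                # ServerName may carry a scheme and port; keep only the host
                host = re.sub(r"^\w+://", "", val).split(":")[0].lower()
                names.insert(0, host)
            elif key == "serveralias":
                names.extend(v.lower() for v in val.split())
            elif key == "sslcertificatefile":
                cert = val
            elif key == "sslengine":
                ssl = val.lower() == "on"
        vhosts.append({"listener": listener, "names": names, "cert": cert, "ssl": ssl})
    return vhosts


def select_vhost(vhosts, listener, sni_name=None):
    """Apache's choice for a connection on `listener`.

    The first vhost defined for the listener is the default and serves
    clients that send no SNI or an unmatched name; a matching ServerName
    or ServerAlias (shell-style wildcards, as Apache accepts) overrides it.
    """
    candidates = [vh for vh in vhosts if vh["listener"] == listener]
    if not candidates:
        return None
    if sni_name:
        sni_name = sni_name.lower()
        for vh in candidates:
            if any(fnmatch.fnmatchcase(sni_name, n) for n in vh["names"]):
                return vh
    return candidates[0]


def audit(config_text):
    """Listeners with more than one TLS vhost, with the default and every cert in play."""
    by_listener = {}
    for vh in parse_vhosts(config_text):
        by_listener.setdefault(vh["listener"], []).append(vh)
    report = {}
    for listener, vhs in by_listener.items():
        if len(vhs) > 1 and any(vh["ssl"] for vh in vhs):
            report[listener] = {
                "default": vhs[0]["names"][0] if vhs[0]["names"] else None,
                "certs": [vh["cert"] for vh in vhs],
            }
    return report


# Constructed sample: the migrated site's file happens to be Included first.
SAMPLE_CONFIG = """
# legacy-site.conf (constructed): migrated site, still Included on startup
<VirtualHost 10.0.0.5:443>
    ServerName legacy.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/legacy.example.com.crt
</VirtualHost>

# app-site.conf (constructed): the site everyone expected to be served
<VirtualHost 10.0.0.5:443>
    ServerName app.example.com
    ServerAlias *.app.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/app.example.com.crt
</VirtualHost>
"""

if __name__ == "__main__":
    vhs = parse_vhosts(SAMPLE_CONFIG)
    for sni in ("app.example.com", "api.app.example.com", None):
        print(sni, "->", select_vhost(vhs, "10.0.0.5:443", sni)["cert"])
    print(audit(SAMPLE_CONFIG))
```

On the server itself, `httpd -S` (or `apachectl -S`) prints the same vhost table straight from the running configuration, including which vhost is the default for each port, and `openssl s_client -connect host:443` run once with and once without `-servername name` shows which chain each case actually gets.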


From: Pedro Coelho Silva <coelhop24@xxxxxxxxx>
Sent: Friday, October 13, 2023 5:42 AM
To: users@xxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxx>
Subject: Re: Peer digest using sha1 on TLS connection - Chrome fails

Is the CA cert signed with SHA-1? If so, you can try to check if the CA has a cross-signed CA cert with SHA2 you can use for the customer's current certificate chain or just tell your customer to reissue the cert with a full SHA2 chain.
Best Regards
/P
--
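The check behind that suggestion, as an added example (editorial code, not from the list or from any CA tooling): walk every certificate in a PEM bundle and report its signature algorithm, so a SHA-1 signed intermediate stands out. It uses only the standard library; a small DER walker pulls the outer signatureAlgorithm OID out of each certificate, and the OID table is the standard PKIX set. The sample chain is constructed with a matching toy encoder (placeholder key, dummy signature bits, invented names), so the script runs offline. A self-signed root that is itself SHA-1 signed is reported but not flagged, because clients do not verify the trust anchor's own signature; the intermediate is what a SHA-2 cross-sign or a reissued chain fixes. This looks only at certificate signatures, not at the digest negotiated for the handshake signature itself.

```python
"""Report the signature algorithm of every certificate in a PEM chain.

Added example, not from the thread. Point audit_chain() at a real bundle;
SAMPLE_CHAIN below is constructed and has no real keys or signatures.
"""
import base64
import re

SHA1_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.10045.4.1": "ecdsa-with-SHA1",
             "1.2.840.10040.4.3": "dsa-with-sha1"}
OTHER_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
              "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
              "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_read(buf, pos):
    """Read one TLV (single-byte tags only); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        out.append((tag, v))
    return out


def decode_oid(v):
    # first byte packs the first two arcs (valid for the 1.x/2.x OIDs used here)
    parts, acc = [str(v[0] // 40), str(v[0] % 40)], 0
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def cert_info(der_bytes):
    """Signature OID and whether issuer == subject (self-signed)."""
    _, cert, _ = der_read(der_bytes, 0)                  # Certificate ::= SEQUENCE
    tbs, sig_alg, _sig = der_children(cert)              # tbs, AlgorithmIdentifier, BIT STRING
    oid = decode_oid(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]         # serial, sigalg, issuer, validity, subject
    return {"sig_oid": oid, "self_signed": issuer == subject}


def audit_chain(pem_text):
    findings = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        info = cert_info(base64.b64decode("".join(m.group(1).split())))
        oid = info["sig_oid"]
        findings.append({"index": i,
                         "algorithm": SHA1_OIDS.get(oid) or OTHER_OIDS.get(oid, oid),
                         "self_signed": info["self_signed"],
                         "weak": oid in SHA1_OIDS and not info["self_signed"]})
    return findings


# --- toy DER encoder used only to build the constructed sample chain ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(s):
    a = [int(x) for x in s.split(".")]
    body = bytes([40 * a[0] + a[1]])
    for v in a[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(chunk)
    return der(0x06, body)


def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, PrintableString } } }
    return der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x13, cn.encode()))))


def fake_cert(subject, issuer, sig_oid):
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"230101000000Z") + der(0x17, b"240101000000Z"))
    spki = der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer) + validity + name(subject) + spki)
    cert = der(0x30, tbs + alg + der(0x03, b"\x00" * 9))   # dummy signature bits
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_CHAIN = (fake_cert("www.example.com", "Example Issuing CA", "1.2.840.113549.1.1.11")
                + fake_cert("Example Issuing CA", "Example Root CA", "1.2.840.113549.1.1.5")
                + fake_cert("Example Root CA", "Example Root CA", "1.2.840.113549.1.1.5"))

if __name__ == "__main__":
    for f in audit_chain(SAMPLE_CHAIN):
        print(f)
```

Against a live server the bundle to feed in is what `openssl s_client -connect host:443 -servername name -showcerts` prints for that vhost, which is the chain the browser actually evaluates rather than whatever sits in SSLCertificateChainFile.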


On Thu, 12 Oct 2023 at 04:27, Craig H Silva (Cenitex) <Craig.Silva@xxxxxxxxxxxxxxxxxx.invalid> wrote:

This is probably not the most appropriate mailing list to ask this question.

Basically we have apache 2.4.3 on a solaris 10 host running openssl 1.0.2zf.

This was OK up until the 117 release of Chrome, which now rejects sha1. 

Funny thing is that one vhost with the same ssl config is ok, whilst one vhost is failing. From all that I can tell, the only difference is the certificates - the CA cert is different.

I'm the unix admin (typically I don't do the httpd config - that's our customer), but the customer wants to make it our issue. Of course this is the customer that has resisted upgrading the OS.


There is one available patch for openssl from Oracle (151912-22 - openssl 1.0.2zf) but I can't get any info at this point on whether that might address the issue.


It's only Chrome that is failing at the moment, but I'm interested in any thoughts or ideas from this list as to whether there is any workaround that could be attempted.


Craig Silva | Specialist Engineer – Unix & Storage Services

Level 18, 80 Collins Street, Melbourne 3000

(03) 9063 5126

cenitex.vic.gov.au


Cenitex acknowledges the Traditional Owners and custodians of the land and we pay our respects to their Elders, past, present and emerging. We are an inclusive workplace that embraces diversity in all its forms.


Notice:

This email and any attachments may contain information that is personal,
confidential, legally privileged and/or copyright. No part of it should be
reproduced, adapted or communicated without the prior written consent of the
copyright owner.

It is the responsibility of the recipient to check for and remove viruses.

If you have received this email in error, please notify the sender by return
email, delete it from your system and destroy any copies. You are not authorised
to use, communicate or rely on the information contained in this email.

Please consider the environment before printing this email.
