[NethServer 6.6] Certificates signed with SHA1


(Emiliano Vavassori) #1

Hi all,

As a matter of fact, a lot of browsers are going to block certificates signed with obsolete/non-secure algorithms. Unfortunately, NethServer makes use of SHA1 when signing certificates for its infrastructure. This means that an infrastructure with SSL Transparent proxy enabled will cause some problems on some sites with some modern browsers.

Steps to reproduce:

  • Install nethserver-squid and nethserver-firewall-base
  • Configure a red interface (WAN) plus a green one (LAN)
  • Configure proxying as “Transparent with SSL”
  • Get a client, connect to LAN interface
  • Install Firefox on the client
  • Install the proxy certificate in Firefox on the client and trust it (http://<serverip>/proxy.crt)
  • Visit Edmodo

Expected results:
See the correct page for Edmodo.

Obtained results:
You will see a blank page. Accessing the developer console in Firefox, you should be able to see clearly that a lot of third-party sites are blocked because of the SHA1 signature on the certificate (which is the one used by NethServer).

I’m positive that this is a problem with the proxy certificate: configuring the proxying to do just “Transparent”, Edmodo loads correctly with its main page.

I’ve been told that signing is configured when creating the CA for the infrastructure. I hoped to find the scripts that configure the CA but I didn’t find anything (not searched thoroughly).

Can you please confirm?
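A way to confirm which algorithm the served proxy certificate is signed with, as an added example that is not part of the original post or of NethServer: it walks the DER structure just far enough to read the signatureAlgorithm OID, and the certificate shell it runs on is constructed (the real check would be run on the downloaded proxy.crt).

```python
"""Added example, not NethServer code: report the signatureAlgorithm of an X.509
certificate (PEM or DER) using only the standard library, to spot a SHA1-signed
proxy CA like http://<serverip>/proxy.crt (cf. openssl x509 -noout -text)."""
import base64
import re

# OID -> name; only the RSA signature OIDs relevant to this report
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK = {"sha1WithRSAEncryption"}  # rejected by current browsers

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs; high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Return the algorithm name (or raw OID) a certificate is signed with."""
    if cert.lstrip().startswith(b"-----BEGIN"):  # PEM -> DER
        cert = base64.b64decode(re.sub(rb"-----[^-]*-----|\s", b"", cert))
    _, outer, _ = _tlv(cert, 0)        # Certificate ::= SEQUENCE {
    _, _, pos = _tlv(outer, 0)         #   tbsCertificate (skipped)
    _, sigalg, _ = _tlv(outer, pos)    #   signatureAlgorithm ::= SEQUENCE
    tag, oid, _ = _tlv(sigalg, 0)      #     algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return SIG_ALGS.get(_oid(oid), _oid(oid))

def is_weak(cert):
    return signature_algorithm(cert) in WEAK

def _der(tag, content):  # short-form DER TLV, only used to build the sample
    return bytes([tag, len(content)]) + content

# Constructed sample, not a real certificate: the outer DER shell with a sha1WithRSAEncryption signatureAlgorithm
SAMPLE_SHA1 = _der(0x30, _der(0x30, _der(0x02, b"\x01"))
    + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010105")) + _der(0x05, b""))
    + _der(0x03, b"\x00"))
```

On a real file: `is_weak(open("proxy.crt", "rb").read())`.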
