Google Chrome "Your connection to website is encrypted with obsolete cryptography"

  • Google Chrome is showing new information in the certificate section.

    image

    Is this a big deal? If so how can I fix it on the server end?

    EDIT: Thanks for the answers but I'm not skilled in cryptography so the only thing I can update with is this certificate was created by Shell in a Box, and I was also wondering if this was ruining the security of TLS/SSL communication with the application and if so, how I could fix it.

    This has been coined 'security shaming'. It made the Financial Times http://www.ft.com/cms/s/0/f53fe1ae-c98a-11e4-b2ef-00144feab7de.html

    You may also see "The site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."

  • Adm Selec

    Adm Selec Correct answer

    5 years ago

    Your exact case is that RSA is used as the key exchange mechanism. Instead, you should use DHE_RSA or ECDHE_RSA.

    To remove the "obsolete cryptography" warning, you'll need to use "modern cryptography" which is defined as:

    • Protocol: TLS 1.2 or QUIC
    • Cipher: AES_128_GCM or CHACHA20_POLY1305
    • Key exchange: DHE_RSA or ECDHE_RSA or ECDHE_ECDSA

    Twitter discussion: https://twitter.com/reschly/status/534956038353477632

    Commit: https://codereview.chromium.org/703143003

    This has nothing to do with a certificate. There is a special "outdated security settings" warning when a certificate uses weak signature algorithm, but this is about authentication, not about encryption. Note that you are still getting a green lock, even in case of obsolete encryption.

    So how do I generate my private/public keys using ECDHE_RSA? I'm getting the same error as OP, and I'm using this command to generate my keys `openssl req -x509 -newkey rsa:2048 -sha256 -keyout a.key -out a.crt -days 1000 -nodes -subj "..."`. I'm guessing I need to change the rsa:2048 param, but I can't find what I should be changing it to.

    @Rob You do not need to generate new keys - you just have to modify some server settings to allow clients to use at least one of the listed ciphersuites. In apache, this can be done in your VirtualHost configuration file. There is an SSL config generator you can use to make this easier: https://mozilla.github.io/server-side-tls/ssl-config-generator/

    Hey! Thanks for your response! That makes a lot of sense since I didn't understand why the certificate would be the one to dictate this. Unfortunately, I'm not using Apache, I'm using my own web server which is based off of Civetweb, so I'll have to look into that!

    Note for Tomcat, to change from AES_256_CBC to AES_128_GCM you'll have to upgrade from Java 7 to Java 8. See this answer: http://stackoverflow.com/a/21290409/57752

    My understanding is that certificates vouch that a public key belongs to a certain entity. If you are going to change from RSA to, say, DHE_RSA, wouldn't the server need a DHE_RSA public key and thus a new certificate that will vouch for this new public key?

    @Eddie Going from a 256 bit key to a 128 bit key seems like a big downgrade, why isn't 256 CBC just as good or better?

    Windows: from https://www.nartac.com/Support/IISCrypto/FAQ ... your website is using obsolete cryptography if the cipher suite does not support forward secrecy and authenticated encryption (AEAD). The only two cipher suites that support this on Windows using RSA certificates are TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256. Unfortunately those cipher suites use 1024 bits for their Diffie-Hellman parameters which has long been considered weak. The only way to get rid of this warning is to use DSA certificates or wait until Windows 10 Server is released...

    @Michael With a modern block cipher (e.g. AES), 128-bit keys are _good enough_ (in the sense that a brute-force attack is utterly infeasible). 256-bit keys just waste electricity and CPU time. This will change if quantum computers become practical, but we can worry about that then. Changing from CBC to GCM, however, really does increase your security. GCM is a newer, better-designed mode of operation which avoids several known weaknesses in CBC (as used by TLS).

  • That message probably indicates you're

    • Using SSLv3, or
    • Have a certificate signed with SHA-1 or MD5

    According to this page. The former is a configuration issue, the latter require you to get a certificate signed with a SHA-256 hash.

    The image says that "The connection uses TLS 1.2.".

    OP can rule out SSLv3. Anybody else who finds this because they're searching for that error message might not be able to, so it's worth mentioning.

    Your answer unfortunately is wrong. As Ricky Demer said you can see that the connection uses TLS 1.2. And if the server uses a certificate with an old SHA-1 hash Chrome tells you about this in another place.

  • I had the same issue and used this free service to get a: SSL report.

    The report scans your SSL configuration and tells you:

    • Information about the certificate (Common names, valid dates, key size, signature algorithm, issuer, ...)
    • Certification path
    • Enabled protocols (making sure SSL 2 and SSL 3 are disabled)
    • Cipher suites supported (where you can see what should be disabled)
    • Handshake simulations for different browsers and OS.
    • Protocol details (are you vulnerable ?)

    It helped me get information about how my configuration was set, what could be improved or disabled and I ended up modifying the ssl_cipher directive from Nginx to support the Intermediate compatibility.

  • Since the protocol version is good and AES_128-GCM is certainly not obsolete the remaining possibility is that something is wrong with the RSA key exchange. I'm not sure what google chrome understands as obsolete, but just the fact that key exchange is performed using RSA is not particularly good. Preferably RSA should only be used for authentication and the key exchange should be performed using DHE or ECDHE.

    As someone pointed out you might also be having a problem with your certificate which is either signed with a bad hash function or the key might be too short (512 bits?) the latter is not very probably though.

    Good deduction. It is the KEX_RSA bit they don't like. However, I am surprised that PFS's "hackable in next round of LogJam" is so universally considered better than RSA's "hackable if server loses certificate in future".

  • You can use openssl s_client -connect <server_name>:443 from linux to see the ssl handshake. Check the Peer signing digest, protocol, and cipher. Usally chrome has more details about the obselete configurations, you can try to update. Check if algorithm hash, ciphers, protocol are modern.

    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4499 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: <id>
        Session-ID-ctx:
        Master-Key: <key>
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1579360646
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    

    Note: Openssl v 1.1.1 may fail to connect to server if the Peer signing digest: SHA1, you can try to reduce the security in /etc/ssl/openssl.cfn or /etc/pki/tls/openssl.cnf by setting the CipherString = [email protected] = 1 and try again. With openssl you can set -ciphers -sigalgs and more to debug.

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM