jvansteirteghem / apjp

APJP is a proxy written in JAVA, PHP, PYTHON and RUBY.

SHA-1 SSL certificates discontinue in chrome and soon firefox & other browsers #3

Open bitmai opened 7 years ago

bitmai commented 7 years ago

As you know, Chrome stopped trusting any SHA-1 SSL certificate; also, other solutions like adding the shortcut flag "--ignore-certificate-errors" to Chrome or "chrome://flags/#allow-insecure-localhost" do not work anymore! For some websites it says:

You attempted to reach TARGET-URL, but the server presented a certificate signed using a weak signature algorithm (such as SHA-1). This means that the security credentials the server presented could have been forged, and the server may not be the server you expected (you may be communicating with an attacker). Learn more.

and there is a proceed to continue: Proceed to TARGET-URL (unsafe)

but for websites which use HSTS, like Facebook or Google or Instagram..., it doesn't work and I get this error: NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

I don't know if there is a walkthrough or any other fix for that. Maybe if APJP used SHA-2 SSL it would fix the issue.

afshar-mohammad commented 7 years ago

The --ignore-certificate-errors still works for me, but this problem needs to be fixed.

jvansteirteghem commented 7 years ago

In https://github.com/jvansteirteghem/apjp/blob/master/APJP_LOCAL_JAVA/src/main/java/APJP/HTTPS/HTTPS.java the x509Certificate is signed with sha1WithRSAEncryption (oid=1.2.840.113549.1.1.5). Signing with sha256WithRSAEncryption (oid=1.2.840.113549.1.1.11) will probably solve the problem:

x509Certificate.sign(new AlgorithmID(new ObjectID("1.2.840.113549.1.1.5")), privateKey); // SHA1_WITH_RSA_ENCRYPTION

should be

x509Certificate.sign(new AlgorithmID(new ObjectID("1.2.840.113549.1.1.11")), privateKey); // SHA256_WITH_RSA_ENCRYPTION

I have not tested the solution.
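A defender's check for the point above, as an added example (not APJP's code): a minimal DER walker that reads the signatureAlgorithm OID out of a certificate and flags sha1WithRSAEncryption. It runs on a constructed stand-in certificate built inline rather than a real one; feed it real DER bytes to check a live proxy certificate.

```python
# Signature-algorithm OIDs named in the issue: (name, rejected by browsers)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (certs are > 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm(cert_der):
    """Return (oid, name, is_weak) from Certificate.signatureAlgorithm."""
    tag, cert, _ = _tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, _, pos = _tlv(cert, 0)              # skip tbsCertificate
    tag2, algid, _ = _tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE
    tag3, oid_bytes, _ = _tlv(algid, 0)    # algorithm OBJECT IDENTIFIER
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER X.509 certificate")
    oid = decode_oid(oid_bytes)
    name, weak = SIG_OIDS.get(oid, ("unknown", True))   # unknown: treat as weak
    return oid, name, weak

def _enc(tag, body):
    """DER-encode tag + body (short or one-byte long-form length; body < 256)."""
    length = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body

def sample_cert(oid_bytes):
    """Constructed stand-in: dummy tbsCertificate, real AlgorithmIdentifier, empty sig."""
    tbs = _enc(0x30, b"\x02\x01\x02" * 60)   # 180 bytes forces long-form length
    algid = _enc(0x30, _enc(0x06, oid_bytes) + b"\x05\x00")
    return _enc(0x30, tbs + algid + _enc(0x03, b"\x00"))

SHA1_RSA = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11
```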

lewis617 commented 7 years ago

Hope this problem will be fixed as soon as possible.