Chrome 117 has just rolled out denial of SHA1 signature algorithms (for header signing -- not ciphers which have already been removed) and now Chrome on any platform is unable to connect to trafficserver 9.2.2 on RHEL 7. I'm the Fedora/RHEL package maintainer so this is my problem, but before I dig into the OpenSSL usage I figured I'd poll for OpenSSL experts first. :-)

Details on the Chrome change: https://groups.google.com/a/chromium.org/g/blink-dev/c/ZdpqIOKTHeM?pli=1

The underlying problem seems to be that RHEL 7 has OpenSSL 1.0.2k+patches, which does not support TLS v1.3, so we are using TLS v1.2. Then for some reason I haven't yet determined, Traffic Server is only presenting a SHA-1 option for header signing -- possibly due to the signature_algorithm extension not being configured.

Apache httpd still works with the same OpenSSL and Chrome 117, so obviously there's some possible workaround in how OpenSSL gets used. Obviously the preferable answer is "use a modern OpenSSL" but that's not really possible on CentOS 7 / RHEL 7.

Is anyone familiar enough with OpenSSL to point me in the right direction? Otherwise I'll dig in...

Thanks,
--Jered