A ThreatPulse policy with SSL interception enabled results in browser warnings when Mozilla Firefox users access certain SSL-based sites through the web security service.
Firefox versions prior to 43.0.4 generate a warning* if a SHA-1 certificate with a “notBefore” date after 2016-01-01 is encountered. Some certificates deployed in the web security service might have a “notBefore” after 2016-01-01 as a result of standard maintenance processes. This includes data pods that require a certificate update prior to expiration and/or activities related to datacenter expansion as a result of capacity requirements.
Note: The SHA-1 certificates deployed in the web security service are completely valid and adhere to all web standards. This warning is specific to the implementation of SSL certificate enforcement within the Firefox browser.
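To check whether a given certificate meets the condition described above, the following added example (not Blue Coat or Mozilla code) parses the text produced by `openssl x509 -noout -text` and flags certificates that are SHA-1 signed with a "Not Before" date on or after 2016-01-01. The function names, the sample dumps and the exact cutoff instant (00:00:00 UTC) are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Cutoff date from the article; treating it as 00:00:00 UTC is an assumption.
SHA1_CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
NOT_BEFORE_RE = re.compile(r"Not Before\s*:\s*(.+?)\s+GMT")


def parse_cert_text(text):
    """Return (signature_algorithm, not_before) from an openssl text dump."""
    sig = SIG_RE.search(text)
    nb = NOT_BEFORE_RE.search(text)
    if not sig or not nb:
        raise ValueError("input is not 'openssl x509 -noout -text' output")
    # OpenSSL pads single-digit days with an extra space ("Jan  1 ...").
    stamp = " ".join(nb.group(1).split())
    not_before = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    return sig.group(1), not_before.replace(tzinfo=timezone.utc)


def triggers_firefox_sha1_warning(text):
    """True if the certificate is SHA-1 signed and issued on/after the cutoff.

    Matches algorithm names such as sha1WithRSAEncryption or ecdsa-with-SHA1.
    RSASSA-PSS keeps its hash in the parameters and is not covered here.
    """
    sig, not_before = parse_cert_text(text)
    return "sha1" in sig.lower() and not_before >= SHA1_CUTOFF


def sample_dump(sig, not_before):
    """Build a constructed, abbreviated openssl text dump for the demo."""
    return (
        "Certificate:\n    Data:\n"
        f"        Signature Algorithm: {sig}\n"
        "        Validity\n"
        f"            Not Before: {not_before} GMT\n"
        "            Not After : Jan  1 00:00:00 2019 GMT\n"
    )


if __name__ == "__main__":
    for sig, nb in [("sha1WithRSAEncryption", "Jan 12 00:00:00 2016"),
                    ("sha1WithRSAEncryption", "Nov  3 00:00:00 2015"),
                    ("sha256WithRSAEncryption", "Feb  9 00:00:00 2016")]:
        print(sig, nb, triggers_firefox_sha1_warning(sample_dump(sig, nb)))
```

Feed it the output of `openssl x509 -noout -text` for each certificate presented by the intercepting proxy to see which ones affected Firefox versions would warn on.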
The Blue Coat Cloud security service is in the process of gradually deploying SHA-2 root certificates. Further details regarding progress and implementation will be provided at a later date. Please continue to check this page periodically for more details.
Recommendation for policies with SSL Intercept:
If this issue applies to your deployment, we are reinforcing Mozilla's recommendation to upgrade to the latest available version of Firefox to address the certificate warnings (version 43.0.4 or newer).
Below, the Mozilla team (source: mozilla.org) notes that the latest version of Firefox changes this behavior by re-enabling support for SHA-1 certificates:
“The latest version of Firefox re-enables support for SHA-1 certificates to ensure that we can get updates to users behind man-in-the-middle devices, and enable us to better evaluate how many users might be affected.”
Download the latest version of Mozilla Firefox
Review Firefox Version 43.0.4 Release Notes
Imported Document ID: 000029268