I'm well aware of the changes made to Chrome 42 and SHA-1 signed certificates.
Here is a short reminder: https://blog.filippo.io/the-unofficial-chrome-sha1-faq/
Our client reported this problem and I've explained what was causing it. Here is the screenshot he gave me:
The problem is that I've upgraded Chrome on an offline VM (using the same version as the client: 42.0.2311.90 m) with the standalone setup and I can't see this behavior (tried the same website as well as other internal sites with SHA-1 certificates expiring after 2017). All locks are green:
Do you have a hint of what could cause this difference in behavior between two Chromes of the same version?
Thanks
Edit: here are the certificate details that should trigger "unsecure https" in Chrome 42:
Edit 2: I did a comparison between the VM's chrome://conflicts page and the client's. When I saw a diff in the crypto API related to this KB: https://support.microsoft.com/en-us/kb/3033929 (read the tech note inside), I thought maybe Chrome was relying on the OS API to check the validity of the certificate (MS, Google and Mozilla agreed on this 2017 end-of-support date).
I've applied the KB but so far no changes. Still a green lock. I'm going to open a bug on the Chromium support list. I'll update this post later.
Best Answer
The answer is that the flags controlling how Chrome behaves regarding SHA-1 certificates are remotely controlled (Google servers). In Chrome 42 (and maybe 43) it was implemented fail-open, thus giving a green lock on an off-network VM. In Chrome 44 it's implemented fail-closed.
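As an added example (not code from the question or the answer), a stdlib-only check for the rule the question relies on: whether a DER certificate is SHA-1 signed with a notAfter in 2017 or later, the combination Chrome 42 was expected to flag. It assumes "expiring after 2017" means notAfter on or after 2017-01-01, builds its own constructed test certificate (bogus key and signature), and of course cannot reproduce the remote-flag behaviour the answer describes, since that check never looks at the certificate.

```python
import datetime  # added example, not the post's code; "expiring after 2017" read as notAfter >= 2017-01-01

SHA1_RSA_OID = "1.2.840.113549.1.1.5"                      # sha1WithRSAEncryption
OID_SHA1_RSA = bytes.fromhex("06092a864886f70d010105")     # same OID, DER-encoded
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")   # sha256WithRSAEncryption, DER-encoded
SUNSET = datetime.datetime(2017, 1, 1)                     # assumed cutoff (see lead-in)

def der(tag, content):                 # minimal DER encoder, short- and long-form lengths
    n = len(content)
    size = 0 if n < 128 else (n.bit_length() + 7) // 8
    head = bytes([tag, n]) if size == 0 else bytes([tag, 0x80 | size]) + n.to_bytes(size, "big")
    return head + content

def der_children(data):                # split DER content into (tag, content) pairs
    out, pos = [], 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:              # long-form length: the next `size` bytes hold it
            size = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        out.append((tag, data[pos:pos + length]))
        pos += length
    return out

def decode_oid(content):               # OBJECT IDENTIFIER content octets -> dotted string
    arcs, n = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def sha1_sunset_hit(cert_der):         # True when Chrome 42's SHA-1 rule applies to this DER cert
    tbs, sig_alg, _signature = der_children(der_children(cert_der)[0][1])
    oid = decode_oid(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:           # skip the EXPLICIT [0] version when present
        fields = fields[1:]            # now: serial, sigAlg, issuer, validity, subject, spki, ...
    tag, not_after = der_children(fields[3][1])[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    expiry = datetime.datetime.strptime(not_after.decode("ascii"), fmt)
    return oid == SHA1_RSA_OID and expiry >= SUNSET

def constructed_cert(sig_oid_der, not_after_utctime):  # constructed test cert: bogus key and signature
    alg = der(0x30, sig_oid_der + b"\x05\x00")
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"intranet.example"))))
    validity = der(0x30, der(0x17, b"150101000000Z") + der(0x17, not_after_utctime))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00\xaa\xaa\xaa\xaa"))
```

On a real certificate, feed `sha1_sunset_hit` the DER bytes (e.g. the output of `base64.b64decode` of a PEM body) instead of `constructed_cert`.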