We utilize HTTPS deep packet inspection in our firewall via a trusted root certificate in the Windows certificate store. Chrome recently pushed forward with a feature to perform additional checks on certificate issuance called Certificate Transparency, where each certificate used (that was issued after a certain date) is checked against a known good list of CAs.
The use of HTTPS deep packet inspection (aka HTTPS proxying/offloading/MiTM) now causes Chrome to error as per this example.
Is it possible to disable the sole feature of audit log checking in Chrome?
Update in response to womble's answer.
This update is wrong. Womble's answer is correct, see below.
This is what I originally thought, but it clearly isn't.
Here are screenshots of overly righteous Chrome:
No MiTM:
MiTM:
It does appear that it is directly related to cert transparency/audit log checking and not the use of SHA-1 and upcoming deprecation in nanny Chrome. Worth noting that our internal CA cert does expire after 2017.
Update 2, womble is right:
Thanks to womble's answer, I re-reviewed the notice from the Chrome team, and noticed any site with a cert with an expiration 2017+ that uses SHA-1 will get the "affirmatively insecure" warning (the crossed out red lock icon).
To prove my MiTM/proxy is the culprit, I used a Salesforce test site (located via ducking a KB article).
No MiTM:
MiTM:
*Note that even with no MiTM Chrome detects this site as "secure, but with minor errors" (that yellow icon) because the cert expires within the 2016 calendar year, not 2017+.
My proxy/MiTM is downgrading the algo from SHA-256 to SHA-1. Tsk Tsk! Chrome is acting exactly as intended according to the notice, and I do not believe my users will receive "affirmatively insecure" notifications once I resolve this issue with the MiTM/proxy.
Thanks!
Update 3: Remember to check firmware updates/release notes... SHA-256 now supported. Update slated Friday. Should be a-okay.
Assuming that the example you're pointing to is actually the one about "The site is using outdated security settings", and not "does not have public audit records", I'm about 99.99% sure that your problem isn't CT, for several reasons:
The error about "using outdated security settings" actually means that your MitM proxy is issuing SHA-1-based certificates with expiry dates in the far future, which probably isn't such a winning idea.
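An added example, not part of the original question or answer: a standard-library Python check that reads the signature algorithm and notAfter date out of a DER certificate and applies the SHA-1 thresholds quoted in the thread (expiry in 2017+ versus within 2016). The function names are hypothetical, and `sample_cert` builds constructed certificate skeletons (correct field layout, no real key or signature) so the check runs offline.

```python
from datetime import datetime

SHA1_OIDS = {bytes.fromhex("2a864886f70d010105"),  # sha1WithRSAEncryption (DER OID value)
             bytes.fromhex("2a8648ce3d0401")}      # ecdsa-with-SHA1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def sig_oid_and_not_after(der):
    """Return (signatureAlgorithm OID bytes, notAfter) of a DER certificate."""
    tbs, sig_alg = children(read_tlv(der, 0)[1])[:2]
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]  # drop optional [0] version
    tag, raw = children(fields[3][1])[1]  # serial, sigAlg, issuer, validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime or GeneralizedTime
    return children(sig_alg[1])[0][1], datetime.strptime(raw.decode("ascii"), fmt)

def chrome_sha1_state(der):
    """Apply the SHA-1 thresholds quoted in the question to one certificate."""
    oid, not_after = sig_oid_and_not_after(der)
    if oid not in SHA1_OIDS:
        return "no SHA-1 warning"
    if not_after.year >= 2017:
        return "affirmatively insecure"
    # The thread gives no rule for expiry before 2016; treated as no warning (assumption).
    return "secure, but with minor errors" if not_after.year == 2016 else "no SHA-1 warning"

def tlv(tag, body):  # DER encoder for the constructed sample only (lengths < 128)
    return bytes([tag, len(body)]) + body

def sample_cert(sig_oid_hex, not_after):
    """Constructed skeleton with the X.509 field layout; no real key or signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"150101000000Z") + tlv(0x17, not_after))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") + validity + tlv(0x30, b"") + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

To check a certificate your inspection proxy actually issued, export it as PEM and pass `ssl.PEM_cert_to_DER_cert(pem)` to `chrome_sha1_state`.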