Google’s Chrome 39 Sunsetting SHA-1

Google has announced that they are sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November 2014. SHA-1 root certificates are not affected by this plan.

Most providers are offering free upgrades to SHA-2 certificates, so be sure to contact yours to see if you qualify.

More info can be found on Google’s security blog.

SHA-1 vs. SHA-2 SSL Certificates

If you’re thinking about moving to a SHA-2 hashing algorithm for your SSL certificate, remember that it will break in IE6 and all versions of IE on Windows XP prior to SP3. So if you’re supporting users on older machines / browsers, you’ll need to stick with SHA-1.

More information is available here.

Load Balancing a Reverse Proxy with Nginx, PHP5-FPM & SSL

Continuing with our migration to Nginx (see previous posts here and here), the next set of servers to move was a load-balanced group of PHP servers. Each server consists of an HTTP server on port 80, an HTTPS server on port 443 and an upstream PHP server on port 8000.

  • 1 to n upstream PHP servers can be configured, either local or remote
  • configuration supports both HTTP (80) and HTTPS (443)
  • SSL is terminated at the front end before requests are passed to the upstream server
  • PHP upstream server uses PHP5-FPM via a local socket
  • static files are served directly via Nginx and are set to max expires
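
A configuration matching the layout in the list above, as an added example that is not the author's own config. The server name, document root, certificate paths, socket path, static-file extension list and the commented remote peer address are all assumptions.

```nginx
# Added example: names, paths and addresses below are assumptions.
upstream php_backend {
    server 127.0.0.1:8000;       # local upstream PHP server
    # server 10.0.0.12:8000;     # constructed remote peer; add 1 to n of these
}

# Front end: HTTP on 80 and HTTPS on 443; SSL is terminated here.
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    root /var/www/example;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Static files are served directly by Nginx with max expires.
    location ~* \.(css|js|png|jpg|gif|ico)$ {
        expires max;
    }

    # Everything else goes to the upstream group over plain HTTP.
    location / {
        proxy_pass http://php_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Overwrite (not append) so a client-supplied value is never trusted.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Upstream PHP server on port 8000, handing scripts to PHP5-FPM via a socket.
server {
    listen 127.0.0.1:8000;       # use a private address if peers are remote
    root /var/www/example;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;     # only execute scripts that exist on disk
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }
}
```

Because SSL ends at the front end, traffic to any remote upstream on port 8000 is plaintext, so keep that port off public interfaces and reachable only from the proxy. Run `nginx -t` to validate the syntax before reloading.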

There are also some future optimizations I’m currently looking at:

AWS Now Supports SSL and Wildcard CNAMEs

Back in June Amazon announced support for custom SSL certificates with CloudFront, meaning you can now use your own domain name to serve content via https rather than their pesky CloudFront URLs (i.e.

The only downside was the price… $600 per month per certificate. If you needed a couple of different domains (i.e.,,, this could get expensive quickly.

Well now you can simply purchase a wildcard certificate and secure all of those domains with a single certificate.

More info can be found here and here.