Chrome is removing support for signature algorithms using SHA-1 for server signatures during the TLS handshake. This does not affect SHA-1 support in server certificates, which was already removed, or in client certificates, which continues to be supported. SHA-1 can be temporarily re-enabled via the InsecureHashesInTLSHandshakesEnabled enterprise policy, which will be removed in Chrome 123.
SHA-1 has known collisions and is no longer considered a secure hash function. Removing support ensures these weaknesses cannot be used by an attacker to impersonate a TLS server. Use of SHA-1 signatures in TLS has been deprecated by the IETF in RFC 9155. SHA-1 in client certificates and client signatures is also deprecated in RFC 9155, but this change does not affect it. For now, Chrome will continue to send SHA-1 client certificates if provisioned, and generate SHA-1 client signatures if requested by the server. To mitigate the corresponding client impersonation attack, server operators can and should reject SHA-1 from the client when deploying client certificates (sometimes referred to as mTLS).
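A server asks for client signatures through the signature scheme list in its CertificateRequest, so one way to check an mTLS deployment is to decode that list and flag the SHA-1 entries. The following is an added example, not Chrome's code; the function names and the two byte strings are constructed for illustration.

```python
import struct

# SHA-1 is HashAlgorithm 2 in TLS 1.2 (RFC 5246). TLS 1.3 keeps the same code
# points as rsa_pkcs1_sha1 (0x0201) and ecdsa_sha1 (0x0203) (RFC 8446).
SHA1_HASH_ID = 0x02
SIG_NAMES = {0x01: "rsa_pkcs1", 0x02: "dsa", 0x03: "ecdsa"}

# Constructed sample vectors (2-byte length prefix, then 2-byte schemes).
# WEAK: ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256,
#       rsa_pkcs1_sha1, ecdsa_sha1
WEAK_REQUEST = bytes.fromhex("000a" "0403" "0804" "0401" "0201" "0203")
# HARDENED: the same list with the SHA-1 schemes removed
HARDENED_REQUEST = bytes.fromhex("0006" "0403" "0804" "0401")


def parse_signature_algorithms(vector):
    """Decode a length-prefixed scheme list into 16-bit code points."""
    if len(vector) < 2:
        raise ValueError("missing length prefix")
    (length,) = struct.unpack("!H", vector[:2])
    body = vector[2:]
    if length == 0 or length % 2 or length != len(body):
        raise ValueError("malformed signature_algorithms vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def sha1_schemes(schemes):
    """Return names of advertised schemes that sign over a SHA-1 digest."""
    found = []
    for scheme in schemes:
        hash_id, sig_id = scheme >> 8, scheme & 0xFF
        if hash_id == SHA1_HASH_ID and sig_id in SIG_NAMES:
            found.append(f"{SIG_NAMES[sig_id]}_sha1 (0x{scheme:04x})")
    return found


def audit(vector):
    """Parse one advertised list and report its SHA-1 entries."""
    return sha1_schemes(parse_signature_algorithms(vector))


if __name__ == "__main__":
    for label, vec in (("weak", WEAK_REQUEST), ("hardened", HARDENED_REQUEST)):
        hits = audit(vec)
        print(label, "->", hits if hits else "no SHA-1 schemes advertised")
```

The same decoder applies to the `signature_algorithms` extension a client sends, since both use the same two-byte code points.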