Solved

Determining & validating if my SSL certificate is using SHA-2 cipher ?

Posted on 2016-10-23
15
126 Views
Last Modified: 2016-10-27
People,

Can anyone here please assist me in how to identify my existing SSL certificates which is using SHA-2 or not ?

I need to know if my existing SSL certificate is SHA-2 or not due to POODLE vulnerability (CVE-2014-3566 and CVE-2014-8730).

This is the article which is confused me:POODLE
Thanks,
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
  • 3
  • +1
15 Comments
 
LVL 27

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 125 total points
ID: 41856494
Per the above notes you've shown us, if the certicate was issued after January 1 of this year, it was issued using a SHA-2 cipher.

When was it issued?
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41856503
Certificate
I don't know, I'm new in the company hence I do not know when it was issued apart from the screenshot above.

Is that correct ?
0
 
LVL 78

Accepted Solution

by:
arnold earned 250 total points
ID: 41856514
Valid date is when it was issued.
Look at the cert detail, advanced, usually it has many details there.
The certificate is an identity mechanism, you can use regedit and disable ciphers within the schannel in hkey_local_machine setting to limit the protocols to tls 1.x and disable ciphers the client/server negotiate.
1
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41856526
Certificate - SHA
I can see it from the above screenshot, there is nothing mentioning SHA-2 at all ?

I have also disabled them all according to the steps in Registry on page 23-24. Would that be enough ?

Source PDF: http://www.preferrednet.net/media/1281143/iis_reverse_proxy_for_oxi_oeds-poodle_082815.pdf
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 125 total points
ID: 41856529
If your site is public, you can check it on this site:  https://www.ssllabs.com/index.html  I check all my sites there.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41856530
Dave,

I don't think so, because when I put in the URL as per certificate SAN, it is displaying:

Assessment failed: Unable to connect to the server

from the Qualys website.
0
 
LVL 78

Expert Comment

by:arnold
ID: 41856531
The certificate is not the item suseptible to the attack, the connection between client/server us the issue.
Your certificate is SHA1 which does not conform to the notice you cited.

You seemed to have skipped the first paragraph of the notice and seems to misread/misinterpreted the meaning/implication of the seondary paragraph of the notice cited.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41856534
I think you're probably alright.  For some reason, SHA-2 seems to mean SHA256.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41856537
@Arnold and @Dave: So in my case here, does my certificate seems vulnerable to POODLE or not ?

as I'm bit confused here.

The current SSL certificate is installed in the DMZ server which is running the web service for the other site offices to connect and pass on transaction to my head office Data Center.

When I type in the URL from the certificate subject, I cannot open the page from my Guest Wifi and from home.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41856539
Arnold,

So is it the Thumbprint algorithm that I need to check ?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41856544
My certificates with 'A' ratings have SHA1 for the fingerprint but SHA256 for everything else.
0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 41856549
Dave, is there any way to test the SSL certificate from the Qualys or any other website for POODLE vulnerability ?

I guess I will have to export the SSL certificate and then test it somewhere else.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41856587
I don't think that will work since the certificate is specific to the domain name that it is for and shouldn't work anywhere else.
0
 
LVL 78

Assisted Solution

by:arnold
arnold earned 250 total points
ID: 41856967
The certificate us like a driver license, its authenticity verified by the signer, in this case it is goddaddy. The exchange of data that us suseptible to poodle deals with the interaction between a fluent and the web server via crypt modes.
Disable the ciphers raised as a concern.
If your site is not public, your exposure is there but is limited to authorized, done what more secured versus open to all.

Yes, you can install the certificate/private key on an externally facing system, or for purposes of this test, open a non-standard port that will forward the request to the server. Use the non-standard port in the ssllabs test then disable the forward after done with testing.
1
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 41863381
Thanks all !
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
While it may be true that the internet is a place of possibilities, it is also a hostile environment lurking with many dangers. By clicking on the wrong link, trusting the wrong person or using a weak password, you are virtually inviting hackers to …
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question