Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 167
  • Last Modified:

Determining & validating if my SSL certificate is using SHA-2 cipher ?

People,

Can anyone here please assist me in how to identify my existing SSL certificates which is using SHA-2 or not ?

I need to know if my existing SSL certificate is SHA-2 or not due to POODLE vulnerability (CVE-2014-3566 and CVE-2014-8730).

This is the article which is confused me:POODLE
Thanks,
0
Senior IT System Engineer
Asked:
Senior IT System Engineer
  • 7
  • 4
  • 3
  • +1
4 Solutions
 
Dr. KlahnPrincipal Software EngineerCommented:
Per the above notes you've shown us, if the certicate was issued after January 1 of this year, it was issued using a SHA-2 cipher.

When was it issued?
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Certificate
I don't know, I'm new in the company hence I do not know when it was issued apart from the screenshot above.

Is that correct ?
0
 
arnoldCommented:
Valid date is when it was issued.
Look at the cert detail, advanced, usually it has many details there.
The certificate is an identity mechanism, you can use regedit and disable ciphers within the schannel in hkey_local_machine setting to limit the protocols to tls 1.x and disable ciphers the client/server negotiate.
1
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Certificate - SHA
I can see it from the above screenshot, there is nothing mentioning SHA-2 at all ?

I have also disabled them all according to the steps in Registry on page 23-24. Would that be enough ?

Source PDF: http://www.preferrednet.net/media/1281143/iis_reverse_proxy_for_oxi_oeds-poodle_082815.pdf
0
 
Dave BaldwinFixer of ProblemsCommented:
If your site is public, you can check it on this site:  https://www.ssllabs.com/index.html  I check all my sites there.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Dave,

I don't think so, because when I put in the URL as per certificate SAN, it is displaying:

Assessment failed: Unable to connect to the server

from the Qualys website.
0
 
arnoldCommented:
The certificate is not the item suseptible to the attack, the connection between client/server us the issue.
Your certificate is SHA1 which does not conform to the notice you cited.

You seemed to have skipped the first paragraph of the notice and seems to misread/misinterpreted the meaning/implication of the seondary paragraph of the notice cited.
0
 
Dave BaldwinFixer of ProblemsCommented:
I think you're probably alright.  For some reason, SHA-2 seems to mean SHA256.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
@Arnold and @Dave: So in my case here, does my certificate seems vulnerable to POODLE or not ?

as I'm bit confused here.

The current SSL certificate is installed in the DMZ server which is running the web service for the other site offices to connect and pass on transaction to my head office Data Center.

When I type in the URL from the certificate subject, I cannot open the page from my Guest Wifi and from home.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Arnold,

So is it the Thumbprint algorithm that I need to check ?
0
 
Dave BaldwinFixer of ProblemsCommented:
My certificates with 'A' ratings have SHA1 for the fingerprint but SHA256 for everything else.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Dave, is there any way to test the SSL certificate from the Qualys or any other website for POODLE vulnerability ?

I guess I will have to export the SSL certificate and then test it somewhere else.
0
 
Dave BaldwinFixer of ProblemsCommented:
I don't think that will work since the certificate is specific to the domain name that it is for and shouldn't work anywhere else.
0
 
arnoldCommented:
The certificate us like a driver license, its authenticity verified by the signer, in this case it is goddaddy. The exchange of data that us suseptible to poodle deals with the interaction between a fluent and the web server via crypt modes.
Disable the ciphers raised as a concern.
If your site is not public, your exposure is there but is limited to authorized, done what more secured versus open to all.

Yes, you can install the certificate/private key on an externally facing system, or for purposes of this test, open a non-standard port that will forward the request to the server. Use the non-standard port in the ssllabs test then disable the forward after done with testing.
1
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks all !
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

  • 7
  • 4
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now