SSL VA

Issue :SSL Certificate Signed Using Weak Hashing Algorithm      

An SSL certificate in the certificate chain has been signed using a
weak hash algorithm.      The remote service uses an SSL certificate chain that has been signed
using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5,
or SHA1). These signature algorithms are known to be vulnerable to
collision attacks. An attacker can exploit this to generate another
certificate with the same digital signature, allowing an attacker to
masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with
SHA-1 that expire after January 1, 2017 as vulnerable. This is in
accordance with Google's gradual sunsetting of the SHA-1 cryptographic
hash algorithm.

Note that certificates in the chain that are contained in the Nessus
CA database (known_CA.inc) have been ignored.      

Contact the Certificate Authority to have the certificate reissued.      

http://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?e120eea1
http://technet.microsoft.com/en-us/security/advisory/961509

      
Plugin output:The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.

|-Subject             : CN=XXX
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From          : Sep 30 12:06:43 2016 GMT
|-Valid To            : Sep 28 12:06:43 2026 GMT
Molly sAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Panagiotis ToumpaniarisSystem EngineerCommented:
And the question is?
0
btanExec ConsultantCommented:
It is warning on SHA1 use. Configure the service to only allow strong encryption, and replace the certificate if necessary. E.g. You'll need to generate a new certificate request, and get your CA to issue you a new certificate using SHA-2. You don't need to worry about SHA-1 root certificates that ship with browsers, because their integrity is verified without using a digital signature. https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1#what-you-can-do
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Molly sAuthor Commented:
thnk u
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Encryption

From novice to tech pro — start learning today.