Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

SOLVED SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)

Discussion in 'Security' started by clearchaos, Mar 16, 2018.

Tags:
  1. clearchaos

    clearchaos Member

    Joined:
    Dec 24, 2008
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    53
    Hi,

    My server is failing a PCI scan on a few ports with:

    "SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)" - CVE-2004-2761 BID : 33065, 11849 Other references { cert : 836068osvdb : 45127, 45106, 45108cwe : 310 }

    The following known CA certificates were part of the certificate
    chain sent by the remote host, but contain hashes that are considered
    to be weak.

    |-Subject : C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    |-Signature Algorithm : SHA-1 With RSA Encryption
    |-Valid From : May 30 10:48:38 2000 GMT
    |-Valid To : May 30 10:48:38 2020 GMT
    I've reissued the server certificate but to no avail. Google is taking me around in circles and I'm not finding the answer. Can anyone offer any advice?

    Thanks.
     
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    969
    Likes Received:
    380
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    This thread at Expert Exchange might be useful to you.

    It rather looks like you will need to get a new certificate, and you may need to consider moving to a different CA who uses acceptable algorithms in their certificate chain..

    Following information is from the Cryptographic Storage Cheat Sheet - OWASP

    If the information that you posted is correct.......
    ........this certificate was generated in the year 2000 and has not been considered secure since 2005, and many browsers and organisations have stopped accepting it since 2017.

    Further reading from :
    https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know
    Google Online Security Blog: Gradually sunsetting SHA-1
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 rpvw, Mar 17, 2018
    Last edited: Mar 17, 2018
  3. clearchaos

    clearchaos Member

    Joined:
    Dec 24, 2008
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    53
    Thanks for your reply, it's very much appreciated.

    I understand why sha1 has to go, but it seems like the root certificate in the chain is the problem here, is that right? It's the only place I can find reference to sha1 in an ssllabs scan. The ssllabs report shows two paths, the first is OK, but the second has the entry shown below - should there even be two paths?

    4 In trust store AddTrust External CA Root Self-signed
    Fingerprint SHA256: 687f[REMOVED]d2ff2
    Pin SHA256: lCppFqbkrlJ3[REMOVED]EUk7tEU=
    RSA 2048 bits (e 65537) / SHA1withRSA
    Weak or insecure signature, but no impact on root certificate
    The certificate on the site is cPanel generated (autossl).
    PCI scans have been fine up until this month.
     
  4. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    969
    Likes Received:
    380
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    This is very strange. I never noticed it before as I don't try and get PCI compliance.

    I just ran one of my sites AutoSSL through ssllabs and got exactly the same result as you did.

    Perhaps someone at cPanel will enlighten us. o_O
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. clearchaos

    clearchaos Member

    Joined:
    Dec 24, 2008
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    53
    Thanks again.

    At least it's (probably) not down to config on my server if you can also replicate the issue.

    Fingers crossed a cPanel sage will help :)
     
  6. clearchaos

    clearchaos Member

    Joined:
    Dec 24, 2008
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    53
  7. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    423
    Likes Received:
    7
    Trophy Points:
    168
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    This is coming up on PCI scans a lot now for SSL certs generated for the free cPanel hostname certificates.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,423
    Likes Received:
    1,957
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. clearchaos

    clearchaos Member

    Joined:
    Dec 24, 2008
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    53
    Hi - just a quick update on this. I eventually raised this as a "false positive" with the following statement:

    I believe this to be a false positive as SHA-1 is only used on the root certificate. According to Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm, SHA-1-based signatures for trusted root certificates are not a problem because TLS clients trust them by their identity, rather than by the signature of their hash (ref: Google Online Security Blog: Gradually sunsetting SHA-1) .
    This was accepted by the scanning company.

    Thanks for your help.
     
    cPanelMichael likes this.
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,423
    Likes Received:
    1,957
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hi @clearchaos,

    Thank you for sharing the outcome.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice