Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SOLVED SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)

Discussion in 'Security' started by clearchaos, Mar 16, 2018.

Tags:
  1. clearchaos

    clearchaos Member

    Joined:
    Dec 24, 2008
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    53
    Hi,

    My server is failing a PCI scan on a few ports with:

    "SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)" - CVE-2004-2761 BID : 33065, 11849 Other references { cert : 836068osvdb : 45127, 45106, 45108cwe : 310 }

    The following known CA certificates were part of the certificate
    chain sent by the remote host, but contain hashes that are considered
    to be weak.

    |-Subject : C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    |-Signature Algorithm : SHA-1 With RSA Encryption
    |-Valid From : May 30 10:48:38 2000 GMT
    |-Valid To : May 30 10:48:38 2020 GMT
    I've reissued the server certificate but to no avail. Google is taking me around in circles and I'm not finding the answer. Can anyone offer any advice?

    Thanks.
     
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    618
    Likes Received:
    192
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    This thread at Expert Exchange might be useful to you.

    It rather looks like you will need to get a new certificate, and you may need to consider moving to a different CA who uses acceptable algorithms in their certificate chain..

    Following information is from the Cryptographic Storage Cheat Sheet - OWASP

    If the information that you posted is correct.......
    ........this certificate was generated in the year 2000 and has not been considered secure since 2005, and many browsers and organisations have stopped accepting it since 2017.

    Further reading from :
    https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know
    Google Online Security Blog: Gradually sunsetting SHA-1
     
    #2 rpvw, Mar 17, 2018
    Last edited: Mar 17, 2018
  3. clearchaos

    clearchaos Member

    Joined:
    Dec 24, 2008
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    53
    Thanks for your reply, it's very much appreciated.

    I understand why sha1 has to go, but it seems like the root certificate in the chain is the problem here, is that right? It's the only place I can find reference to sha1 in an ssllabs scan. The ssllabs report shows two paths, the first is OK, but the second has the entry shown below - should there even be two paths?

    4 In trust store AddTrust External CA Root Self-signed
    Fingerprint SHA256: 687f[REMOVED]d2ff2
    Pin SHA256: lCppFqbkrlJ3[REMOVED]EUk7tEU=
    RSA 2048 bits (e 65537) / SHA1withRSA
    Weak or insecure signature, but no impact on root certificate
    The certificate on the site is cPanel generated (autossl).
    PCI scans have been fine up until this month.
     
  4. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    618
    Likes Received:
    192
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    This is very strange. I never noticed it before as I don't try and get PCI compliance.

    I just ran one of my sites AutoSSL through ssllabs and got exactly the same result as you did.

    Perhaps someone at cPanel will enlighten us. o_O
     
  5. clearchaos

    clearchaos Member

    Joined:
    Dec 24, 2008
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    53
    Thanks again.

    At least it's (probably) not down to config on my server if you can also replicate the issue.

    Fingers crossed a cPanel sage will help :)
     
  6. clearchaos

    clearchaos Member

    Joined:
    Dec 24, 2008
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    53
  7. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    422
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    This is coming up on PCI scans a lot now for SSL certs generated for the free cPanel hostname certificates.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,782
    Likes Received:
    1,712
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  9. clearchaos

    clearchaos Member

    Joined:
    Dec 24, 2008
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    53
    Hi - just a quick update on this. I eventually raised this as a "false positive" with the following statement:

    I believe this to be a false positive as SHA-1 is only used on the root certificate. According to Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm, SHA-1-based signatures for trusted root certificates are not a problem because TLS clients trust them by their identity, rather than by the signature of their hash (ref: Google Online Security Blog: Gradually sunsetting SHA-1) .
    This was accepted by the scanning company.

    Thanks for your help.
     
    cPanelMichael likes this.
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,782
    Likes Received:
    1,712
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
Loading...

Share This Page