SOLVED SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)

clearchaos

Member
Dec 24, 2008
10
1
53
Hi,

My server is failing a PCI scan on a few ports with:

"SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)" - CVE-2004-2761 BID : 33065, 11849 Other references { cert : 836068osvdb : 45127, 45106, 45108cwe : 310 }

The following known CA certificates were part of the certificate
chain sent by the remote host, but contain hashes that are considered
to be weak.

|-Subject : C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From : May 30 10:48:38 2000 GMT
|-Valid To : May 30 10:48:38 2020 GMT
I've reissued the server certificate but to no avail. Google is taking me around in circles and I'm not finding the answer. Can anyone offer any advice?

Thanks.
 

rpvw

Well-Known Member
Jul 18, 2013
1,088
446
113
Spain
cPanel Access Level
Root Administrator
This thread at Expert Exchange might be useful to you.

It rather looks like you will need to get a new certificate, and you may need to consider moving to a different CA who uses acceptable algorithms in their certificate chain..

Following information is from the Cryptographic Storage Cheat Sheet - OWASP
Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing. Do not use weak algorithms, such as MD5 or SHA1.

If the information that you posted is correct.......
|-Subject : C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From : May 30 10:48:38 2000 GMT
|-Valid To : May 30 10:48:38 2020 GMT
........this certificate was generated in the year 2000 and has not been considered secure since 2005, and many browsers and organisations have stopped accepting it since 2017.

Further reading from :
https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know
Google Online Security Blog: Gradually sunsetting SHA-1
 
Last edited:

clearchaos

Member
Dec 24, 2008
10
1
53
Thanks for your reply, it's very much appreciated.

I understand why sha1 has to go, but it seems like the root certificate in the chain is the problem here, is that right? It's the only place I can find reference to sha1 in an ssllabs scan. The ssllabs report shows two paths, the first is OK, but the second has the entry shown below - should there even be two paths?

4 In trust store AddTrust External CA Root Self-signed
Fingerprint SHA256: 687f[REMOVED]d2ff2
Pin SHA256: lCppFqbkrlJ3[REMOVED]EUk7tEU=
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
The certificate on the site is cPanel generated (autossl).
PCI scans have been fine up until this month.
 

rpvw

Well-Known Member
Jul 18, 2013
1,088
446
113
Spain
cPanel Access Level
Root Administrator
This is very strange. I never noticed it before as I don't try and get PCI compliance.

I just ran one of my sites AutoSSL through ssllabs and got exactly the same result as you did.

Perhaps someone at cPanel will enlighten us. o_O
 

clearchaos

Member
Dec 24, 2008
10
1
53
Thanks again.

At least it's (probably) not down to config on my server if you can also replicate the issue.

Fingers crossed a cPanel sage will help :)
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,894
2,226
363
cPanel Access Level
DataCenter Provider
Twitter

clearchaos

Member
Dec 24, 2008
10
1
53
Hi - just a quick update on this. I eventually raised this as a "false positive" with the following statement:

I believe this to be a false positive as SHA-1 is only used on the root certificate. According to Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm, SHA-1-based signatures for trusted root certificates are not a problem because TLS clients trust them by their identity, rather than by the signature of their hash (ref: Google Online Security Blog: Gradually sunsetting SHA-1) .
This was accepted by the scanning company.

Thanks for your help.
 
  • Like
Reactions: cPanelMichael