On Thu, Nov 01, 2018 at 09:52:12PM +0100, Sebastian Andrzej Siewior wrote:
> |$ openssl x509 -in 912604.cert -text | grep Signature
> | Signature Algorithm: sha1WithRSAEncryption
> | Signature Algorithm: sha1WithRSAEncryption
>
> The point is that your server certificate is signed with SHA1 while
> the minimum is SHA256. Please note that all publicly issued certificates
> are signed with SHA256 these days.

Thank you for your feedback. You are right. I do not know why I was checking the CA certificate only and not the server one. The CA one is signed with SHA256 while the server one is signed with SHA1.

> I would suggest a *note* in burp to notify users of burp which created
> self-signed certificates with pre-Buster machines that they might need
> to recreate their certificate if it is signed with SHA1. Thus
> reassigning to burp.

On Thu, Nov 01, 2018 at 10:17:18PM +0100, Kurt Roeckx wrote:
> As far as I know, the default in stretch should also use sha256,
> most likely those certificates are older.

The certificate was issued in 2016. It was therefore likely generated with Jessie. I have regenerated the server certificate and everything is working now. Nevertheless, I believe this should be documented somewhere in the Debian burp package that certificates generated under Jessie are likely to be rejected under Buster.

Antoine