On 2/4/2022 1:15 PM, Joseph Simone wrote:
> Maybe we got started off with the wrong details here.
> How or where can I set the MessageDigest to SHA-256 ...
> MessageDigest safeDigester = MessageDigest.getInstance("SHA-256"); // Safe!
> Whatever the default is, it seems to be insecure. I think the problem is a
> simple matter on my side of missing an httpclient configuration setting.
If I'm not mistaken (and I very well could be) ... that refers to the
details in the SSL certificate. Chances are that the certificate on the
website you're contacting is using the less secure hashing algorithm.
Therefore the code that uses the certificate will also be using SHA1.
First hit on a Google search. I have no personal connection to
DigiCert, though I do have a friend who works there:
https://www.digicert.com/faq/sha2/transitioning-to-sha-2.htm
If the certificate is not within your control, then you need to talk to
whoever manages the website and ask them to fix their cert.
If the cert IS under your control: In some cases, the hashing algorithm
of the final certificate will be determined from a certificate signing
request that you provide to the CA. But I think that most public CAs
these days do not pay attention to anything in a CSR except the public
key, and if that is the case, the hashing algorithm will be entirely up
to the CA.
If this is a client cert and not a server cert, then chances are that it
is under your control. If you run your own CA, you should talk to the
vendor or project for that software about how to have it issue SHA-2
certificates. If you use a public CA for client certs, ask them how to
obtain upgraded certs.
Thanks,
Shawn
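To make the point above concrete: the digest a client picks (whether in a `MessageDigest` call or in its CSR) has no bearing on the digest the issued certificate is signed with; that is decided by the CA at signing time. The script below is an added illustration, not code from this thread or from the httpclient project. It uses the `openssl` command line with a throwaway, constructed CA and subject names, hashes the CSR with SHA-384, has the CA sign with SHA-256, and then reads back the signature algorithm of both, plus a small check that flags SHA-1 or MD5 signatures the way a deployment audit would.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# Shows that the CSR's digest does not decide the certificate's digest;
# the CA's signing step does. All names and keys are constructed throwaways.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_demo_cert: creates a throwaway CA and a leaf certificate in $WORK.
# The requester hashes the CSR with SHA-384; the CA signs with SHA-256.
issue_demo_cert() {
    # Constructed self-signed CA (hypothetical name)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

    # Requester's CSR: the digest here is the requester's choice
    openssl req -new -newkey rsa:2048 -nodes -sha384 \
        -subj "/CN=client.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1

    # CA signs the request: the digest here is the CA's choice,
    # independent of whatever the CSR was hashed with
    openssl x509 -req -sha256 -days 1 \
        -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# sig_alg FILE: prints the signature algorithm of a PEM certificate,
# e.g. "sha256WithRSAEncryption", taken from `openssl x509 -text` output.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_sig_alg FILE: same, for a PEM certificate signing request.
csr_sig_alg() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# is_weak_sig ALG: succeeds (returns 0) when the algorithm is built on
# SHA-1 or MD5, which is what a certificate audit should flag.
is_weak_sig() {
    case "$1" in
        *sha1*|*SHA1*|*md5*|*MD5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: issue the pair and report both digests.
issue_demo_cert
echo "CSR signed with:         $(csr_sig_alg "$WORK/leaf.csr")"
echo "Certificate signed with: $(sig_alg "$WORK/leaf.pem")"
if is_weak_sig "$(sig_alg "$WORK/leaf.pem")"; then
    echo "WARNING: issued certificate uses a weak signature digest"
fi
```

Run it as `sh check_cert_digest.sh` (any file name will do). The CSR reports `sha384WithRSAEncryption` while the certificate reports `sha256WithRSAEncryption`, which is the whole point: to change the digest on a certificate you receive, you change what the CA does, not what the requesting code does. The same `sig_alg` function, pointed at a certificate saved from a server, is a quick way to confirm whether that server's certificate is the SHA-1-signed one.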