Thanks for your assistance, Shawn.  I will follow up on the cert and see where
that leads.
Regards,
joe

On 2/5/22, 12:23 AM, "Shawn Heisey" <[email protected]> wrote:

    On 2/4/2022 1:15 PM, Joseph Simone wrote:
    > Maybe we got started off with the wrong details here.
    > How or where can I set the MessageDigest to SHA-256 ...
    > 
    > MessageDigest safeDigester = MessageDigest.getInstance("SHA-256"); // Safe!
    > 
    > Whatever the default is, it seems to be insecure.  I think the problem is
    > a simple matter on my side of missing an httpclient configuration setting.

    If I'm not mistaken (and I very well could be) ... that refers to the 
    details in the SSL certificate.  Chances are that the certificate on the 
    website you're contacting is using the less secure hashing algorithm. 
    Therefore the code that uses the certificate will also be using SHA1.

    First hit on a google search.  I have no personal connection to 
    digicert, though I do have a friend who works there:

    
    https://urldefense.com/v3/__https://www.digicert.com/faq/sha2/transitioning-to-sha-2.htm__;!!P0m1g9ywEA!cYv40Oqe8S7kqE3gpGpGXMALs9duRN3kHNjeo6vWDQ_8hNZ4Ghbb3HTfBxE$

    If the certificate is not within your control, then you need to talk to 
    whoever manages the website and ask them to fix their cert.

    If the cert IS under your control:  In some cases, the hashing algorithm 
    of the final certificate will be determined from a certificate signing 
    request that you provide to the CA.  But I think that most public CAs 
    these days do not pay attention to anything in a CSR except the public 
    key, and if that is the case, the hashing algorithm will be entirely up 
    to the CA.

    If this is a client cert and not a server cert, then chances are that it 
    is under your control.  If you run your own CA, you should talk to the 
    vendor or project for that software about how to have it issue SHA-2 
    certificates.  If you use a public CA for client certs, ask them how to 
    obtain upgraded certs.

    Thanks,
    Shawn
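
Shawn's reply points to the certificate's own signature hash as the place the SHA-1 comes from. The following is an added example (not part of the thread, and not code from any project mentioned in it) that lists the signature algorithm of each certificate in a PEM file with the openssl CLI and flags MD2, MD5 and SHA-1; the function names and the script name `check_sig.sh` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed.

# Read `openssl ... -text` output on stdin and print one line per certificate:
#   <verdict> <signature algorithm>  <subject>
# Exit status is 1 if any certificate that is not self-signed is signed with
# MD2, MD5 or SHA-1. A self-signed cert (issuer == subject) is reported but
# does not fail the check: for a root CA the self-signature is not what
# establishes trust. RSASSA-PSS certs list their hash on a separate line and
# are not handled here.
classify_sig_algs() {
    awk '
        /^Certificate:/        { alg = ""; issuer = "" }
        /Signature Algorithm:/ { if (alg == "") alg = $NF }
        /^ *Issuer:/           { sub(/^ *Issuer: */, ""); issuer = $0 }
        /^ *Subject:/          {
            sub(/^ *Subject: */, "")
            self = ($0 == issuer)
            weak = (tolower(alg) ~ /md2|md5|sha-?1/)
            verdict = weak ? (self ? "weak-self-signed" : "WEAK") : "ok"
            if (weak && !self) bad = 1
            printf "%-17s %s  %s\n", verdict, alg, $0
        }
        END { exit bad + 0 }
    '
}

# Dump every certificate in a PEM bundle (leaf, intermediates, root) as text
# and classify each one.
check_pem() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -text -noout |
        classify_sig_algs
}

# Usage (hypothetical script name): sh check_sig.sh chain.pem
if [ -n "${1:-}" ]; then check_pem "$1"; fi
```

A `WEAK` line on the leaf or an intermediate means the certificate has to be reissued by its CA; nothing on the client side changes that hash.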
