On Fri, Feb 2, 2018 at 3:18 PM, Gareth Williams
<gar...@garethwilliams.me.uk> wrote:
> Hello,
> The "SSL/TLS: Certificate Signed Using A Weak Signature Algorithm" test gets
> confused if a server is using (and presumably sends as part of the TLS
> handshake) a Root CA certificate that is signed by a weak algorithm.
> This check should only be valid for subordinate certificate, that is,
> certificates signed by a superior CA.  In a self-signed (such as a Root CA)
> the signature algorithm is irrelevant.

The signature is not entirely irrelevant, and a weak digest on a root
CA does make it easier (but perhaps not yet feasible) to attack the
root CA. More problematic is an attack on an intermediate CA due to
certificates using a weak digest.


"SHA-1 shouldn't be trusted past January 2016 because of the
increasing practicality that a well-funded attacker or government
could find a SHA-1 hash collision, allowing them to impersonate any
SSL website." (Paraphrased.)

If you still don't want to trust the NSA and NIST, I think the test is
accurate: They're using old technology that needs to be updated. It's
too bad that that is work, so I suppose it's a good thing you're
getting paid.

> Many organisations still use a SHA1 signed Root CA certificate, and these
> are flagged up during a scan, if the scanned server is configured to send
> the Root CA certificate as part of the chain. Note that sending the Root has
> no security benefit or risk, and is ignored by clients - it is usually due
> to a misconfigured server.
> The 'gb_ssl_weak_hash_algo.nasl' script checks if a certificate is a Root CA
> certificate (by including CAs.inc) but this only checks if the certificate
> is on a predefined list of commercial CAs.  I can't add to this list (as far
> as my understanding goes) as the file is signed.  In my opinion, the NASL
> should simply check if the Subject and the Issuer are the same.  If they
> are, there is no reason to check the signature algorithm.
> This also affects servers that use a single self-signed certificate for TLS.
> While not considered best practice, many do use them.  Again, there is no
> reason in flagging the signature algorithm of these self-signed certificates
> as it adds no effective security.  A test of Subject is equal to Issuer
> would resolve this too.
> This may have been discussed previously (Google couldn't find it) as I'm new
> to OpenVAS.  If it has, please accept my apologies.

Openvas-discuss mailing list

Reply via email to