On Fri, Feb 2, 2018 at 3:18 PM, Gareth Williams
<gar...@garethwilliams.me.uk> wrote:
> Hello,
>
> The "SSL/TLS: Certificate Signed Using A Weak Signature Algorithm" test gets
> confused if a server is using (and presumably sends as part of the TLS
> handshake) a Root CA certificate that is signed by a weak algorithm.
>
> This check should only be valid for subordinate certificates, that is,
> certificates signed by a superior CA.  In a self-signed certificate (such as a
> Root CA) the signature algorithm is irrelevant.

The signature is not entirely irrelevant, and a weak digest on a root
CA does make it easier (but perhaps not yet feasible) to attack the
root CA. More problematic is an attack on an intermediate CA due to
certificates using a weak digest.

https://csrc.nist.gov/publications/detail/sp/800-131a/archive/2011-01-13

"SHA-1 shouldn't be trusted past January 2016 because of the
increasing practicality that a well-funded attacker or government
could find a SHA-1 hash collision, allowing them to impersonate any
SSL website." (Paraphrased.)

If you still don't want to trust the NSA and NIST, I think the test is
accurate: They're using old technology that needs to be updated. It's
too bad that that is work, so I suppose it's a good thing you're
getting paid.

> Many organisations still use a SHA1 signed Root CA certificate, and these
> are flagged up during a scan, if the scanned server is configured to send
> the Root CA certificate as part of the chain. Note that sending the Root has
> no security benefit or risk, and is ignored by clients - it is usually due
> to a misconfigured server.
>
> The 'gb_ssl_weak_hash_algo.nasl' script checks if a certificate is a Root CA
> certificate (by including CAs.inc) but this only checks if the certificate
> is on a predefined list of commercial CAs.  I can't add to this list (as far
> as my understanding goes) as the file is signed.  In my opinion, the NASL
> should simply check if the Subject and the Issuer are the same.  If they
> are, there is no reason to check the signature algorithm.
>
> This also affects servers that use a single self-signed certificate for TLS.
> While not considered best practice, many do use them.  Again, there is no
> reason in flagging the signature algorithm of these self-signed certificates
> as it adds no effective security.  A test of Subject is equal to Issuer
> would resolve this too.
>
> This may have been discussed previously (Google couldn't find it) as I'm new
> to OpenVAS.  If it has, please accept my apologies.
>

Cheers,
     R0b0t1
_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
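As an added example, not the gb_ssl_weak_hash_algo.nasl script or any other OpenVAS code, here is the check Gareth proposes written as a POSIX shell script around the openssl CLI: a weak signature digest is reported only when a certificate's subject differs from its issuer, i.e. only when a superior CA's signature is what a relying party would actually depend on. To make the difference visible it builds a constructed three-certificate chain (a SHA-1 self-signed root, a SHA-1 intermediate signed by that root, and a SHA-256 leaf signed by the intermediate) in a temporary directory. The names, file paths and 30-day validity are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not OpenVAS/NASL code). Requires the openssl command.
# Reports a weak certificate signature digest only for certificates that
# are NOT self-signed (subject != issuer).
set -eu

# Digests that should raise a finding; the algorithm name comes from
# "openssl x509 -text", e.g. sha1WithRSAEncryption or md5WithRSAEncryption.
is_weak_sigalg() {
    case "$1" in
        md5*|sha1*) return 0 ;;
        *)          return 1 ;;
    esac
}

# For each PEM certificate given, print "<subject> <sigalg>" when the
# signature digest is weak AND the certificate is signed by some other CA.
# A self-signed certificate (subject == issuer) is skipped: nobody trusts
# a root because of its own signature, so the digest there adds no risk.
weak_signature_findings() {
    for pem in "$@"; do
        subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
        sigalg=$(openssl x509 -in "$pem" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
        if [ "$subject" = "$issuer" ]; then
            continue
        fi
        if is_weak_sigalg "$sigalg"; then
            printf '%s %s\n' "$subject" "$sigalg"
        fi
    done
}

# Constructed test data (assumed names, not real CAs): writes root.pem,
# int.pem and leaf.pem into the directory given as $1.
#   root: SHA-1, self-signed        -> must NOT be reported
#   int : SHA-1, signed by the root -> must be reported
#   leaf: SHA-256, signed by int    -> must NOT be reported
build_demo_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 30 \
        -subj '/CN=Demo Root CA' -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Intermediate CA' -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -sha1 -days 30 -in "$dir/int.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial -out "$dir/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=www.example.com' -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
}

# Stand-alone run: build the demo chain, scan it in the order a server
# would send it (leaf first), then clean up.
tmp=$(mktemp -d)
build_demo_chain "$tmp"
weak_signature_findings "$tmp/leaf.pem" "$tmp/int.pem" "$tmp/root.pem"
rm -rf "$tmp"
```

Run as-is it prints a single line for the intermediate ("CN=Demo Intermediate CA sha1WithRSAEncryption" with OpenSSL 1.1.1 or 3.x name formatting) and nothing for the root or the leaf. One caveat a scanner author should keep in mind: subject == issuer is a heuristic. A certificate can name itself as issuer without actually being self-signed, so a stricter version also verifies the signature under the certificate's own public key (openssl verify's -check_ss_sig option does exactly that for a trust anchor) before deciding the signature digest can be ignored.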
