On Fri, Feb 2, 2018 at 3:18 PM, Gareth Williams
> The "SSL/TLS: Certificate Signed Using A Weak Signature Algorithm" test gets
> confused if a server is using (and presumably sends as part of the TLS
> handshake) a Root CA certificate that is signed by a weak algorithm.
> This check should only be valid for subordinate certificates, that is,
> certificates signed by a superior CA. In a self-signed certificate (such as a Root CA)
> the signature algorithm is irrelevant.
The signature is not entirely irrelevant, and a weak digest on a root
CA does make it easier (but perhaps not yet feasible) to attack the
root CA. More problematic is an attack on an intermediate CA due to
certificates using a weak digest.
"SHA-1 shouldn't be trusted past January 2016 because of the
increasing practicality that a well-funded attacker or government
could find a SHA-1 hash collision, allowing them to impersonate any
SSL website." (Paraphrased.)
If you still don't want to trust the NSA and NIST, I think the test is
accurate: They're using old technology that needs to be updated. It's
too bad that that is work, so I suppose it's a good thing you're
> Many organisations still use a SHA1 signed Root CA certificate, and these
> are flagged up during a scan, if the scanned server is configured to send
> the Root CA certificate as part of the chain. Note that sending the Root has
> no security benefit or risk, and is ignored by clients - it is usually due
> to a misconfigured server.
> The 'gb_ssl_weak_hash_algo.nasl' script checks if a certificate is a Root CA
> certificate (by including CAs.inc) but this only checks if the certificate
> is on a predefined list of commercial CAs. I can't add to this list (as far
> as my understanding goes) as the file is signed. In my opinion, the NASL
> should simply check if the Subject and the Issuer are the same. If they
> are, there is no reason to check the signature algorithm.
> This also affects servers that use a single self-signed certificate for TLS.
> While not considered best practice, many do use them. Again, there is no
> reason to flag the signature algorithm of these self-signed certificates,
> as it adds no effective security. A test of whether Subject is equal to Issuer
> would resolve this too.
> This may have been discussed previously (Google couldn't find it) as I'm new
> to OpenVAS. If it has, please accept my apologies.
Openvas-discuss mailing list
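The Subject == Issuer exemption proposed in the thread, as an added example (not the gb_ssl_weak_hash_algo.nasl code or any OpenVAS code): a minimal standard-library DER walker that extracts Issuer, Subject and signatureAlgorithm from a DER certificate and reports a weak digest only when the certificate is not self-signed. The sample certificates are constructed in-line and are not real certificates; the OID-to-name table covers only the RSA signature OIDs named in the code.

```python
# Added example: exempt self-signed certificates (Subject == Issuer) from the
# weak-signature check. Sample certificates below are constructed, not real.
RSA_SIG = bytes.fromhex("2a864886f70d0101")        # OID prefix 1.2.840.113549.1.1
SIG_NAMES = {RSA_SIG + b"\x04": "md5WithRSAEncryption",
             RSA_SIG + b"\x05": "sha1WithRSAEncryption",
             RSA_SIG + b"\x0b": "sha256WithRSAEncryption"}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value; returns (tag, value, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                    # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def members(body):
    """Split a SEQUENCE/SET body into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def assess(der):
    """Report signature algorithm, self-signed status and whether to flag."""
    _, cert, _ = read_tlv(der)
    tbs, sig_alg, _ = members(cert)                  # tbsCertificate, AlgorithmIdentifier, BIT STRING
    fields = members(tbs[1])
    if fields[0][0] == 0xA0:                         # skip the optional explicit [0] version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]     # serial, signature, issuer, validity, subject
    alg = SIG_NAMES.get(members(sig_alg[1])[0][1], "unknown")
    self_signed = issuer == subject                  # byte-equal encoded Names
    return {"algorithm": alg, "self_signed": self_signed,
            "flag": alg in WEAK and not self_signed}

# Constructed test certificates (short-form lengths, no public key, dummy signature).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body
def cn(name):               # Name ::= SEQ { SET { SEQ { id-at-commonName, PrintableString } } }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, name.encode()))))
def make_cert(issuer, subject, sig_oid):
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + cn(issuer) + tlv(0x30, b"") + cn(subject))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xAA" * 8))

ROOT_SHA1 = make_cert("Corp Root CA", "Corp Root CA", RSA_SIG + b"\x05")    # self-signed: not flagged
LEAF_SHA1 = make_cert("Corp Root CA", "www.example.com", RSA_SIG + b"\x05")  # CA-signed SHA-1: flagged
```

Real chains would be fed as DER (for example the output of a PEM decode of each certificate the server sends); `assess` ignores every field it does not need, so the construction shortcuts above do not affect the decision logic.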