Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing
Thanks to all, for both satisfying my morbid curiosity and verifying that it's the customer's problem, not mine.

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing
On Wed, Jan 06, 2021 at 03:34:17PM -0800, James H. H. Lampert wrote:
> We just had our first Tomcat 8.5 installation on a customer's AS/400.
>
> The customer apparently has his own CA (they're a big company), and when
> I installed SSL in their Tomcat, and tested it with a browser, it
> complained, something to the general effect of "weak signature algorithm."
>
> While it's not really my problem (and is only connected to Tomcat by
> virtue of it happening with a Tomcat server), I'm curious about what's
> up with it, if anybody here is able and willing to explain it.

The beginning of this page might be helpful:

  https://frasertweedale.github.io/blog-redhat/posts/2017-11-10-freeipa-changing-signature-algorithm.html

Simply: the message is saying that the customer's CA signed this certificate in a way that's not now believed by the browser's authors to be sufficiently secure.

I don't know what tools are available in the AS/400 environment, but here's how I would use OpenSSL on Linux to inspect a certificate:

  $ openssl x509 -noout -text -in /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
  Certificate:
      Data:
          Version: 1 (0x0)
          Serial Number:
              9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
      Signature Algorithm: sha1WithRSAEncryption
          Issuer: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
          Validity
              Not Before: Oct  1 00:00:00 1999 GMT
              Not After : Jul 16 23:59:59 2036 GMT
          Subject: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
  etc.

The "Signature Algorithm" is what the message is about. Here it says that the certified public key was signed by hashing it with SHA1 and then encrypting the hash with the CA's RSA private key.
I just remembered that your browser probably has a way to display details of a certificate, too.

BTW that certificate above was issued in 1999, when SHA1 was considered sufficient. Certificates created today should be using a stronger hash.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
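The "Signature Algorithm" line Mark points at is the outer signatureAlgorithm field of the X.509 Certificate structure. As an added example (not from the thread, and not an OpenSSL or Tomcat tool), here is a dependency-free Python check that reads that field from DER and flags MD5/SHA-1 the way a browser does; `synthetic_cert` builds a constructed stand-in certificate with a dummy TBS body, since only the AlgorithmIdentifier matters for this check.

```python
# Reads Certificate.signatureAlgorithm from DER; flags MD5/SHA-1 like a browser does.
WEAK = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
STRONG = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
          "1.2.840.113549.1.1.13": "sha512WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _tlv(der, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content bytes -> dotted string (first byte packs the first two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128, high bit set on continuation bytes
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (dotted OID, name, verdict) for the outer signatureAlgorithm field."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, _, pos = _tlv(cert, 0)               # skip tbsCertificate (treated as opaque here)
    _, alg, _ = _tlv(cert, pos)             # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = _tlv(alg, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    dotted = _decode_oid(oid)
    name = WEAK.get(dotted) or STRONG.get(dotted, "unknown")
    return dotted, name, "WEAK" if dotted in WEAK else "ok"

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def synthetic_cert(sig_oid):
    """Constructed stand-in for a real certificate: dummy TBS, real AlgorithmIdentifier, dummy signature."""
    tbs = _der(0x30, b"\x00" * 200)         # opaque placeholder; long enough to exercise long-form lengths
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))   # algorithm OID + NULL parameters
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xAA" * 32))

SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

Run it over the server certificate and any intermediates (`openssl x509 -outform DER` converts a PEM file); the self-signed root shown above is a trust anchor whose own signature browsers do not check, so a SHA-1 root by itself does not trigger the warning.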
Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing
James,

> On 07.01.2021 at 00:34, James H. H. Lampert wrote:
>
> We just had our first Tomcat 8.5 installation on a customer's AS/400.
>
> The customer apparently has his own CA (they're a big company), and when I
> installed SSL in their Tomcat, and tested it with a browser, it complained,
> something to the general effect of "weak signature algorithm."

I guess they never upgraded their CA and still sign the certs with SHA1 or even MD5. They should change that for sure!

Peter

> While it's not really my problem (and is only connected to Tomcat by virtue
> of it happening with a Tomcat server), I'm curious about what's up with it,
> if anybody here is able and willing to explain it.
>
> Of course, a customer that's big enough to run a private CA in production is
> already doing things beyond my pay grade.
>
> --
> JHHL
Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing
On 1/6/21 3:46 PM, Robert Turner wrote:
> You'll want to set the protocols, ciphers, and honorCipherOrder ...

The precise wording in the error message is:

  . . . but the server presented a certificate signed using a weak signature algorithm (such as SHA-1). . . .

Which is to say, it doesn't sound like a cipher or protocol problem, or anything else that's actually under Tomcat's control. But I figured somebody here might know something about it.

--
JHHL
Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing
You'll want to set the protocols, ciphers, and honorCipherOrder attributes on either the Connector or the SSLHostConfig objects in your server.xml file to restrict the TLS/SSL protocols and ciphers available, to avoid using weak ones. See the documentation here for details:

  https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support

For example (please pick TLS levels and ciphers for your application -- this may not suit your requirements):

On Wed, Jan 6, 2021 at 6:34 PM James H. H. Lampert wrote:
> We just had our first Tomcat 8.5 installation on a customer's AS/400.
>
> The customer apparently has his own CA (they're a big company), and when
> I installed SSL in their Tomcat, and tested it with a browser, it
> complained, something to the general effect of "weak signature algorithm."
>
> While it's not really my problem (and is only connected to Tomcat by
> virtue of it happening with a Tomcat server), I'm curious about what's
> up with it, if anybody here is able and willing to explain it.
>
> Of course, a customer that's big enough to run a private CA in
> production is already doing things beyond my pay grade.
>
> --
> JHHL
Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing
We just had our first Tomcat 8.5 installation on a customer's AS/400.

The customer apparently has his own CA (they're a big company), and when I installed SSL in their Tomcat, and tested it with a browser, it complained, something to the general effect of "weak signature algorithm."

While it's not really my problem (and is only connected to Tomcat by virtue of it happening with a Tomcat server), I'm curious about what's up with it, if anybody here is able and willing to explain it.

Of course, a customer that's big enough to run a private CA in production is already doing things beyond my pay grade.

--
JHHL