On Thu, Mar 26, 2015 at 2:32 PM, Ognjen Blagojevic < ognjen.d.blagoje...@gmail.com> wrote:
> Egor, > > On 26.3.2015 21:23, Mark Thomas wrote: > >> On 26/03/2015 17:30, Egor Philippov wrote: >> >>> Anyone familiar with the warning or know >>> whether it represents a real security problem? >>> >> >> That depends on your definition of 'real'. I'm not aware of any viable >> attacks but general opinion is that now is the time to take action. >> >> Check your server certificate. The most likely explanation is that it >> has a SHA-1 signature. Your CA should be able to provide you with a >> replacement with a more secure signature. I know the CAs the ASF uses >> have been offering this for 6 months or more. >> > > +1 > > More info here: > > https://community.qualys.com/blogs/securitylabs/2014/09/09/ > sha1-deprecation-what-you-need-to-know > > -Ognjen ( disclaimer: I'm no cryptography expert and the findings below are not my own, but are instead based on the research done by our most senior dev. I'm merely trying to pass on the knowledge here. ) I've managed to reach closure for this problem today. No, the certificate itself was not a problem although we do use a self-signed certificate with a SHA256 signature for this particular app. According to http://security.stackexchange.com/questions/83831/google-chrome-your-connection-to-website-is-encrypted-with-obsolete-cryptograph, for Chrome: "Modern cryptography = TLS 1.2 or QUIC (protocol) + AES_128_GCM or CHACHA20_POLY1305 (cipher) + DHE_RSA or ECDHE_RSA or ECDHE_ECDSA (key exchange)." When running Tomcat without the APR connector, as we do, the cipher suites that ship with the JRE are used. We were running Tomcat on JRE 7 which does not ship with any GCM ciphers. JRE 8 does ship with some GCM cipher suites according to http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html. As such, after we've transitioned to running Tomcat on top of JRE 8, Chrome now reports that we're using 'modern cryptography'. :D
