Monday, February 1. 2010
SSL-Certificates with SHA256 signature
At least since 2005 it's well known that the cryptographic hash function SHA1 is seriously flawed and it's only a matter of time until it will be broken. However, it's still widely used and it can be expected that it'll be used long enough to allow real world attacks (as it happened with MD5 before). The NIST (the US National Institute of Standards and Technology) suggests not to use SHA1 after 2010, the german BSI (Bundesamt für Sicherheit in der Informationstechnik) says they should've been fadet out by the end of 2009.
The probably most widely used encryption protocol is SSL. It is a protocol that can operate on top of many other internet protocols and is for example widely used for banking accounts.
As SSL is a pretty complex protocol, it needs hash functions at various places, here I'm just looking at one of them. The signatures created by the certificate authorities. Every SSL certificate is signed by a CA, even if you generate SSL certificates yourself, they are self-signed, meaning that the certificate itself is it's own CA. From what I know, despite the suggestions mentioned above no big CA will give you certificates signed with anything better than SHA1. You can check this with:
openssl x509 -text -in [your ssl certificate]
Look for "Signature Algorithm". It'll most likely say sha1WithRSAEncryption. If your CA is good, it'll show sha256WithRSAEncryption. If your CA is really bad, it may show md5WithRSAEncryption.
When asking for SHA256 support, you often get the answer that the software still has problems, it's not ready yet. When asking for more information I never got answers. So I tried it myself. On an up-to-date apache webserver with mod_ssl, it was no problem to install a SHA256 signed certificate based on a SHA256 signed test CA. All browsers I've tried (Firefox 3.6, Konqueror 4.3.5, Opera 10.10, IE8 and even IE6) had no problem with it. You can check it out at https://sha2.hboeck.de/. You will get a certificate warning (obviously, as it's signed by my own test CA), but you'll be able to view the page. If you want to test it without warnings, you can also import the CA certificate.
I'd be interested if this causes any problems (on server or on client side), so please leave a comment if you are aware of any incompatibilities.
Update: By request in the comments, I've also created a SHA512 testcase.
Update 2: StartSSL wrote me that they tried providing SHA256-certificates about a year ago and had too many problems - it wasn't very specific but they mentioned that earlier Windows XP and Windows 2003 Server versions may have problems.
The probably most widely used encryption protocol is SSL. It is a protocol that can operate on top of many other internet protocols and is for example widely used for banking accounts.
As SSL is a pretty complex protocol, it needs hash functions at various places, here I'm just looking at one of them. The signatures created by the certificate authorities. Every SSL certificate is signed by a CA, even if you generate SSL certificates yourself, they are self-signed, meaning that the certificate itself is it's own CA. From what I know, despite the suggestions mentioned above no big CA will give you certificates signed with anything better than SHA1. You can check this with:
openssl x509 -text -in [your ssl certificate]
Look for "Signature Algorithm". It'll most likely say sha1WithRSAEncryption. If your CA is good, it'll show sha256WithRSAEncryption. If your CA is really bad, it may show md5WithRSAEncryption.
When asking for SHA256 support, you often get the answer that the software still has problems, it's not ready yet. When asking for more information I never got answers. So I tried it myself. On an up-to-date apache webserver with mod_ssl, it was no problem to install a SHA256 signed certificate based on a SHA256 signed test CA. All browsers I've tried (Firefox 3.6, Konqueror 4.3.5, Opera 10.10, IE8 and even IE6) had no problem with it. You can check it out at https://sha2.hboeck.de/. You will get a certificate warning (obviously, as it's signed by my own test CA), but you'll be able to view the page. If you want to test it without warnings, you can also import the CA certificate.
I'd be interested if this causes any problems (on server or on client side), so please leave a comment if you are aware of any incompatibilities.
Update: By request in the comments, I've also created a SHA512 testcase.
Update 2: StartSSL wrote me that they tried providing SHA256-certificates about a year ago and had too many problems - it wasn't very specific but they mentioned that earlier Windows XP and Windows 2003 Server versions may have problems.
Comments
Display comments as
(Linear | Threaded)
Thanks for testing this. I wondered about the same since I had the same problem. I suspect that this > then sha1 incompatibility is just something that gets carried on inside some long untouched config files or man pages for http daemons.
Your site works also with Links 2.2 and Chromium 5.0.308.0 (37385).
I wonder, why not use sha384 or sha512? Did you think of testing those as well?
Your site works also with Links 2.2 and Chromium 5.0.308.0 (37385).
I wonder, why not use sha384 or sha512? Did you think of testing those as well?
Fuck the CA mafia, everyone should use monkeysphere-style web of trust for HTTPS.
could you please make a wiki on it (sha256 instead of sha1),
like : http://fr.gentoo-wiki.com/wiki/Apache2/Certificats_SSL
see you
Loux
like : http://fr.gentoo-wiki.com/wiki/Apache2/Certificats_SSL
see you
Loux
To reproduce a potential problem:
1) Visit the page with Mozilla Firefox 3.6, granting your browser a temporary security exception
2) Click on the lock in the bottom right corner of the browser window
3) Click "View certificate"
Result: there is no word "SHA256" displayed in the default tab of the certificate window.
4) Click on the "CA root cert" link, view the certficate.
Result: again, there is no word "SHA256" in the default tab. One can only compare MD5 and SHA-1 fingerprints with values obtained, say, from you by phone. I don't know if this is good enough.
1) Visit the page with Mozilla Firefox 3.6, granting your browser a temporary security exception
2) Click on the lock in the bottom right corner of the browser window
3) Click "View certificate"
Result: there is no word "SHA256" displayed in the default tab of the certificate window.
4) Click on the "CA root cert" link, view the certficate.
Result: again, there is no word "SHA256" in the default tab. One can only compare MD5 and SHA-1 fingerprints with values obtained, say, from you by phone. I don't know if this is good enough.
As I said, hash functions are used at different places in SSL. The one you mention, the fingerprint, is unrelated to the signing algorithm, so there's no problem (although it might be worth working on that as well).
Both SHA256 and SHA512 seem to work with Firefox 1.0 and Konqueror 4.0.3.
I am running Windows 2003 SP2 bought at the same day it was released and have no problem (off course, the Service Pack was applied latter...). Don't know if any of the Service Packs fixed the issue.
Both SHA256 and SHA512 worked.
Both SHA256 and SHA512 worked.
When I browse to your sha512 testcase (using google chrome on osx 10.6.2) the certificate info reports "SHA-1 with RSA Encryption", instead of the expected sha512.
Maybe there's a mistake in your web server config?
Btw in my point of view people should just start to use sha256/sha512 signed certificates, no matter if it doesn't work on windows machines ... otherwise they'll never implement these features in their OS. Everybody just simply put some pressure on the guys.
Maybe there's a mistake in your web server config?
Btw in my point of view people should just start to use sha256/sha512 signed certificates, no matter if it doesn't work on windows machines ... otherwise they'll never implement these features in their OS. Everybody just simply put some pressure on the guys.
Hi, no, not a mistake in my web server config, your system doesn't support SNI (several SSL certificates on one IP).
One more testcase. Works on WinXP+SP2 with IE7, Opera 10 and FF 3.6
I think the test would be much more convincing if there was a CA, that one could configure to trust, so that we'd be really checking that the path is properly verified. The CAPI used by microsoft can manipulate a cert even when it can't verify it's signature, and that all what is done here as soon as the path isn't verified.
XP/SP3 is the minimum required to use SHA-256 with IE, I believe those who reported succes with SP2 were not actually exerting the use of SHA256 since by clicking trough they were just blindly accepting a cert without any verification.
XP/SP3 is the minimum required to use SHA-256 with IE, I believe those who reported succes with SP2 were not actually exerting the use of SHA256 since by clicking trough they were just blindly accepting a cert without any verification.
> I think the test would be much more convincing if there was
> a CA, that one could configure to trust, so that we'd be
> really checking that the path is properly verified.
I have placed the root cert on the page, you can import it:
http://sha2.hboeck.de/sha2.crt
> a CA, that one could configure to trust, so that we'd be
> really checking that the path is properly verified.
I have placed the root cert on the page, you can import it:
http://sha2.hboeck.de/sha2.crt
The https://sha2.hboeck.de/ works fine with me.
But on https://sha512.hboeck.de/ I am getting a certificate issued to *.shokokeks.org using SHA1 (3 hierarchy chain up to a different root).
But on https://sha512.hboeck.de/ I am getting a certificate issued to *.shokokeks.org using SHA1 (3 hierarchy chain up to a different root).
So are there any CAs offering SHA256 signed certificates?
It seems all the CAs I've checked have SHA256 keys in their root stores, but they aren't actually being used yet to sign SSL certs.
It seems all the CAs I've checked have SHA256 keys in their root stores, but they aren't actually being used yet to sign SSL certs.
I know this is old but sine I got a hit on SHA256 signature algorithm thought I would add this for others. Some older programs do have issues with this. Currently we have a problem with weblogic 10.3.x (inour case 10.3.6) can't read CA files with SHA256 and has to have JSSE enable to read a server cert (from a outbound request). Just an FYI.
Tracked: Feb 06, 01:42