On 27.09.2016 at 09:20, Michael Mattes wrote:
> Dear Tomcat users
>
> I have the following problem: I am using Tomcat 6.0.45 under AIX 7.1
> (7100-03-05-1524).
>
> I got the finding below and my question is how I can fix it (I have no
> experience regarding how to handle SSL certificates):
>
> 1.) Can I change something in a config file to fix it?
> 2) Or do I have to use a new certificate? If yes, how do I generate this new
> certificate?
>
> Here is the description of the finding:
>
> An SSL certificate in the certificate chain has been signed using a weak hash
> algorithm.
>
> Description:
>
> The remote service uses an SSL certificate chain that has been signed using a
> cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These
> signature algorithms are known to be vulnerable to collision attacks. An
> attacker can exploit this to generate another certificate with the same
> digital signature, allowing an attacker to masquerade as the affected service.
>
> Note that this plugin reports all SSL certificate chains signed with SHA-1
> that expire after January 1, 2017 as vulnerable. This is in accordance with
> Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.

First: This is a good chance to upgrade: Tomcat 6 faces its end of life at the end of this year.
Regarding your cryptographic problem, the description gives it away: there's a gradual deprecation of the SHA-1 hashing algorithm, and if you indeed have such a certificate that claims to be valid for longer than Jan 1, 2017, then there's nothing to do other than finding that certificate and replacing it with a better one. Nowadays you can't get new ones with SHA-1 any more (issuance in 2016 is another criterion in the list of deprecation reasons), so anything that you'd get today from a certification authority should be fine. If you're generating your own certificate ("self-signed"), make sure you choose a proper hashing algorithm.

You don't mention the Java version you're using: as Tomcat 6 is compatible with Java 5 and up, there's also a good chance that you're running an old JVM that doesn't support all the current algorithms. This might be another part of your stack to upgrade in order to solve your problem.

With regards to generating a new certificate: it depends. Do you need a self-signed cert? Do you need a trusted one? Either way, the machine connecting to the server using your new cert will need to trust its issuer (you or a certification authority). Explaining this, with all its nuances, is a bit too much for a mailing list answer. There are numerous tutorials, step-by-step instructions and explanations available on the web; you'll need to search for them and insert your personal requirements and situation.

Olaf

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
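The two practical steps behind Olaf's answer, finding which certificate in the chain is SHA-1 signed and generating a SHA-256 replacement, as an added example that is not part of the thread and not Tomcat's or the list's own code. It needs only the openssl command line; the host name, the CN "tomcat.example.test", the keystore password "changeit" and the output paths are assumptions for illustration. The weak-algorithm list mirrors the scanner text quoted above (MD2, MD4, MD5, SHA-1).

```shell
#!/bin/sh
# Added example (not from the thread): inspect the signature algorithms of a
# server's certificate chain and generate a SHA-256 self-signed replacement.
# Requires only the openssl CLI. Host names, paths and passwords are made up.

# Classify an X.509 signature algorithm name the way the scanner quoted in the
# thread does: MD2, MD4, MD5 and SHA-1 signatures are weak. Returns 0 if weak.
is_weak_sigalg() {
    alg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$alg" in
        *md2*|*md4*|*md5*|*sha1*|*sha-1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the signature algorithm of a single PEM certificate file.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Walk every certificate in a PEM bundle (for example the output of
# "openssl s_client -showcerts"), print subject and signature algorithm,
# and return 1 if any certificate in the chain is weakly signed.
check_chain() {
    bundle=$1
    splitdir=$(mktemp -d)
    awk -v d="$splitdir" '
        /-----BEGIN CERTIFICATE-----/ { i++; f = d "/cert" i ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }' "$bundle"
    chain_rc=0
    for c in "$splitdir"/cert*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject)
        alg=$(cert_sigalg "$c")
        if is_weak_sigalg "$alg"; then
            printf 'WEAK  %s  %s\n' "$alg" "$subj"
            chain_rc=1
        else
            printf 'ok    %s  %s\n' "$alg" "$subj"
        fi
    done
    rm -rf "$splitdir"
    return $chain_rc
}

# Fetch the chain a live server presents (needs network; not used by the demo).
fetch_chain() {  # $1 = host, $2 = port, $3 = output file
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null >"$3"
}

# Generate a 2048-bit RSA key and a SHA-256 self-signed certificate.
make_sha256_selfsigned() {  # $1 = output dir, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 397 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Bundle key and cert into a PKCS#12 keystore, which the Tomcat 6 HTTPS
# Connector loads with keystoreType="PKCS12" in server.xml, e.g.
#   <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
#              keystoreFile="conf/tomcat.p12" keystoreType="PKCS12"
#              keystorePass="changeit" sslProtocol="TLS" />
make_pkcs12() {  # $1 = dir with key.pem and cert.pem, $2 = keystore password
    openssl pkcs12 -export -name tomcat -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/tomcat.p12" -passout "pass:$2"
}

main() {
    work=$(mktemp -d)
    make_sha256_selfsigned "$work" tomcat.example.test
    make_pkcs12 "$work" changeit
    check_chain "$work/cert.pem"
    echo "keystore written to $work/tomcat.p12"
}

# Run "sh thisfile.sh demo" to generate a keystore and check it; to audit a
# live server instead: fetch_chain host 8443 chain.pem && check_chain chain.pem
case "${1:-}" in demo) main ;; esac
```

Two caveats for the Tomcat 6 setting in the thread: the check treats every certificate the server sends alike, so a weakly signed intermediate is reported just like a weak leaf, which is what the scanner description says it does; and a PKCS#12 file written by OpenSSL 3 uses newer default encryption that old JVMs cannot read, so on such a JVM either add `-legacy` to the `openssl pkcs12` call or build a JKS keystore with the JVM's own keytool.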