Impact on the ProxySG appliance when SHA-1 certificate is deprecated

Article ID: 168823

Products

ProxySG Software - SGOS

Issue/Introduction

Microsoft and Google have shared timelines for their deprecation of SHA1:

https://support.globalsign.com/customer/portal/articles/1447169

There is no impact on the ProxySG appliance because the appliance ships with other ciphers (including SHA256, which will replace SHA1).

Resolution

You can also remove the SHA1 ciphers from the appliance so that it does not use the deprecated cipher, as follows:

  1. Log in to the Management Console and select Configuration > SSL > Device Profiles.
  2. Select the default profile and click Edit.
  3. On the dialog, click Edit Ciphers. Remove all SHA1 ciphers and click OK.
  4. Click OK, and then click Apply to save changes.

You can also accomplish this using the CLI, as in the example below:

SG300 Series#config terminal
SG300 Series#(config)ssl
SG300 Series#(config ssl)
SG300 Series#(config ssl)edit ssl-client 
SG300 Series#(config ssl)edit ssl-client default
SG300 Series#(config ssl ssl-client default)cipher-suite ?
 [<cipher-suite>]+
 <Enter>
SG300 Series#(config ssl ssl-client default)cipher-suite "ECDHE-RSA-AES256-SHA384"
  ok
SG300 Series#(config ssl ssl-client default)

Note: You can take a packet capture and observe the "Client Hello" of the server-side connection where the appliance sends the list of supported ciphers to the server. The OCS should use its supported ciphers and proceed with the SSL handshake.
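
The check described in the note can be scripted. The following is an added example, not code from the original article or from the vendor: it parses a raw TLS "Client Hello" record and lists any offered cipher suites whose MAC is SHA-1. It assumes you have exported the record bytes from your capture; the sample records and the helper names here are constructed for illustration, and 0xC028 is the IANA code point for the ECDHE-RSA-AES256-SHA384 suite used in the CLI example.

```python
import struct

# IANA TLS cipher suite code points (a small subset, enough for this check).
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def offered_suites(record: bytes) -> list[str]:
    """Return the cipher suites offered in one raw TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    try:
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[9:5 + rec_len]      # skip record (5) and handshake (4) headers
        pos = 2 + 32                      # client_version + random
        pos += 1 + body[pos]              # session_id length byte + session_id
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        raw = body[pos + 2:pos + 2 + n]
        codes = struct.unpack(f"!{n // 2}H", raw)
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello") from None
    # Code points missing from SUITES are reported in hex and left unclassified.
    return [SUITES.get(c, f"0x{c:04X}") for c in codes]

def sha1_suites(record: bytes) -> list[str]:
    """Suites whose MAC is SHA-1: their IANA names end in '_SHA'."""
    return [s for s in offered_suites(record) if s.endswith("_SHA")]

def client_hello(codes: list[int]) -> bytes:
    """Build a minimal ClientHello record (constructed sample, no extensions)."""
    cs = struct.pack(f"!{len(codes)}H", *codes)
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a mixed offer, then the single suite from the CLI example.
BEFORE = client_hello([0xC030, 0xC028, 0xC014, 0x0035, 0x002F])
AFTER = client_hello([0xC028])

if __name__ == "__main__":
    for label, rec in (("before", BEFORE), ("after", AFTER)):
        print(label, "SHA-1 suites offered:", sha1_suites(rec) or "none")
```

An empty result from sha1_suites() for the appliance's server-side Client Hello confirms that the SHA1 ciphers were removed from the profile.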