When running a vulnerability scan of Messaging Gateway (SMG), the scan returns a warning that the TLS/SSL certificate used by the Control Center web application server has been signed with a weak hashing algorithm.
The remote service uses an SSL certificate chain that has been signed with a cryptographically weak hash algorithm (for example, MD2, MD4, MD5, or SHA1). It is known that these signature algorithms are vulnerable to collision attacks. An attacker might exploit this to generate another certificate with the same digital signature, allowing it to impersonate the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in line with Google's gradual phase-out of the SHA-1 cryptographic hash algorithm.
Release : 10.8.0
Messaging Gateway ships with a default, demo certificate which is intended for temporary use while a third party signed certificate is obtained for use in securing communication with the Control Center web application. This sample certificate is currently signed with the SHA1 hash algorithm which is now considered insecure and will raise an alert during more recent vulnerability scans.
This issue may be addressed by replacing the sample, self-signed certificate with a new certificate signed either by a third-party certificate authority or by your organization's internal certificate authority.
Instructions for adding certificates may be found in the product documentation linked from the Administration > Certificates page in the Control Center.
Once the updated certificate has been added to Administration > Certificates, the Control Center web application certificate can be configured in Administration > Control Center > Certificates.