Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing

James H. H. Lampert
We just had our first Tomcat 8.5 installation on a customer's AS/400.

The customer apparently has his own CA (they're a big company), and when
I installed SSL in their Tomcat, and tested it with a browser, it
complained, something to the general effect of "weak signature algorithm."

While it's not really my problem (and is only connected to Tomcat by
virtue of it happening with a Tomcat server), I'm curious about what's
up with it, if anybody here is able and willing to explain it.

Of course, a customer that's big enough to run a private CA in
production is already doing things beyond my pay grade.

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing

Robert Turner
You'll want to set the protocols, ciphers, and honorCipherOrder attributes
on either the Connector or the SSLHostConfig objects in your server.xml
file to restrict the available TLS/SSL protocols and ciphers available to
avoid using weak ones.

See the documentation here for details:
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support

For example (please pick TLS levels and ciphers for your application --
this may not suit your requirements):

<Connector protocol="HTTP/1.1" port="80" redirectPort="443" />

    <Connector port="443" defaultSSLHostConfigName="my-domain.com"
scheme="https" secure="true" SSLEnabled="true"
protocol="org.apache.coyote.http11.Http11AprProtocol">
        <SSLHostConfig
  protocols="+TLSv1.3+TLSv1.2"
  honorCipherOrder="true"

ciphers="HIGH:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!ECDHE-RSA-AES256-SHA384:!DHE-RSA-AES256-SHA256:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES128-SHA"
              hostName="my-domain.com">

            <Certificate
certificateKeyFile="conf/my_domain_com-ECC.private.key"
                         certificateFile="conf/my_domain_com-ECC.pem"

 certificateChainFile="conf/my_domain_com-ECC.intermediate.pem"
                         type="EC"
/>
        </SSLHostConfig>
        <SSLHostConfig protocols="+TLSv1.3+TLSv1.2"
  honorCipherOrder="true"

ciphers="HIGH:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!ECDHE-RSA-AES256-SHA384:!DHE-RSA-AES256-SHA256:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES128-SHA"
              hostName="my-domain.com">
            <Certificate certificateKeyFile="conf/my_domain_com.private.key"
                         certificateFile="conf/my_domain_com.crt"

 certificateChainFile="conf/my_domain_com.intermediate.crt"
                         type="RSA"
/>
        </SSLHostConfig>
    </Connector>


On Wed, Jan 6, 2021 at 6:34 PM James H. H. Lampert <[hidden email]>
wrote:

> We just had our first Tomcat 8.5 installation on a customer's AS/400.
>
> The customer apparently has his own CA (they're a big company), and when
> I installed SSL in their Tomcat, and tested it with a browser, it
> complained, something to the general effect of "weak signature algorithm."
>
> While it's not really my problem (and is only connected to Tomcat by
> virtue of it happening with a Tomcat server), I'm curious about what's
> up with it, if anybody here is able and willing to explain it.
>
> Of course, a customer that's big enough to run a private CA in
> production is already doing things beyond my pay grade.
>
> --
> JHHL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
Reply | Threaded
Open this post in threaded view
|

Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing

James H. H. Lampert
On 1/6/21 3:46 PM, Robert Turner wrote:
> You'll want to set the protocols, ciphers, and honorCipherOrder ...

The precise wording in the error message is:
> . . . but the server presented a certificate signed using a weak
> signature algorithm (such as SHA-1). . . .

Which is to say, it doesn't sound like a cipher or protocol problem, or
anything else that's actually under Tomcat's control.

But I figured somebody here might know something about it.

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing

logo
In reply to this post by James H. H. Lampert
James,

> Am 07.01.2021 um 00:34 schrieb James H. H. Lampert <[hidden email]>:
>
> ´╗┐We just had our first Tomcat 8.5 installation on a customer's AS/400.
>
> The customer apparently has his own CA (they're a big company), and when I installed SSL in their Tomcat, and tested it with a browser, it complained, something to the general effect of "weak signature algorithm."
>
I guess they never upgraded their CA and still sign the certs with SHA1 or even MD5.

They should change that for sure!

Peter

> While it's not really my problem (and is only connected to Tomcat by virtue of it happening with a Tomcat server), I'm curious about what's up with it, if anybody here is able and willing to explain it.
>
> Of course, a customer that's big enough to run a private CA in production is already doing things beyond my pay grade.
>
> --
> JHHL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing

Mark H. Wood
In reply to this post by James H. H. Lampert
On Wed, Jan 06, 2021 at 03:34:17PM -0800, James H. H. Lampert wrote:
> We just had our first Tomcat 8.5 installation on a customer's AS/400.
>
> The customer apparently has his own CA (they're a big company), and when
> I installed SSL in their Tomcat, and tested it with a browser, it
> complained, something to the general effect of "weak signature algorithm."
>
> While it's not really my problem (and is only connected to Tomcat by
> virtue of it happening with a Tomcat server), I'm curious about what's
> up with it, if anybody here is able and willing to explain it.

The beginning of this page might be helpful:
  https://frasertweedale.github.io/blog-redhat/posts/2017-11-10-freeipa-changing-signature-algorithm.html

Simply:  the message is saying that the customer's CA signed this
certificate in a way that's not now believed by the browser's authors
to be sufficiently secure.

I don't know what tools are available in the AS/400 environment, but
here's how I would use OpenSSL on Linux to inspect a certificate:

  $ openssl x509 -noout -text -in /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
  Certificate:
      Data:
          Version: 1 (0x0)
          Serial Number:
              9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
          Validity
              Not Before: Oct  1 00:00:00 1999 GMT
              Not After : Jul 16 23:59:59 2036 GMT
          Subject: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
etc.

The "Signature Algorithm" is what the message is about.  Here it says
that the certified public key was signed by hashing it with SHA1 and
then encrypting the hash with the CA's RSA private key.

I just remembered that your browser probably has a way to display
details of a certificate, too.

BTW that certificate above was issued in 1999, when SHA1 was
considered sufficient.  Certificates created today should be using a
stronger hash.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

signature.asc (201 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Browser complains of "weak signature algorithm" in cert on a new Tomcat installation. Does anybody here know anything about that sort of thing

James H. H. Lampert
Thanks to all, for both satisfying my morbid curiosity and verifying
that it's the customer's problem, not mine.

--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]