Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Confused about SHA1 in Certs and upcoming changes in browsers - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Confused about SHA1 in Certs and upcoming changes in browsers
I am confused by the upcoming changes involving browsers and the use of SHA1 vs SHA256.

1) Our current certs list a SHA1 Fingerprint and a SHA256 PIN. Does this mean they won't work when browsers turn off SHA1?

2) Is there a testing tool that is pre-set for the upcoming changes that I could use to test against our sites to see if browsers will be able to connect to them after SHA1 is sunsetted?

Thanks,
Dana McLaughlin
Dana

1 Posts
1) Our current certs list a SHA1 Fingerprint and a SHA256 PIN. Does this mean they won't work when browsers turn off SHA1?

My understanding is that certificates with ONLY SHA-1-based signatures (except trusted root certificates) won't work. When we replaced our SSL certs with SHA-2 versions there was a SHA1 and SHA2 fingerprint present so I am guessing this is normal. I am open to correction, but they did pass testing with SSLLabs so we are pretty confident they will work without issue next year.


2) Is there a testing tool that is pre-set for the upcoming changes that I could use to test against our sites to see if browsers will be able to connect to them after SHA1 is sunsetted?

There is the development version of SSL Labs that you could look at: https://dev.ssllabs.com/ssltest. It contains the new grading for 2017 including SHA1 deprecation. A full list of changes is available here: https://blog.qualys.com/ssllabs/2016/11/16/announcing-ssl-labs-grading-changes-for-2017.

Regards,

Nigel.
Nigel

1 Posts
In some browsers (for example Safari), you can turn off support for SHA-1 signatures in your browsers. That, and ssllabs.com, is probably the easiest way to test your sites. Johannes

3085 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!