You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "James H. H. Lampert" <ja...@touchtonecorp.com> on 2021/01/06 23:34:17 UTC
Browser complains of "weak signature algorithm" in cert on a new
Tomcat installation. Does anybody here know anything about that sort of thing
We just had our first Tomcat 8.5 installation on a customer's AS/400.
The customer apparently has his own CA (they're a big company), and when
I installed SSL in their Tomcat, and tested it with a browser, it
complained, something to the general effect of "weak signature algorithm."
While it's not really my problem (and is only connected to Tomcat by
virtue of it happening with a Tomcat server), I'm curious about what's
up with it, if anybody here is able and willing to explain it.
Of course, a customer that's big enough to run a private CA in
production is already doing things beyond my pay grade.
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Browser complains of "weak signature algorithm" in cert on a new
Tomcat installation. Does anybody here know anything about that sort of thing
Posted by Peter Kreuser <lo...@kreuser.name>.
James,
> Am 07.01.2021 um 00:34 schrieb James H. H. Lampert <ja...@touchtonecorp.com>:
>
> We just had our first Tomcat 8.5 installation on a customer's AS/400.
>
> The customer apparently has his own CA (they're a big company), and when I installed SSL in their Tomcat, and tested it with a browser, it complained, something to the general effect of "weak signature algorithm."
>
I guess they never upgraded their CA and still sign the certs with SHA1 or even MD5.
They should change that for sure!
Peter
> While it's not really my problem (and is only connected to Tomcat by virtue of it happening with a Tomcat server), I'm curious about what's up with it, if anybody here is able and willing to explain it.
>
> Of course, a customer that's big enough to run a private CA in production is already doing things beyond my pay grade.
>
> --
> JHHL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Browser complains of "weak signature algorithm" in cert on a new
Tomcat installation. Does anybody here know anything about that sort of thing
Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
On 1/6/21 3:46 PM, Robert Turner wrote:
> You'll want to set the protocols, ciphers, and honorCipherOrder ...
The precise wording in the error message is:
> . . . but the server presented a certificate signed using a weak
> signature algorithm (such as SHA-1). . . .
Which is to say, it doesn't sound like a cipher or protocol problem, or
anything else that's actually under Tomcat's control.
But I figured somebody here might know something about it.
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Browser complains of "weak signature algorithm" in cert on a new
Tomcat installation. Does anybody here know anything about that sort of thing
Posted by Robert Turner <rt...@e-djuster.ca>.
You'll want to set the protocols, ciphers, and honorCipherOrder attributes
on either the Connector or the SSLHostConfig objects in your server.xml
file to restrict the available TLS/SSL protocols and ciphers available to
avoid using weak ones.
See the documentation here for details:
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support
For example (please pick TLS levels and ciphers for your application --
this may not suit your requirements):
<Connector protocol="HTTP/1.1" port="80" redirectPort="443" />
<Connector port="443" defaultSSLHostConfigName="my-domain.com"
scheme="https" secure="true" SSLEnabled="true"
protocol="org.apache.coyote.http11.Http11AprProtocol">
<SSLHostConfig
protocols="+TLSv1.3+TLSv1.2"
honorCipherOrder="true"
ciphers="HIGH:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!ECDHE-RSA-AES256-SHA384:!DHE-RSA-AES256-SHA256:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES128-SHA"
hostName="my-domain.com">
<Certificate
certificateKeyFile="conf/my_domain_com-ECC.private.key"
certificateFile="conf/my_domain_com-ECC.pem"
certificateChainFile="conf/my_domain_com-ECC.intermediate.pem"
type="EC"
/>
</SSLHostConfig>
<SSLHostConfig protocols="+TLSv1.3+TLSv1.2"
honorCipherOrder="true"
ciphers="HIGH:!CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:!ECDHE-RSA-AES256-SHA384:!DHE-RSA-AES256-SHA256:!ECDHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-AES256-SHA:!ECDHE-ECDSA-AES128-SHA"
hostName="my-domain.com">
<Certificate certificateKeyFile="conf/my_domain_com.private.key"
certificateFile="conf/my_domain_com.crt"
certificateChainFile="conf/my_domain_com.intermediate.crt"
type="RSA"
/>
</SSLHostConfig>
</Connector>
On Wed, Jan 6, 2021 at 6:34 PM James H. H. Lampert <ja...@touchtonecorp.com>
wrote:
> We just had our first Tomcat 8.5 installation on a customer's AS/400.
>
> The customer apparently has his own CA (they're a big company), and when
> I installed SSL in their Tomcat, and tested it with a browser, it
> complained, something to the general effect of "weak signature algorithm."
>
> While it's not really my problem (and is only connected to Tomcat by
> virtue of it happening with a Tomcat server), I'm curious about what's
> up with it, if anybody here is able and willing to explain it.
>
> Of course, a customer that's big enough to run a private CA in
> production is already doing things beyond my pay grade.
>
> --
> JHHL
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Browser complains of "weak signature algorithm" in cert on a new
Tomcat installation. Does anybody here know anything about that sort of thing
Posted by "James H. H. Lampert" <ja...@touchtonecorp.com>.
Thanks to all, for both satisfying my morbid curiosity and verifying
that it's the customer's problem, not mine.
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Browser complains of "weak signature algorithm" in cert on a new
Tomcat installation. Does anybody here know anything about that sort of
thing
Posted by "Mark H. Wood" <mw...@iupui.edu>.
On Wed, Jan 06, 2021 at 03:34:17PM -0800, James H. H. Lampert wrote:
> We just had our first Tomcat 8.5 installation on a customer's AS/400.
>
> The customer apparently has his own CA (they're a big company), and when
> I installed SSL in their Tomcat, and tested it with a browser, it
> complained, something to the general effect of "weak signature algorithm."
>
> While it's not really my problem (and is only connected to Tomcat by
> virtue of it happening with a Tomcat server), I'm curious about what's
> up with it, if anybody here is able and willing to explain it.
The beginning of this page might be helpful:
https://frasertweedale.github.io/blog-redhat/posts/2017-11-10-freeipa-changing-signature-algorithm.html
Simply: the message is saying that the customer's CA signed this
certificate in a way that's not now believed by the browser's authors
to be sufficiently secure.
I don't know what tools are available in the AS/400 environment, but
here's how I would use OpenSSL on Linux to inspect a certificate:
$ openssl x509 -noout -text -in /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
Validity
Not Before: Oct 1 00:00:00 1999 GMT
Not After : Jul 16 23:59:59 2036 GMT
Subject: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
etc.
The "Signature Algorithm" is what the message is about. Here it says
that the certified public key was signed by hashing it with SHA1 and
then encrypting the hash with the CA's RSA private key.
I just remembered that your browser probably has a way to display
details of a certificate, too.
BTW that certificate above was issued in 1999, when SHA1 was
considered sufficient. Certificates created today should be using a
stronger hash.
--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu