Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2020/10/08 07:49:00 UTC

[jira] [Comment Edited] (OFBIZ-12028) warning of sha-1

    [ https://issues.apache.org/jira/browse/OFBIZ-12028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17209439#comment-17209439 ] 

Jacques Le Roux edited comment on OFBIZ-12028 at 10/8/20, 7:48 AM:
-------------------------------------------------------------------

Oops, F12 "the browser's console" of course, I thought about OFBiz console/logs :/

This is only when you use localhost as server because we have a very simple embedded self-signed certificate (see *.jks files and OFBIZ-9659). We recommend using Let's Encrypt for your servers.

BTW somehow related, we also still use SHA-1 internally for some encoding.
We don't worry about that yet, see https://markmail.org/message/vtwktynlecx7lczl and OFBIZ-9150
In case this can reassure you: https://www.keylength.com/en/4/ , quoting:
bq.  	(2) SHA-1 has been demonstrated to provide less than 80 bits of security for digital signatures, which require collision resistance. In 2020, the security strength against digital signature collisions remains a subject of speculation.

I close as "not a problem"




was (Author: jacques.le.roux):
Oops, F12 "the browser's console" of course, I thought about OFBiz console/logs :/

This is only when you use localhost has server because we have a very simple embedded self-signed certificate (see *.jks files and OFBIZ-9659). We recommend using Let's Encrypt for your servers.

BTW somehow related, we also still use SHA-1 internally for some encoding.
We don't worry about that yet, see https://markmail.org/message/vtwktynlecx7lczl and OFBIZ-9150
In case this can reassure you: https://www.keylength.com/en/4/ , quoting:
bq.  	(2) SHA-1 has been demonstrated to provide less than 80 bits of security for digital signatures, which require collision resistance. In 2020, the security strength against digital signature collisions remains a subject of speculation.

I close as "not a problem"



> warning of sha-1
> ----------------
>
>                 Key: OFBIZ-12028
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12028
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>    Affects Versions: Trunk
>            Reporter: Alex Bodnaru
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> this warning is cluttering the console, potentially hiding more relevant warnings/errors.
> This site makes use of a SHA-1 Certificate; it’s recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1
> maybe some configuration will help choosing another algo?


