Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2020/10/08 07:49:00 UTC
[jira] [Comment Edited] (OFBIZ-12028) warning of sha-1
[ https://issues.apache.org/jira/browse/OFBIZ-12028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17209439#comment-17209439 ]
Jacques Le Roux edited comment on OFBIZ-12028 at 10/8/20, 7:48 AM:
-------------------------------------------------------------------
Oops, F12 "the browser's console" of course, I thought about OFBiz console/logs :/
This is only when you use localhost as server because we have a very simple embedded self-signed certificate (see *.jks files and OFBIZ-9659). We recommend using Let's Encrypt for your servers.
BTW, somehow related, we also still use SHA-1 internally for some encoding.
We don't worry about that yet, see https://markmail.org/message/vtwktynlecx7lczl and OFBIZ-9150
In case this can reassure you: https://www.keylength.com/en/4/ , quoting:
bq. (2) SHA-1 has been demonstrated to provide less than 80 bits of security for digital signatures, which require collision resistance. In 2020, the security strength against digital signature collisions remains a subject of speculation.
I close as "not a problem"
> warning of sha-1
> ----------------
>
> Key: OFBIZ-12028
> URL: https://issues.apache.org/jira/browse/OFBIZ-12028
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Alex Bodnaru
> Assignee: Jacques Le Roux
> Priority: Major
>
> this warning is cluttering the console, potentially hiding more relevant warnings/errors.
> This site makes use of a SHA-1 Certificate; it’s recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1
> maybe some configuration will help choosing another algo?