On Wed, Jan 06, 2021 at 03:34:17PM -0800, James H. H. Lampert wrote: > We just had our first Tomcat 8.5 installation on a customer's AS/400. > > The customer apparently has his own CA (they're a big company), and when > I installed SSL in their Tomcat, and tested it with a browser, it > complained, something to the general effect of "weak signature algorithm." > > While it's not really my problem (and is only connected to Tomcat by > virtue of it happening with a Tomcat server), I'm curious about what's > up with it, if anybody here is able and willing to explain it.
The beginning of this page might be helpful: https://frasertweedale.github.io/blog-redhat/posts/2017-11-10-freeipa-changing-signature-algorithm.html Simply: the message is saying that the customer's CA signed this certificate in a way that's not now believed by the browser's authors to be sufficiently secure. I don't know what tools are available in the AS/400 environment, but here's how I would use OpenSSL on Linux to inspect a certificate: $ openssl x509 -noout -text -in /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem Certificate: Data: Version: 1 (0x0) Serial Number: 9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57 Signature Algorithm: sha1WithRSAEncryption Issuer: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3 Validity Not Before: Oct 1 00:00:00 1999 GMT Not After : Jul 16 23:59:59 2036 GMT Subject: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3 etc. The "Signature Algorithm" is what the message is about. Here it says that the certified public key was signed by hashing it with SHA1 and then encrypting the hash with the CA's RSA private key. I just remembered that your browser probably has a way to display details of a certificate, too. BTW that certificate above was issued in 1999, when SHA1 was considered sufficient. Certificates created today should be using a stronger hash. -- Mark H. Wood Lead Technology Analyst University Library Indiana University - Purdue University Indianapolis 755 W. Michigan Street Indianapolis, IN 46202 317-274-0749 www.ulib.iupui.edu
signature.asc
Description: PGP signature