On Wed, Jan 06, 2021 at 03:34:17PM -0800, James H. H. Lampert wrote:
> We just had our first Tomcat 8.5 installation on a customer's AS/400.
> 
> The customer apparently has his own CA (they're a big company), and when 
> I installed SSL in their Tomcat, and tested it with a browser, it 
> complained, something to the general effect of "weak signature algorithm."
> 
> While it's not really my problem (and is only connected to Tomcat by 
> virtue of it happening with a Tomcat server), I'm curious about what's 
> up with it, if anybody here is able and willing to explain it.

The beginning of this page might be helpful:
  
https://frasertweedale.github.io/blog-redhat/posts/2017-11-10-freeipa-changing-signature-algorithm.html

Simply:  the message is saying that the customer's CA signed this
certificate in a way that's not now believed by the browser's authors
to be sufficiently secure.

I don't know what tools are available in the AS/400 environment, but
here's how I would use OpenSSL on Linux to inspect a certificate:

  $ openssl x509 -noout -text -in /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
  Certificate:
      Data:
          Version: 1 (0x0)
          Serial Number:
              9b:7e:06:49:a3:3e:62:b9:d5:ee:90:48:71:29:ef:57
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
          Validity
              Not Before: Oct  1 00:00:00 1999 GMT
              Not After : Jul 16 23:59:59 2036 GMT
          Subject: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G3
etc.

The "Signature Algorithm" is what the message is about.  Here it says
that the certified public key was signed by hashing it with SHA1 and
then encrypting the hash with the CA's RSA private key.

I just remembered that your browser probably has a way to display
details of a certificate, too.

BTW that certificate above was issued in 1999, when SHA1 was
considered sufficient.  Certificates created today should be using a
stronger hash.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
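
The inspection described in the message above, extended to every certificate in a PEM file, as an added example that is not part of the original post. The function names, the file names in the usage comment and the list of hashes treated as weak are assumptions.

```shell
# Map an OpenSSL signature-algorithm name to a verdict.
# Assumption: MD2, MD5 and SHA-1 signatures are the ones treated as weak.
classify_sigalg() {
    case "$1" in
        md2With*|md5With*|sha1With*|dsaWithSHA1|ecdsa-with-SHA1) echo weak ;;
        '') echo unknown ;;
        *)  echo ok ;;
    esac
}

# Read "openssl ... -text" output on stdin and print "<algorithm>\t<subject>"
# per certificate. The algorithm is printed twice per certificate (inside Data
# and before the signature bytes); only the first occurrence is used.
summarize_text() {
    awk '
        /^ *Certificate:/ { if (alg != "") print alg "\t" subj; alg = ""; subj = "" }
        /Signature Algorithm:/ && alg == "" {
            sub(/.*Signature Algorithm: */, ""); sub(/[ \t\r]+$/, ""); alg = $0; next
        }
        /^ *Subject:/ { sub(/^ *Subject: */, ""); subj = $0 }
        END { if (alg != "") print alg "\t" subj }
    '
}

# Print "verdict<TAB>algorithm<TAB>subject" lines; return 1 unless all are ok.
report_text() {
    not_ok=0
    tab=$(printf '\t')
    summary=$(summarize_text)
    while IFS="$tab" read -r alg subj; do
        verdict=$(classify_sigalg "$alg")
        printf '%s\t%s\t%s\n' "$verdict" "$alg" "$subj"
        [ "$verdict" = ok ] || not_ok=1
    done <<EOF
$summary
EOF
    return "$not_ok"
}

# Check every certificate in a PEM file (leaf plus any intermediates).
check_pem() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -text -noout | report_text
}

# Usage: sh check-sigalg.sh chain.pem   (both file names are placeholders)
if [ "$#" -gt 0 ]; then check_pem "$1"; fi
```

Browsers evaluate the signatures on the server certificate and its intermediates rather than a trusted root's self-signature, so run this against the chain the server actually presents.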
