Not using SHA-1 Certificate for self-signed SSL

NotionCommotion · 05-16-2015, 02:43 PM

Firebug displays the following error when viewing my site:

Quote:

This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.

My approach to generate self-signed SSL keys is shown below. I didn't think I was using SHA-1, but thought I was using SHA-256.

What should I do to eliminate this warning?

Thank you

Code:

# generate mysite.coms's RSA keypair with 3072 bits and encrypt it
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -aes-128-cbc -out mysite_key.pem

# generate a certificate signing request.  Used FQDN of server (i.e. mysite.com).  Use email with dot to prevent spam.  Didn't include an "extra" password
openssl req -new -key mysite_key.pem -sha256 -days 365 -out mysite_csr.pem

# Remove pass-phrase from the key
cp mysite_key.pem mysite_key.pem.tmp
openssl rsa -in mysite_key.pem.tmp -out mysite_key.pem
rm -f mysite_key.pem.tmp

# sign the certificate with the key itself.  Skip this step if using a CA
openssl x509 -req -in mysite_csr.pem -signkey mysite_key.pem -sha256 -days 365 -out mysite_crt.pem

# Copy the files to the correct locations (don't move since it will cause problems with selinux). Be sure to keep at read only by root
cp mysite_key.pem /etc/pki/tls/private/mysite_key.pem
cp mysite_csr.pem /etc/pki/tls/private/mysite_csr.pem
cp mysite_crt.pem /etc/pki/tls/certs/mysite_crt.pem
rm -f mysite_key.pem
rm -f mysite_csr.pem
rm -f mysite_crt.pem

# update /etc/httpd/conf.d/ssl.conf as follows:
# SSLCertificateFile /etc/pki/tls/certs/mysite_crt.pem
# SSLCertificateKeyFile /etc/pki/tls/private/mysite_key.pem

/etc/init.d/httpd restart

Pearlseattle · 05-17-2015, 09:22 AM

Hi
Just writing without thinking:
Do you have by chance something like this in the config of your vhost (if you're using Apache)?

Code:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

If it's similar you could try replacing it with something more restrictive like:

Code:

SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5

NotionCommotion · 05-17-2015, 10:57 AM

Quote:

Originally Posted by Pearlseattle

Hi
Just writing without thinking:
Do you have by chance something like this in the config of your vhost (if you're using Apache)?

Code:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

If it's similar you could try replacing it with something more restrictive like:

Code:

SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5

Hi Pearlseattle, I had the following in /etc/httpd/conf.d/ssl.conf, and changed it to your recommended script, but no change. Not positive, but think the problem is the certificate and not the Apache configuration.

Code:

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Pearlseattle · 05-17-2015, 11:05 AM

Sorry, it was just a shot in the dark

Could you please tell me where exactly you see the warning/message in Firebug (I activated it against my site but didn't see anthing, but I have a cert signed externally by godaddy)? Does the warning show up immediately after activating the Firebug lower "frame" in Firefox?

NotionCommotion · 05-17-2015, 11:41 AM

Hello again. It shows the message every time a page is loaded. If the site has any GET/POST requests, it shows it every time and I sometimes have over ten warnings on a page load. I couldn't figure out how to add an image on this forum, but included a link http://s24.postimg.org/9qe6wwk79/firebug.png.

Thanks!

Pearlseattle · 05-17-2015, 12:15 PM

Thank you.
Before that we start doing some too-deep testing etc..., can you post as well the configuration (at least the main parts) of your vhost-apache-config-file that your site is using?
(anonymize names of files, host, etc...)

NotionCommotion · 05-17-2015, 02:49 PM

Quote:

Originally Posted by Pearlseattle

Thank you.
Before that we start doing some too-deep testing etc..., can you post as well the configuration (at least the main parts) of your vhost-apache-config-file that your site is using?
(anonymize names of files, host, etc...)

Lot of stuff! I deleted most of the comments to shorten it.

Also, looks like my certificate is sha256, no?

Code:

[root@devserver ~]# openssl req -in /etc/pki/tls/private/mysite_csr.pem -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Washington, L=Bothell, O=MySite, CN=mysite.com/emailAddress=xxx@comcastdotnet
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                    xxxx
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         xxxx
[root@devserver ~]#

Code:

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

ServerTokens OS
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 60
KeepAlive Off
MaxKeepAliveRequests 100

KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
## 

<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000
</IfModule>

<IfModule worker.c>
StartServers         4
MaxClients         300
MinSpareThreads     25
MaxSpareThreads     75 
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>

Listen 80

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so

# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf

#ExtendedStatus On

User apache
Group apache

### Section 2: 'Main' server configuration
ServerAdmin root@localhost

ServerName www.example.com:80
#ServerName www.mysite.com:80

UseCanonicalName Off

DocumentRoot "/var/www/html"

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/var/www/html">

    Options Indexes FollowSymLinks
    AllowOverride None

    Order allow,deny
    Allow from all

</Directory>

<IfModule mod_userdir.c>
    UserDir disabled
    #UserDir public_html

</IfModule>

DirectoryIndex index.html index.html.var

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

TypesConfig /etc/mime.types

DefaultType text/plain

<IfModule mod_mime_magic.c>
#   MIMEMagicFile /usr/share/magic.mime
    MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off

#EnableMMAP off

EnableSendfile off

ErrorLog logs/error_log

LogLevel warn
LogFormat "h l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog logs/access_log combined

ServerSignature On

Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DAVLockDB /var/lib/dav/lockdb
</IfModule>

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

ReadmeName README.html
HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

ForceLanguagePriority Prefer Fallback

AddDefaultCharset UTF-8

#AddType application/x-tar .tgz

AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

AddHandler type-map var

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

Alias /error/ "/var/www/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/var/www/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback
    </Directory>

</IfModule>
</IfModule>

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully


### Section 3: Virtual Hosts
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    #Redirect everything to HTTPS (except machine and testing virtualhost.
    ServerName mysite.com
    ServerAlias *.mysite.com
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>


<VirtualHost *:443>
    # Sites(front and back) Server: sitename.sites.mysite.com
    ServerName mysite.com
    ServerAlias *.sites.mysite.com
    # ServerSignature Off
    ErrorDocument 404 /error-404.html
    DocumentRoot /var/www/mysite/html_sites
    
    XSendFile On
    XSendFilePath /var/www/mysite/user_resources

    SSLEngine on   
    # SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5

    #SSLProtocol all -SSLv2 -SSLv3 (done in main ssl.conf file)

    SSLCertificateKeyFile /etc/pki/tls/private/mysite_key.pem

    SSLCertificateFile /etc/pki/tls/certs/mysite_crt.pem

    <Directory "/var/www/mysite/html_sites">

        allow from all
        Options +Indexes

        RewriteEngine On

        RewriteBase /

        # Remove multi-level subdomains bad.goodsite.sites.mysite.com
        RewriteCond %{HTTP_HOST} .+\.((.+)\.(.+)\.(.+)\.(.+))$ 
        RewriteRule ^ http://%1%{REQUEST_URI} [L,R=301]
        # RewriteRule ^ http://mysite.com [L,R=301]

        # If the request is for a valid directory, file, or link, don't do anything
        RewriteCond %{REQUEST_FILENAME} -d [OR]
        RewriteCond %{REQUEST_FILENAME} -f [OR]
        RewriteCond %{REQUEST_FILENAME} -l
        RewriteRule ^ - [L]

        #remove the trailing slash
        # RewriteRule (.+)/$ $1

        # Deal with admin directory.  Better way to do this???
        # RewriteRule ^(.*)/index.php$ /index.php?admin=$1 [L,QSA]
        # RewriteRule ^(.*)/$ /index.php?admin=$1 [L,QSA]
        # RewriteRule ^(.*)$ /index.php?admin=$1 [L,QSA]
        RewriteRule ^([^/]*|[^/]+/(index.php)?)$ /index.php?admin=$1 [L,QSA]
        RewriteRule ^ /error-404.html

    </Directory>
    
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
    ErrorLog  /var/log/httpd/mysite/error.log
    CustomLog /var/log/httpd/mysite/forwarded.log common_forwarded
    CustomLog /var/log/httpd/mysite/access.log combined env=!dontlog
    CustomLog /var/log/httpd/mysite/log combined

    RewriteLog /var/log/httpd/mysite/rewrite
    RewriteLogLevel 9
</VirtualHost>

Pearlseattle · 05-17-2015, 03:22 PM

Pfff... I'm not a professional.
I don't see anything which is obviously bad => let me try to do the same thing tomorrow.

Pearlseattle · 05-18-2015, 04:59 PM

I followed your same procedure and I'm not getting any such warning.
If it was you posting this then now you've got your solution