Just got this from a wireless lan list: "We has been struggling with a recent patch from Ubuntu that broke encrypted connections between some of our internal servers. Long story short: Ubuntu now uses GNU-TLS and the latest security patch has removed support for SHA-1. Error messages in Ubuntu or in LDAP were not explicit enough to make it obvious. Some of you may face this issue between RADIUS and LDAP (still used quite a bit for 802.1X). This issue will most likely affect internally issued infrastructure certificates! Fix: Do not patch GNU-TLS (is this a good idea?) or recreate your ROOT CA to support SHA-2 family"
On Feb 25, 2020, at 12:43 PM, Danner, Mearl <jmdanner@samford.edu> wrote:
Just got this from a wireless lan list:
"We has been struggling with a recent patch from Ubuntu that broke encrypted connections between some of our internal servers.
Long story short: Ubuntu now uses GNU-TLS and the latest security patch has removed support for SHA-1. Error messages in Ubuntu or in LDAP were not explicit enough to make it obvious.
SHA-1 has been deprecated for years.
Some of you may face this issue between RADIUS and LDAP (still used quite a bit for 802.1X). This issue will most likely affect internally issued infrastructure certificates!
Fix: Do not patch GNU-TLS (is this a good idea?) or recreate your ROOT CA to support SHA-2 family"
You should use SHA-2 for all of your certs. Everyone should have switched to that years ago. :( Alan DeKok.
Am 25.02.20 um 23:41 schrieb Alan DeKok:
You should use SHA-2 for all of your certs. Everyone should have switched to that years ago. :( yes. There may be a corner case, though. The root cert itself is not signed by anyone, of course. I.e. technically, it's a self-signed cert. If you have an SHA-1 signature part here, no security issue will arise, but some TLS exchanges will break nevertheless. We had this issue during a short period when we had started re-issuing all certs with SHA-256 signatures except for the root cert itself.
Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (3)
-
Alan DeKok -
Danner, Mearl -
Martin Pauly