SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

A known CA SSL certificate in the certificate chain has been signed
using a weak hashing algorithm.

Description :

The remote service uses a known CA certificate in the SSL certificate
chain that has been signed using a cryptographically weak hashing
algorithm (e.g., MD2, MD4, MD5, or SHA1). These signature algorithms
are known to be vulnerable to collision attacks. An attacker can
exploit this to generate another certificate with the same digital
signature, allowing the attacker to masquerade as the affected
service.

Note that this plugin reports all SSL certificate chains signed with
SHA-1 that expire after January 1, 2017 as vulnerable. This is in
accordance with Google's gradual sunsetting of the SHA-1 cryptographic
hash algorithm.

See also :

http://tools.ietf.org/html/rfc3279
http://technet.microsoft.com/en-us/security/advisory/961509

Solution :

Contact the Certificate Authority to have the certificate reissued.

Risk factor :

None

Family: General

Nessus Plugin ID: 95631 ()

Bugtraq ID: 11849
33065

CVE ID: CVE-2004-2761

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now