SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)
Info Nessus Plugin ID 95631
SynopsisA known CA SSL certificate in the certificate chain has been signed using a weak hashing algorithm.
DescriptionThe remote service uses a known CA certificate in the SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g., MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing the attacker to masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.
SolutionContact the Certificate Authority to have the certificate reissued.