Add CertificateChainIssues.WeakSignatureAlgorithm field to surface weak signature algorithms used to sign certificates.
Weak signature algorithms include MD2, MD4, MD5, or SHA1.
These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.
NOTE: This does not apply to trusted root certificates; TLS clients trust them by their identity instead of the signature of their hash; client code setting this field would need to exclude root certificates from the determination whether the chain is vulnerable to weak signature algorithms.
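One way client code could make the determination described in the NOTE, as an added example that is not code from this change. The `Cert` record, the function names and the sample chain are hypothetical and constructed for illustration; the OIDs are the standard identifiers for these signature algorithms.

```python
from dataclasses import dataclass

# Standard signatureAlgorithm OIDs whose digest is MD2, MD4, MD5 or SHA-1.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption, not weak


@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal view of one parsed certificate."""
    subject: str
    issuer: str
    sig_oid: str      # OID from the certificate's signatureAlgorithm field
    fingerprint: str  # digest of the DER encoding, identifies the certificate


def is_trusted_root(cert, trust_store):
    # Trusted by identity: self-issued AND present in the local trust store.
    # A self-signed certificate outside the store gets no exemption.
    return cert.subject == cert.issuer and cert.fingerprint in trust_store


def weak_signature_certs(chain, trust_store):
    """Return (subject, algorithm) for each non-root cert with a weak signature."""
    findings = []
    for cert in chain:
        if is_trusted_root(cert, trust_store):
            continue  # the root's own signature is never relied on
        name = WEAK_SIGNATURE_OIDS.get(cert.sig_oid)
        if name is not None:
            findings.append((cert.subject, name))
    return findings


# Constructed sample data: names and fingerprints are placeholders.
SHA1_RSA = "1.2.840.113549.1.1.5"
ROOT = Cert("CN=Example Root", "CN=Example Root", SHA1_RSA, "fp-root")
INTERMEDIATE = Cert("CN=Example CA", "CN=Example Root", SHA1_RSA, "fp-ca")
LEAF = Cert("CN=www.example.test", "CN=Example CA", SHA256_RSA, "fp-leaf")
SELF_SIGNED = Cert("CN=device.example.test", "CN=device.example.test",
                   "1.2.840.113549.1.1.4", "fp-device")
TRUST_STORE = {"fp-root"}
```

A non-empty result from `weak_signature_certs` is the condition under which the caller would set `CertificateChainIssues.WeakSignatureAlgorithm`.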