-sha256 flag is (unfortunately) mostly useless

konklone / shaaaaaaaaaaaaa

Check if a website has weak SHA-1 TLS certificates.

https://shaaaaaaaaaaaaa.com

BSD 3-Clause "New" or "Revised" License

207 stars 27 forks source link

-sha256 flag is (unfortunately) mostly useless #50

Closed weppos closed 9 years ago

weppos commented 9 years ago

At https://shaaaaaaaaaaaaa.com/#sha2-certificate you wrote

It's usually very simple. You'll need to generate a new certificate request that asks your CA to use SHA-2. openssl req -new -sha256 -key your-private.key -out your-domain.csr

Unfortunately, from my tests, it looks like most of the CA ignores the signature requested in the CSR.

You may want to add a note about it.

justinribeiro commented 9 years ago

There is an ongoing thread about this that discusses complications and workarounds with common CA's: issue #24

konklone commented 9 years ago

Thanks for pointing this out, @weppos. I had wrongly assumed the -sha256 was a request for the signature algorithm -- actually, it's just what the CSR itself is signed with (which some CAs seem to take as a sign of what they should use for the cert).

I just updated the copy in ff91707 to de-emphasize signing the CSR with SHA-2, and to emphasize that each CA is different.