Ismail_319212
Nimbostratus
Nimbostratusvulnerabilities
How can fix the vulnerabilities on F5 Big IP ver12.1.0 please advice me
SHA-1-based Signature in TLS/SSL Server X.509 Certificate
Weak Cryptographic Key
Thank you
Forum Discussion
youssef1
Cumulonimbus
CumulonimbusHi ismael,
The previously used Secure Hash Algorithmus SHA-1 is not regarded as totally secure anymore. Google and Microsoft decided to reject SSL certificates using SHA-1 in the future and to denote them in their browsers as „not secure".
You have to renew your actual cert with SHA256:
https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know
- Read the recent announcement from Google to understand how the changes will be introduced. Within months, certificates that expire after 2016 will be affected. Relatively soon thereafter, further changes will be introduced that will impact the certificates that expire during 2016.
- Ensure new certificate and their chains use SHA256; this is critical—if your new certificates are not guaranteed to be SHA256 then all your other efforts will be pointless. If you get this right, all SHA1 certificates that expire by the end of 2015 will be guaranteed to be ready for 2016 without further effort. It’s also necessary to check that the entire certificate chain is free of SHA1. It’s not common, but there are cases where the leaf uses SHA256 but one of the intermediates uses SHA1. Don’t worry if the root certificate uses SHA1; signatures on roots are not used (and Chrome won’t warn about them).
Let me now if you need more details