Wednesday, November 25, 2015

SSL certificate hash transition from SHA1 to SHA2. ORA-28857

Abstract

The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005. As part of their SHA-2 migration plan, Google, Microsoft and Mozilla have announced that they will stop trusting SHA-1 SSL certificates. Google will begin phasing out trust in SHA-1 certificates by the end of 2014, while Microsoft and Mozilla will begin phasing out trust for SHA-1 certificates in 2016.

Problem(s)

If you are using Google Chrome - some https websites or services using SHA1 will not be opened and you will likely get an error displayed in article image. Another situation that you may bump into is Oracle Wallet. Looks like Oracle up to 11.2.0.2 doesn’t support SHA-2 based certificates. If you have a 10.x wallet and website changed its certificate to SHA2 - you will not be able to import it - you will get an error "some trusted certificates could not be installed". See image attached.
Also when connecting to such a site using UTL_HTTP.REQUEST you will end up with an ORA error: "Request Failed: ORA-28857: Unknown SSL error".

Suggestions

Upgrade Java, Tomcat and Oracle.

Dates to remember

November 2014 - SHA-1 SSL Certificates expiring any time in 2017 will show a warning in Chrome 39.
December 2014 - SHA-1 SSL Certificates expiring after May 31, 2016 will show a warning in Chrome 40.
January 2015 - SHA-1 SSL Certificates expiring any time in 2016 will show a warning in Chrome 41.
January 1, 2016 - Microsoft ceases to trust Code Signing Certificates that use SHA-1.
January 1, 2017 - Mozilla Firefox and Microsoft ceases to trust SSL Certificates that use SHA-1.

Services currently supporting SHA2

Apache server 2.0.63+ with OpenSSL 0.9.8o+
Java based servers using Java 1.4.2+
OpenSSL based servers using OpenSSL 0.9.8o+
Oracle Wallet Manager 11.2.0.1+
Oracle Weblogic 10.3.1+