cPanel / Comodo Service SSL Certificate Fails PCI


Jan 2, 2017
My 'manage service ssl certificate' was recently replaced with the cPanel / Comodo free one year certificate.
My PCI scan vendor just ran a scan on the server and all the services that the ssl certificate covers have failed the scan.
Here are the results of the fail:

Category: General
CVE: CVE-2004-2761
BID: 33065, 11849
Other references: { cert : 836068, cwe : 310 }
CVSS base score: 5.0
Description: SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)
Threat: -
Impact: The remote service uses a known CA certificate in the SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g., MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing the attacker to masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Solution: Contact the Certificate Authority to have the certificate reissued.
PCI compliant: No
PCI details: -
Reason: A known CA SSL certificate in the certificate chain has been signed using a weak hashing algorithm.
PCI details: medium
Port: 993 / tcp / imap
Host name: -
Host OS: -

The following known CA certificates were part of the certificate
chain sent by the remote host, but contain hashes that are considered
to be weak.

|-Subject : C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From : May 30 10:48:38 2000 GMT
|-Valid To : May 30 10:48:38 2020 GMT

I guess I am surprised that a certificate that is this recent would not have addressed the vulnerability in the CA chain.
Anyone else have this problem?


Nov 14, 2017