Does CSS support SHA2(256) certificates

ahmed.gadi
Level 1

Hello,

Does anyone know if the Cisco CSS 11503 supports SHA2(256) certificates? I see that private key generation defaults to SHA1 and does not provide any option, and the cipher suites in the SSL-Proxy list do not show SHA2 options. Can it handle SHA2 in any software release? I am currently running sg0810602.

I have gone through this link for the ACE service module:

https://supportforums.cisco.com/discussion/10982796/does-ace-service-module-support-sha2256-certificates

Thanks & Regards

Ahmed...

Accepted Solution

Kanwaljeet Singh
Cisco Employee

Hi Ahmed,

SHA2 is not supported in CSS as an option in cipher suite or for verification of certificates signed by SHA2.

Regards,

Kanwal

Note: Please mark answers if they are helpful.


10 Replies


Many thanks...

Actually I have a customer who has CSS installed with the following proxy-list:

  ssl-server 21 cipher rsa-with-rc4-128-md5 X.X.X.X
  ssl-server 21 cipher rsa-with-rc4-128-sha X.X.X.X

He got an email from Symantec about the new release of Google Chrome.

Do you think users will get a degraded indicator in the newer Chrome, as mentioned below?

We have ciphers for MD5 as well as SHA.

Important Service Announcement

We would like to inform you of Google's intent to phase out support for certificates using a SHA-1 hashing algorithm via degraded visual indicators and warnings in the Chrome™ browser. These changes are expected to take effect in the production version of Chrome version 39 in November 2014. You can find more information regarding the proposed plan on Google's blog.

As a proactive measure, in order to help ensure that Chrome 39 users visiting your websites do not encounter any UI degraded indicators, Symantec recommends the following:

1. Identify certificates that have a SHA-1 algorithm using the SSL Toolbox.

2. Replace any SHA-1 certificates that expire beyond December 31, 2015, with SHA-2 certificates at no additional cost. For more information, please refer to Knowledge Center SO7146.

Please note that SHA-1 root certificates are not affected by this plan.

Here are some additional resources for your reference:

Symantec SHA-1 information page

Symantec Community Forum: Website Security Solutions

Upcoming Webcast: Get Answers to Your Questions on Google SHA-1 Deprecation Plans

It depends on what weight is associated with those ciphers:

  ssl-server 21 cipher rsa-with-rc4-128-md5 X.X.X.X
  ssl-server 21 cipher rsa-with-rc4-128-sha X.X.X.X

If they have the same weight, then a client that chooses to do SHA would get that degraded notice on Chrome. You can change the weight of the MD5 cipher so that it is always used. The higher the weight, the higher the preference.

Regards,
Devendra

:: Please rate helpful posts and mark / endorse answers ::

Thanks for your suggestion.

Dear Devendra,

Is it possible to remove SHA for this ssl-server?

If I keep MD5, will all browsers accept it, or will they see an issue?

The syntax for this command is:

ssl-server number cipher name ip_address or hostname port {weight number}

weight number - Optional parameter. Assigns a priority to the cipher suite, with 10 being the highest weight. By default, all configured cipher suites have a weight of 1. When negotiating which cipher suite to use, the SSL module selects from the client list based on the cipher suite configured with the highest weight. A higher weight will bias towards the specified cipher suite. To set the weight for a cipher suite, enter a number from 1 to 10. The default is 1.

Please confirm the syntax as well.

Hi Ahmed,

Yes, you can remove it. During the handshake the client comes up with a list of cipher suites it supports, and the first one in the list is usually its preferred one. But here it would be the server's cipher preference which the client will accept, since we don't have a list here. And yes, if the client doesn't support what the CSS has to offer, then the SSL handshake will fail.

And the syntax looks right.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
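To make the weight semantics from the quoted command syntax and Kanwal's handshake description concrete, here is an added simulation (not code from the thread or from Cisco) of how a CSS proxy-list with per-suite weights picks a cipher from a client's offered list, including the no-overlap case where the handshake fails. The parser, the sample addresses and the rule that a tie on equal weight falls to the client's own order are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CipherEntry:
    name: str
    weight: int = 1  # CSS default weight is 1; 10 is the highest

def parse_proxy_list(lines):
    """Parse 'ssl-server N cipher NAME IP PORT [weight W]' lines (hypothetical parser)."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "ssl-server" or tokens[2] != "cipher":
            continue  # not a cipher line of the proxy-list
        weight = 1
        if "weight" in tokens:
            weight = int(tokens[tokens.index("weight") + 1])
            if not 1 <= weight <= 10:
                raise ValueError(f"weight must be 1-10, got {weight}")
        entries.append(CipherEntry(tokens[3], weight))
    return entries

def select_cipher(client_offer, server_entries):
    """Return the suite the CSS would pick, or None when nothing overlaps
    (the handshake then fails, as Kanwal notes)."""
    candidates = [e for e in server_entries if e.name in client_offer]
    if not candidates:
        return None
    # Highest weight wins; on equal weight assume the client's order decides.
    return min(candidates, key=lambda e: (-e.weight, client_offer.index(e.name))).name

# Constructed sample config: the two suites from the thread at the default weight.
EQUAL_WEIGHT = parse_proxy_list([
    "ssl-server 21 cipher rsa-with-rc4-128-md5 192.0.2.10 443",
    "ssl-server 21 cipher rsa-with-rc4-128-sha 192.0.2.10 443",
])
# The same list with the MD5 suite weighted 10, as Devendra suggests.
MD5_PREFERRED = parse_proxy_list([
    "ssl-server 21 cipher rsa-with-rc4-128-md5 192.0.2.10 443 weight 10",
    "ssl-server 21 cipher rsa-with-rc4-128-sha 192.0.2.10 443",
])
# Constructed client hello: a browser offering the SHA suite first.
CLIENT_SHA_FIRST = ["rsa-with-rc4-128-sha", "rsa-with-rc4-128-md5"]

if __name__ == "__main__":
    print(select_cipher(CLIENT_SHA_FIRST, EQUAL_WEIGHT))   # rsa-with-rc4-128-sha
    print(select_cipher(CLIENT_SHA_FIRST, MD5_PREFERRED))  # rsa-with-rc4-128-md5
    print(select_cipher(["rsa-with-aes-256-sha"], MD5_PREFERRED))  # None
```

Weights only steer which cipher suite (and so which record MAC, MD5 or SHA) the CSS negotiates; they do not change the hash the CA used to sign the server certificate, which is what the Symantec notice above is about.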

Hi,

Can you confirm or deny that SHA2 certs will work in a CSS 11501 with OS 08.10.1.06? I am not able to determine the openssl version in the OS.

Hi,

SHA2 is not supported in CSS as an option in cipher suites or for verification of certificates signed with SHA2. This support is there in ACE and was introduced in the A4 version. Also, in ACE SHA2 is not available as an option in cipher suites, only for verification of certificates signed with SHA2.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

This helps us, thanks.
