A couple of months ago there was quite a bit of press about Google and Mozilla becoming more aggressive about how they handle x509 (SSL/TLS) certificates that have SHA-1 based signatures. The background for this is linked in the references section at the end of this post. In short, the SHA-1 cryptographic hash algorithm is considered too weak to be safely used as part of the public web PKI.
The impact for site operators and network security teams is that over the next two years browser users will begin to see warnings that indicate that a site is secure but with errors when it uses a SHA-1 certificate that expires after January 1, 2016. Sites will be flagged as insecure if the SHA-1 certificate expires after January 1, 2017. This is something that requires action now as certificates are generally bought or generated with at least a one year life but in many cases organizations are using 2, 3, or 5 year certificates.
To assist with detecting SHA-1 and MD5 signed certificates I committed a patch to Nmap that changes the output of ‘ssl-cert.nse‘ so as to include the signature algorithm that was used to sign the target service’s x509 certificate. To reduce user confusion I purposely did not place the Signature Algorithm output near the MD5 and SHA-1 certificate hashes in the script output. Those hash values are ‘fingerprints’, or for Microsoft products ‘thumbprints’, which are generated by ssl-cert.nse or other client software and are not part of the certificate itself.
Here is some sample output of running the updated script against services using RSA and ECDSA certificates with SHA256 and SHA384 signatures. The newly added data is the ‘Signature Algorithm’ field.
nmap --script=ssl-cert.nse -p 443 www.cloudflare.com PORT STATE SERVICE REASON 443/tcp open https syn-ack ttl 54 | ssl-cert: Subject: commonName=www.cloudflare.com/organizationName=CloudFlare, Inc./stateOrProvinceName=California/countryName=US/188.8.131.52.4.1.3184.108.40.206.2=Delaware/businessCategory=Private Organization/serialNumber=4710875/organizationalUnitName=Internet Security and Acceleration/220.127.116.11.4.1.318.104.22.168.3=US/streetAddress=665 3rd St./localityName=San Francisco | Issuer: commonName=GlobalSign Extended Validation CA - SHA256 - G2/organizationName=GlobalSign nv-sa/countryName=BE | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2014-04-10T19:47:02 | Not valid after: 2015-01-05T13:37:49 | MD5: 5f65 2c25 b737 73ad 4ce0 6d18 8973 89c7 | SHA-1: c430 e21b 8cff 8590 cada af93 62d0 9a8b fb94 9c4f
nmap --script=ssl-cert.nse -p 443 somehostwithECDSA PORT STATE SERVICE REASON 443/tcp open https syn-ack ttl 118 | ssl-cert: Subject: commonName=somehostwithecdsa.myorg.com/organizationalUnitName=Persona Not Verified | Issuer: commonName=Entrust ECC Demonstration CA/organizationName=Entrust, Inc./countryName=US/organizationalUnitName=For Test Purposes Only | Public Key type: ec | Public Key bits: 256 | Signature Algorithm: ecdsa-with-SHA384 | Not valid before: 2014-08-13T19:53:53 | Not valid after: 2014-10-12T20:23:53 | MD5: 81f1 4516 a138 a481 dbc0 19a9 0516 8224 | SHA-1: 3196 25df 15b3 9ec2 7232 44a4 80d8 53cf e3f9 a12f
The naming for signature algorithms using when used with RSA keys is prefixed with the cryptographic hash used in the signing process. The most common signatures using RSA keys that you are likely to see are:
Naming for signature algorithms with when used with ECDSA keys is reversed with the cryptographic hash name on the end of the alorithm name:
Technically you could see a DSA certificate but I would be very surprised if you do given their limitations. I would expect the names for those to be:
The net result is that Nmap scans can be run against a network and grep (or the tool of your choice) can be used to search the output for SHA-1 and MD5 certificates.
Unfortunately, a version of Nmap with the changes has not been released yet and the code changes are such that you cannot just download and install the updated NSE script. Until a new version of Nmap is released you can download and build the version in SVN . If you do so, make sure that you have the OpenSSL development libraries installed. As a bonus, the SVN version will give you a ton of improvements that Daniel Miller ( @bonsaiviking ) and others have made to the SSL/TLS libraries and scripts. Some highlights are:
- ssl-poodle: new script to detect the CVE-2014-3566 (POODLE) vulnerability by Daniel Miller
- ssl-ccs-injection: new script to detect the CVE-2014-0224 (ChangeCipherSpec) vulnerability by Claudiu Perta
- ssl-enum-ciphers: now has better scoring for ciphersuites, a check for low quality DH parameters, and shows server ciphersuite preference order if the server is configured to use its own preference
- Improved the Nmap sslcert.lua library by adding support for STARTTLS against LDAP, IMAP, and POP3
- Improved the Nmap sslcert.lua library by correcting issues that prevented successful negotiation against certain SSL wrapped services that also had plaintext variants such as LDAP/S, IMAP/S, POP3/S, SMTP/S
– Tom Sellers
1. Qualys Security Labs SHA1 Deprecation: What You Need to Know
2. Microsoft SHA1 Deprecation Policy
3. Google Chrome/Chromium: Gradually sunsetting SHA-1
4. Mozilla Phasing Out Certificates with SHA-1 based Signature Algorithms
5. Obtaining Nmap from the Subversion (SVN) Repository
6. NSEDoc – sslcert.nse
Post Update History:
2014.12.18 – Add additional information about other SSL/TLS improvements the SVN version has over the published version of Nmap.
2015.06.01 – Add information about the release of Nmap 6.49BETA1 which contains the updates.