Signature hash algorithm (e.g. SHA-1, SHA-256...) used in Apple Mail ?

Similar Messages

• Set Signature Algorithm to SHA-256 in CSR

  running 8.4(5) on ASA5550
  im trying to renew the certificate for webvpn, however we have a new requirement that  the signature  Algorithm should be SHA-256 but when i create the new RSA keys and enroll the trust-point to generate the CSR, i cant find where to change the signature Algorithm and it show
  "Signature Algorithm: SHA1 with RSA Encryption"
  any advice..

  You can't change that on the ASA .  Check with your CA the one who is signing the request for you .
  Moh.

• Is it possible to change the hash algorithm when I renew the Root CA

  My Root CA is installed on a Windows Server 2008. The Hash algorithm of Root CA in my environment is MD5. I would like to renew the Root CA and change the Hash algorithm to SHA1. Is it possible to change it?
  Regards,
  Terry | My Blog: http://terrytlslau.tls1.cc

  Hi,
  The hashing
  algorithm chosen during the setup of a Certificate Authority determines how the certificates that the CA issues are digitally signed. It is a one
  algorithm per CA scenario, so if your environment requires multiple algorithms for compatibility, then you will need multiple PKI hierarchies (one for each
  algorithm.) Prior to Windows 2008, you had to rebuild the CA and decommision the entire PKI hierarchy to
  change the signing algorithm used. In Windows 2008 and 2008 R2, we allow you to
  change the algorithm and from that point forward it will digitally sign all new certificates with the updated
  algorithm.
  The
  Certificate
  Services Enhancements in Longhorn Server Whitepaper describing these steps can be found under the section
  Configuring the Cryptographic Algorithms used by the CA.
  Step 1: Verify the configuration of the CRL and AIA paths. Sometimes users will manually
  change these paths to not include the crl name suffix variable that distinguish multiple certificates on a CA. This is important because the process of changing the
  algorithm requires the renewal of the private key and results in administration of multiple CA certificates. When we publish multiple crt and crls, they will be identified as CAName and CAName(1.) You can verify these paths
  include the variables by checking the registry keys below:
  [HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CAname}
  CRLPublicationURLs = "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://FCCA01.fourthcoffee.com/certenroll/%%3%%8%%9.crl\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public
  Key Services,CN=Services,%%6%%10"
  CACertPublicationURLs = "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://FCCA01.fourthcoffee.com/certenroll/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"
  Step 2: Modify the CSP parameters to specify the new
  algorithm. The CSP may use the original CryptoAPI or Cryptography API:Next Generation - you can verify this by looking in the registry key
  HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{CAname}\CSP.
  If you have the regvalues
  CNGPublicKeyAlgorithm and CNGHashAlgorithm then your CSP is using Next Generation.
  Change the
  algorithm from MD5 to SHA1 and was using Cryptography API: Next Generation. The original registry value was:
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\{CAname}\CSP]
  "ProviderType"=dword:00000000
  "Provider"="Microsoft Software Key Storage Provider"
  "HashAlgorithm"=dword:00008003
  "CNGPublicKeyAlgorithm"="RSA"
  "CNGHashAlgorithm"="MD5"
  "MachineKeyset"=dword:00000001
  we changed it to
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\{CAname}\CSP]
  "ProviderType"=dword:00000000
  "Provider"="Microsoft Software Key Storage Provider"
  "HashAlgorithm"=dword:00008004
  "CNGPublicKeyAlgorithm"="RSA"
  "CNGHashAlgorithm"="SHA1"
  "MachineKeyset"=dword:00000001
  Step 3: Restart the CA service. You can do this in the CA MMC. Right Click on the
  CA and choose "Stop Service" and "Start Service".
  Step 4: Renew the CA certificate with new Private Key. Right click on the CA and
  choose "Renew CA certificate". Choose to renew the public and private key pair. On completion, this will result in the CA having two certificates. You will see that the old one has the MD5 for the Signature
  Hash Algorithm and that the new certificate uses SHA1.
  Hope this helps!
  Best Regards
  Elytis Cheng
  TechNet Subscriber Support
  If you are
  TechNet Subscription
  user and have any feedback on our support quality, please send your feedback
  here.
  Elytis Cheng
  TechNet Community Support

• How to enable SHA-2 hashing algorithm support on windows 7

  Hello All,
  Please suggest how to invalidate SHA-1 and MD5 algorithm on windows 7 and how to enable SHA-2.
  As suggested by Microsoft, regarding the availability of SHA-2 hashing algorithm, security update KB2949927 is installed on windows 7.
  Thank You

  Hi,
  Please check if you have installed the below mentioned update:
  http://support.microsoft.com/kb/2973337/en-us
  After installing this update, SHA512 is enabled for TLSv1.2.
  IE shall also be using TLS internally. Hope that should resolve your problem.
  Please refer to the below link for a similar discussion and its solution posted there:
  https://social.technet.microsoft.com/Forums/office/en-US/857c6804-8ce1-4f09-b657-00554055da16/tls-12-and-sha512?forum=winserversecurity
  (Please mark as answer if it resolves your issue. Please upvote if it is helpful.)
  Regards,
  Rajesh

• Which SHA hash algorithm is DS 5.1 using?

  i'm trying to find out whether DS 5.1 uses the SHA-1 (160 bit) or the SHA-256 (256bit). i'm using coldfusion to query the directory and in order to compare password given by the user with the one stored in the directory i should hash the given password. coldfusion (a library, it's not a default function) has two differnt hash algorithms SHA-1 and SHA-256, which one should i use?
  ioanna

  DS uses SHA-1 (160 bit). And I'm not sure what you are proposing will work. I think you need the salt to generate the hash. Why do you need to compare the password outside the directory? You might be able to use the LDAP compare operation.

• Do Mountain Lion and Safari 6.2.2 support SHA-256 Hash algorithms in HTTPS security certificates?

  I use SalesForce for my client CRM. I've just received a notice informing me that they are upgrading from SHA-1 hash to SHA-256 for increased HTTPS certificate security. Will my current OS X version (Mountain Lion) and Safari version (6.2.2) support this upgrade?

  NEVERMIND! SalesForce provided a test page and I was able to determine that both my Mac and Windows environments and browsers support the upgrade.

• Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2

  HI All,
  I am hearing the news that SHA-1 certificates will be soon phased out on Chrome and Microsoft platforms. I am Ok with replacing public certificates with SHA-2 certificates.
  But I see that our internal certificates are also issued with SHA-1 algorithm. And these SSL certificates are used in LAN to access internal sites. So Do I need to get internal certificates reissued with SHA-2(256)? If so what do I need to make the
  changes on CA server to use SHA-2 algorithm.
  Thanks in advance.
  Mahi

  On 9/20/2014 1:28 AM, "Paul Adare [MVP]" wrote:
  On Sat, 20 Sep 2014 06:24:23 +0000, mahi_tweak wrote:
  Could you please let me know w.r.t to phase out of SHA1, is it required to take action for Internal (private) CA servers as well?
  Currently no. All of the current SHA1 deprecation notices from Microsoft
  apply only to public root CAs that are part of the Microsoft Trusted Root
  program.
  You should start planning to migrate your internal CAs however. At some
  point in time I think you'll find that all SHA1 certificates will be
  deprecated.
  Paul - does IE have the logic built in to know when a cert has been issued by an internal CA so that it does not flag it as unsafe? The way I see it is this is all pointless to have legacy SHA1 in your environment if the browser cant distinguish one from
  the other.
  This depends somewhat on what version of IE you are using. I urge anyone who is stuck with an older version to modernize ASAP.
  I also recommend CA servers also be the latest version. Like Paul said, SHA-1 has been deprecated and the new SHA-2 is the new flavor of the week.
  Being cynical, seems that too many problems come from suspicious efforts to make the system secure in the first place.
  Please don't pay attention to anything Vegan Fanatic has to say on this topic as he is clearly out of his depth here and has no idea what he's talking about.
  IE does not itself do certificate validation, that is passed off the certificate chaining engine that is built into the Windows OS. When the date arrives that SHA1 SSL and code signing certificates issued by roots in the Microsoft Trusted Root program are
  no longer accepted arrives, determining whether the certificate being validated chains to an internal or an external root will be determined by the certificate chaining engine and not directly by IE.
  The last sentence above makes no sense at all, and SHA2 is not "the new flavour of the week".

• Hash & SHA-256

  Does java card 2.2.2 support SHA-256 hash algorithm? In thejava card api there is MessageDigest class and ALG_SHA property. Which algorithm does it really represents? SHA-1 or SHA-256?

  Hi,
  From MessageDigest in JC2.2.2:
  public static final byte ALG_SHA_256 = 4;Cheers,
  Shane

• What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH)

  Hi,
  I just want to know,
  What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH).
  if support already,
  how can i setting.
  plz.  help me!!! 

  The following blog states that SQL Server "leverages the SChannel layer (the SSL/TLS layer provided
  by Windows) for facilitating encryption.  Furthermore, SQL Server will completely rely upon SChannel to determine the best encryption cipher suite to use." meaning that the version of SQL Server you are running has no bearing on which
  encryption method is used to encrypt connections between SQL Server and clients.
  http://blogs.msdn.com/b/sql_protocols/archive/2007/06/30/ssl-cipher-suites-used-with-sql-server.aspx
  So the question then becomes which versions of Windows Server support TLS 1.2.  The following article indicates that Windows Server 2008 R2 and beyond support TLS 1.2.
  http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
  So if you are running SQL Server on Windows Server 2008 R2 or later you should be able to enable TLS 1.2 and install a TLS 1.2 certificate.  By following the instructions in the following article you should then be able to enable TLS 1.2 encryption
  for connections between SQL Server and your clients:
  http://support.microsoft.com/kb/316898
  I hope that helps.

• ADT error : SHA-256 digest algorithm not available

  Hello everyone!
  I'm trying to do a real test with my Adobe air projet (wich is working fine on ADL), but when i'm trying to compile it with ADT, I get this error, whatever I write..
  Exeption in thread "main" java.lang.RuntimeException: SHA-256 digest algorithm not available
                           at com.adobe.air.AIROutputStream.<init><AIROutputStream.java:37>
                           at come.adobe.air.AIRPackager.newUCFOutputStream<AIRPackager.java:383>
                           at come.adobe.ucf.Packager.<init><Packager.java:30>
                           at com.adobe.air.ADT.main<ADT.java:37>
  How can I fix this bug?
  Thanks

  Here is the command I am using to creat myself a new certificate :
  adt –certificate -cn SelfSigned 1024-RSA sampleCert.pfx samplePassword
  I get this error even if I only write "adt". It's very strange..
  Thanks for your help !

• Adobe reader x, and win7, sha-1 instead of sha-256

  Good afternoon,
  i have a problem similar to that posted at
  http://forums.adobe.com/message/3707345
  i try to sign the pdf (enable for signing with adobe livecycle ES, Right Managements)
  but it always is signed with hash algorithm SHA-1
  The hardware vendor of the smartcard, says that the problem is an adobe problem, because signing the file with its legacy software all works fine, and with its software the digest is SHA-256 (but the produced file is obviously not a signed pdf..)
  For italian law the supported digest is SHA-256, and NOT SHA-1
  I'm using the latest adobe reader version (10.1) and Win7
  P.S.: adobe livecycle, enabling the pdf for signing with livecycle Right Management Service, put a sign with an adobe certificate and returns a pdf ready to be signed, and in this pdf the adobe sign is SHA-1
  could be this the problem?
  So, before signing the pdf it just contains an adobe SHA-1 sign (coming from livecycle web service)
  With regards

  Hi GP,
  It's the smart card (or more correctly the software on the smart card) that is the bottleneck to getting to SHA-256. Here's what happens:
  NOTE: When I say Acrobat I really mean both Acrobat and Reader
  •    The user initiates the signing operation
  •    Acrobat asks the user to pick a digital ID
  •    The user select a digital ID from the drop-down list on the Sign Document dialog and then clicks the Sign button
  •    Acrobat needs to write the file to disk for security purposes (another issue) and puts up the Save As dialog
  •    The user selects a file name and save location and Acrobat writes the file to disk and it's at this time two things happen:
      o    The signature appearance is created so it can be part of the signed data (what you see in the signature field is not the signature, but rather a pictorial representation of the signature)
      o    A hole is created in the file and filled with zeros as a place holder where the actual signature will be written
  •    Acrobat computes the digest over the file, excluding the hole filled with zeros. By default Acrobat is using the SHA-256digest method
  •    Acrobat needs to get the digest encrypted (signed) by the private key associated with the signers digital ID
      o    If Acrobat has access to the private key it calls on the RSA library to do the encryption,
      o    If Acrobat doesn't have access to the private key it sends the SHA-256 digest to the software that does have access to the private key... In your case that's the cryptographic software residing on the smart card
  •    It's up to the cryptographic software to feed the 32 byte SHA-256 digest into its encryption algorithm and have the private key encrypt the digest
  •    The software on the smart card cannot handle a digest as large as 32-bytes, so it returns an error
  •    In Acrobat 9.0.0 and earlier once the error message was returned the signing process was aborted and signature did not get created. Starting with version 9.1 if a PKCS#11 (the specification for smart cards) error is returned  Acrobat falls back to re-computing the digest using SHA-1 and starts the process again. It's here where the smart card software is getting the 20-byte SHA-1 digest and can get it encrypted using the private key.
  •    Once the encrypted SHA-1 digest (this is really the digital signature) is computed the smart card sends it back to Acrobat
  •    Acrobat in turn writes the signature into the hole it created in the PDF file, overwriting the zeros with actual hex values.
  And that’s how you get a digital signature based on the SHA-1 digest method. If you absolutely need to use SHA-256 your only option is to get a newer smart card that can handle the larger digest.
  Steve

• ACE20 and hashing algorithm

  I have a secure website behind an Cisco ACE20 using A2(3.2). Everything is working great. Only that now I need to renew my certificate. When creating the CSR and sending it to my CA I get this warning:
  "Alert: Your CSR has been signed using the MD5 hashing algorithm. While the MD5 hashing algorithm is not optimal it will not prevent you from using this CSR to enroll for your SSL certificate. VeriSign best practices recommend that you use a different hashing algorithm for the signature. CSR Information"
  Anybody know if it is possible to use SHA instead of MD5 or what can I do in this case?

  I dont think you can chnage the signing method for CSRs on the ACE directly. But i would use something like OpenSSL to generate the CSR for SHA.
  http://gnuwin32.sourceforge.net/packages/openssl.htm
  openssl req -out c:\CSR.csr -new -newkey rsa:2048 -nodes -keyout c:\privateKey.key -sha1
  The above will load a wizard format questionare for your CSR parameters similar to the ACE.
  You can then upload your key, and cert when you get it to the ACE afterwards.
  ==========================
  http://www.rConfig.com 
  A free, open source network device configuration management tool, customizable to your needs!
  - Always vote on an answer if you found it helpful

• HTTPS SSL Certificate Signed using Weak Hashing Algorithm

  I am support one client for,  whom falls under Security  scans mandatory for new implementation of ASA 5520 device .  The client uses Nessus Scan and  the test results are attached
  The Nessus scanner hit on 1 Medium vulnerabilities, Could you pls review the statement and provide work around for the same.
  Nessus Scanner reports
  Medium Severity Vulnerability
  Port : https (443/tcp)
  Issue:
  SSL Certificate Signed using Weak Hashing  Algorithm
  Synopsis :
  The SSL certificate has been signed using  a weak hash algorithm.
  Description :
  The remote service uses an  SSL certificate that has been signed using
  a cryptographically weak hashing  algorithm - MD2, MD4, or MD5. These
  signature algorithms are known to be  vulnerable to collision attacks.
  In theory, a determined attacker may be  able to leverage this weakness
  to generate another certificate with the same  digital signature, which
  could allow him to masquerade as the affected  service.
  See also :
  http://tools.ietf.org/html/rfc3279
  http://www.phreedom.org/research/rogue-ca/
  http://www.microsoft.com/technet/security/advisory/961509.mspx
  http://www.kb.cert.org/vuls/id/836068
  Solution :
  Contact the Certificate Authority to have the certificate  reissued.
  Plugin Output :
  Here is the service's SSL certificate  :
  Subject Name:
  Common Name: xxxxxxxxxx
  Issuer Name:
  Common Name: xxxxxxxxxx
  Serial Number: D8 2E 56 4E
  Version: 3
  Signature Algorithm: MD5 With RSA  Encryption
  Not Valid Before: Aug 25 11:15:36 2011 GMT
  Not Valid After:  Aug 22 11:15:36 2021 GMT
  Public Key Info:
  Algorithm: RSA  Encryption
  Public Key: 00 AA AB 57 9C 74 FF E9 FB 68 E1 BF 69 90 8E D2 65 7F  DF 40
  D6 F6 29 E7 35 5E 16 FB 76 AA 03 3F 47 07 5A D0 6D 07 E0 EC
  06 7E  D4 9A 43 C6 B3 A6 93 B7 76 CC 58 31 25 36 98 04 30 E6
  77 56 D7 C3 EE EF 7A  79 21 5E A0 78 9B F6 1B C5 E6 2A 10 B5
  CB 90 3D 6D 7C A0 8D B1 B8 76 61 7F  E2 D1 00 45 E2 A1 C7 9F
  57 00 37 60 27 E1 56 2A 83 F5 0E 48 36 CC 61 85 59  54 0C CB
  78 82 FB 50 17 CB 7D CD 15
  Exponent: 01 00 01
  Signature: 00 24 51 24 25 47 62 30 73 95 37 C4 71 7E BD E4 95 68 76 35
  2E AF 2B 4A 23 EE 15 AF E9 09 93 3F 02 BB F8 45 00 A1 12 A9
  F7 5A 0C E8  4D DB AE 92 70 E4 4C 24 10 58 6B A9 87 E1 F0 12
  AE 12 18 E8 AB DF B9 02 F7  DA BE 3C 45 02 C4 1E 81 44 C2 74
  25 A2 81 E7 D6 38 ED B9 66 4C 4A 17 AC E3  05 1A 01 14 88 23
  E8 9F 3B 5C C5 B8 13 97 27 17 C3 02 5F 6E 7C DB 4C D3 65  B5
  C5 FC 94 62 59 04 E7 7E FB
  CVE :
  CVE-2004-2761
  BID :
  BID 11849
  BID  33065
  Other References :
  OSVDB:45106
  OSVDB:45108
  OSVDB:45127
  CWE:310
  Nessus Plugin ID  :
  35291
  VulnDB ID:
  69469
  and try with configure the ssl encryption method with " ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5" but it throws the same issue.
  Here is ASA log
  7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
  7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
  7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
  7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
  7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
  7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
  7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
  7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
  7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxx/2586
  6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2586
  6|Oct 19 2011 01:59:34|725007: SSL session with client production:xxxxxxxx/2586 terminated.
  6|Oct 19 2011 01:59:34|302014: Teardown TCP connection 3201 for production:xxxxxxx/2586 to identity:xxxxxx/443 duration 0:00:00 bytes 758 TCP Reset-I
  6|Oct 19 2011 01:59:34|302013: Built inbound TCP connection 3202 for production:xxxxxxxxxxx/2587 (xxxxxxxxx/2587) to identity:xxxxxx/443 (xxxxxxx/443)
  6|Oct 19 2011 01:59:34|725001: Starting SSL handshake with client production:xxxxxxxxxxx/2587 for TLSv1 session.
  7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
  7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
  7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
  7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
  7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
  7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
  7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
  7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
  7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
  7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxxxx/2587
  6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2587
  H

  Hi Ramkumar,
  The report is complaining that the Certificate Authority who signed the ID certificate presented by the ASA used a weak hashing algorithm. First, you need to determine who signed the certificate.
  If the certificate is self-signed by the ASA, you can generate a new certificate and use SHA1 as the hashing algorithm. To do this, the ASA needs to be running a software version that is at least 8.2(4) (8.3 and 8.4 software also support SHA1).
  If the certificate is signed by an external CA, you need to contact them and ask them to sign a new certificate for you using SHA instead of MD5.
  The links you posted have more information on this as well. Hope that helps.
  -Mike

• OID And Java Hash Algorithm Output Differences?

  Hi,
  Can anyone tell me why I am not able to recreate the OID ldap password hash algorithm? Or can anyone tell me why I get these subtle differences between my Java created message digest and the one that is read directly from the oracle ldap hint password field? They are both based on the same original word "test".
  OID Hint Password from ldap ==> {SHA}zrFqbho8VPUOnVvtyUb4c+RWF+k=
  Hash created based on input ==> {SHA}zrFqbho8VPUOP1vtyUb4c+RWF+k=
  Here is a little background. I am working on developing a custom forgot password feature for my web site using OID 10g R2 and Java. I am able to retrieve the oracle hint password from OID using Java JNDI as the orcladmin. This ldap password is a SHA message digest, or hash, that is base 64 encoded. Since it is a one way algorithm I can not decrypt. So instead I take the clear text password string provided by the user and create a message digest(SHA) and then encode in base 64 using Java 1.4.2 like so;
  MessageDigest md = MessageDigest.getInstance("SHA");
  md.update(clearTextPassword.getBytes());
  String userSuppliedPassword = new String(md.digest());
  BASE64Encoder base64encoder = new BASE64Encoder();
  String output = "{SHA}" + base64encoder.encode(userSuppliedPassword.getBytes());
  By the way, I have been able to work around this issue by performing the compare using JNDI search but was curious why this was happening. Thanks!

  Hi
  I am having similar issue. I have to save passwords in encrypted form to LDAP. But not working. I am prepending the encrypted password {SHA} so OID should not convert further.
  Any help is appreciated
  Thanks

• Digital Signature Certificate algorithm

  Hi Friends
  Please clarify below points as we are planning to use SHA 256 algorithm with digital certificate while signing using SECULIB libraray.
  1) Does SAP support SHA 256 algorithm , if yes doesnt any additional library files are required.
  2) Does SAP support SHA 256 algorithm differently from ECC6
  Thanks
  Lavanya

  Please check the below notes:
  [Note 455033 - SAPCRYPTOLIB versions, bugs and fixes|https://service.sap.com/sap/support/notes/455033]
  [Note 991968 - Value list for login/password_hash_algorithm|https://service.sap.com/sap/support/notes/991968]
  Following Algorithms are provided by SAPCryptolib
  1. Under HASH Algorithms:
  RSA-MD2          OID 1.2.840.113549.2.2, NULL parameter
  RSA-MD4          OID 1.2.840.113549.2.4, NULL parameter
  RSA-MD5          OID 1.2.840.113549.2.5, NULL parameter
  NIST-SHA     OID 1.3.14.3.2.18, NULL parameter
  SHA-1          OID 1.3.14.3.2.26, NULL parameter
  md2          Same algorithm as RSA-MD2
  md4          Same algorithm as RSA-MD4
  md5          Same algorithm as RSA-MD5
  RIPEMD-160     OID 1.3.36.3.2.1, NULL parameter
  ripemd160     Same algorithm as RIPEMD-160
  sha          Same algorithm as NIST-SHA
  sha1          Same algorithm as SHA-1
  For more details on which algo.s are supported and provided by SAPCryptolib, please check the following links:
  http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/e186c590-0201-0010-af8d-a2697dee13c0
  [Secure System Management FAQ|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/a0b60eb4-a1fa-2b10-58b6-b83ed4d3ff82]
  Regards,
  Dipanjan