x509-cert-insecure-signing-algorithm¶
x509 certificate uses a weak cryptographic algorithm
The X.509 certificate Signature Algorithm
attribute is using a cryptographic algorithm which is considered insecure and deprecated. Boost currently considers the following algorithms to be insecure: MD2, MD4, MD5, SHA-1, SHA-224, RIPE-MD160, SM3 and MDC2.
It is recommended to use one of the following signature algorithms:
sha256WithRSAEncryption
sha512WithRSAEncryption
ecdsa-with-SHA256
ecdsa-with-SHA512
For instance, if you'd like to generate a self-signed certificate for development purposes that is signed with SHA256, you could use the following OpenSSL command:
openssl req \
-x509 \
-nodes \
-sha256 \
-days 365 \
-newkey rsa:2048 \
-outform DER \
-keyout example.com.private.key \
-out example.com.der
Insecure Example
Sample output for a certificate stored in certificate.pem
(encoded as OpenSSL's PEM format):
openssl x509 -in certificate.pem -inform PEM -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=CA, ST=Canada, L=Montreal, O=Example Inc. Fast., CN=ca.example.com emailAddress=ca@example.com
Validity
Not Before: Jul 27 13:34:31 2002 GMT
Not After : Jul 26 13:34:31 2004 GMT
Issuer: C=CA, ST=Canada, L=Montreal, O=Example Inc. Fast., CN=server.example.com emailAddress=server@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:e4:e6:c1:f4:b9:59:6f:c6:81:c6:5f:cb:4b:4b:
b5:68:3c:2d:cf:bf:c6:5f:38:bb:e4:f2:16:0b:fa:
dc:ec:41:95:f6:c7:77:78:c8:a2:06:e7:4b:21:6c:
77:2f:48:97:d6:ee:df:4e:f1:4f:6a:43:bf:01:99:
2a:04:54:39:d9:68:0f:21:61:c4:5c:6b:67:49:77:
e0:85:80:75:ba:77:06:fd:b6:a7:c3:b8:06:0b:ac:
13:d3:00:eb:dc:18:ae:09:9d:fc:2e:43:28:b8:1c:
da:cb:3b:e3:2d:e0:60:8a:de:f3:24:92:81:0a:16:
8b:9f:aa:9a:1b:09:0c:3c:2f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Signature Algorithm: md5WithRSAEncryption
39:ef:00:3c:1b:2f:cd:c1:6e:3c:da:6a:b4:7b:d1:a9:46:b6:
f1:20:7b:fe:77:4b:f6:0e:bc:41:0d:63:1d:d1:f6:f9:37:83:
cf:93:d3:ec:3a:e2:5b:7e:70:7a:de:6f:7a:fb:ee:59:d7:e8:
f0:d3:ea:81:f1:09:00:a4:e7:c2:ec:3c:8d:7c:19:85:47:6a:
76:63:c7:ce:68:95:79:dd:c7:2a:39:5f:df:0c:51:2d:22:29:
93:c4:ed:90:1b:54:cf:27:10:7c:7c:bf:4a:32:18:9f:2e:02:
8a:cb:6f:c9:69:b3:e1:ef:e3:0d:98:1e:a3:22:80:54:84:05:
15:ff
Secure Example
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:cc:6b:17:6a:5e:8d:97:3e:74:db:eb:cf:dd:71:b0:80:46
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R3
Validity
Not Before: Dec 16 15:00:28 2020 GMT
Not After : Mar 16 15:00:28 2021 GMT
Subject: CN=helloworld.letsencrypt.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cb:eb:31:21:df:88:8f:cf:e3:88:ef:6a:e5:d9:
3f:e7:3e:40:b1:32:83:b4:7b:8c:80:9f:98:7e:76:
7f:56:7b:bb:94:49:72:2f:35:60:05:44:3e:c4:1d:
cf:f4:a4:98:70:e0:35:12:f2:5f:09:b7:59:e1:4b:
d9:e3:75:36:21:60:62:49:68:f2:7a:40:67:d1:f9:
72:2a:bc:73:ef:3b:12:c3:7e:a4:c3:11:9d:3a:bc:
15:ae:10:8e:fa:23:96:8d:f5:7e:44:aa:f5:27:a7:
aa:f8:93:d4:05:4d:60:b6:76:a4:0d:9c:35:9c:ef:
15:5e:8d:27:fc:8c:d0:32:0b:9d:8a:52:56:e8:1b:
99:dc:48:59:00:f4:4d:69:5c:f3:e8:ae:15:7b:86:
74:76:5b:b5:0b:25:7f:0c:80:a5:ad:64:e3:74:40:
5b:39:0a:9b:c3:9b:53:89:8e:cc:37:88:3d:86:16:
1f:12:c5:51:46:68:97:62:aa:c4:68:b0:63:7a:ef:
dc:20:25:ab:3d:e3:56:96:49:3e:d5:ed:99:d4:7c:
ce:f7:25:b1:3d:d6:2e:93:1d:fd:9d:24:71:1e:ad:
0c:29:a2:22:e2:5c:39:98:70:3d:b3:66:7a:f4:5f:
39:b6:e7:34:4e:4e:57:d7:d2:9b:00:df:19:a6:c8:
61:f3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
(.... truncated)
Signature Algorithm: sha256WithRSAEncryption
2f:b8:b5:1e:60:ad:a0:8c:e5:4d:2d:95:ca:f5:52:cf:29:e3:
28:40:e8:1c:82:50:47:d0:be:5e:f6:36:c4:ef:e9:78:d7:a5:
cb:6b:9f:85:d3:2d:32:8d:1a:9e:bd:79:79:5b:b3:b7:15:12:
66:ca:5d:fe:e2:da:8c:e8:5c:cf:2f:d7:a4:f3:38:71:5a:91:
3f:2e:91:fc:a1:b7:f7:e7:35:6a:3e:30:6b:b9:02:08:71:b7:
91:c5:21:32:f9:33:22:92:8f:ee:a7:6f:3d:9b:5b:9b:64:6e:
bc:8d:05:79:15:41:00:3f:4d:19:69:59:ad:a4:4d:c0:85:9d:
f4:f8:df:2d:7d:c4:ff:de:c7:64:3a:0c:06:11:39:44:c7:4e:
2b:50:fe:74:2c:e5:b4:fd:2e:01:85:ca:2f:f0:58:cf:b6:87:
95:d9:cb:33:2a:81:ab:89:38:7c:f2:3a:88:2e:34:0d:fa:ce:
d7:0d:06:dd:8a:f0:66:40:9f:60:d3:61:91:10:50:13:7c:81:
fa:27:39:8d:43:51:4c:a6:4c:93:4c:fe:ff:8d:64:a1:d1:93:
e4:9d:58:fa:a9:a3:e9:e1:17:34:da:70:05:3a:67:0f:c8:1c:
22:5c:42:c0:33:ef:d7:cb:e1:4d:f4:c4:05:dd:58:e9:28:76:
4a:13:93:19