Ansys Products

Discuss installation & licensing of our Ansys Teaching and Research products.

SSL Certificate Signed Using Weak Hashing Algorithm

    • Koontzja
      Subscriber

      We run a network license server in our environment, and our security scans are yelling about "SSL Certificate signed using weak hashing algorithm". The recommended solution is "Contact the Certificate Authority to have the SSL certificate reissued". My question is, is this something I need to obtain from Ansys or something I need to generate on my end? I am happy to provide any additional details if they are needed.

       

      Thank you

    • Rajeshwari Jadhav
      Ansys Employee

      Hi Koontzja,

      Can you please tell me your Ansys product version? Also, can you provide more information to help me understand the issue better?

      • Koontzja
        Subscriber

        Running Ansys License Manager 2024 R1. Here is some more information from the ticket I received: "Vulnerability.Description Details

        The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.

        Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.

        Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.
        Vulnerability.Solution Type
        Contact the Certificate Authority to have the SSL certificate reissued.
        Vulnerability.Summary
        An SSL certificate in the certificate chain has been signed using a weak hash algorithm.
        Vulnerability.Detection (This is not the full certificate just a portion since it is being posted on a forum)
        The following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.
        Subject : O='ANSYS Inc'/C=US/ST=PA/L=Canonsburg/CN='ANSYS Licensing Authority Certificate'
        Signature Algorithm : SHA-1 With RSA Encryption
        Valid From : Oct 22 10:08:06 2008 GMT
        Valid To : Oct 10 10:08:06 2058 GMT
        Raw PEM certificate : -----BEGIN CERTIFICATE----- [...]"
         
        Essentially it's stating I need the SSL certificate that was initially issued, and reissued for the server. It looks like something that was generated on y'all's end, but please correct me if I am wrong. If I can provide any other information, please let me know.
         
        Thank you!
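
Added example, not part of the thread and not Ansys or Nessus code: a standard-library Python check that applies the rule quoted in the scan text (a signature OID built on a weak hash, plus expiry after January 1, 2017) to a DER-encoded certificate. The `sample` certificates are constructed skeletons that reuse only the validity dates shown in the post, and `tlv`, `oid`, `check`, `der` and `sample` are names chosen for this example.

```python
from datetime import datetime, timezone

# RSA signature OIDs built on the hashes the scan text calls weak (MD2, MD4, MD5, SHA-1).
WEAK = {f"1.2.840.113549.1.1.{n}": h + "WithRSAEncryption"
        for n, h in ((2, "md2"), (3, "md4"), (4, "md5"), (5, "sha1"))}
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)  # date quoted in the plugin note
SHA1_OID, SHA256_OID = bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a864886f70d01010b")

def tlv(buf, pos):  # read one DER element at pos; return (tag, value, next_pos)
    tag, n = buf[pos:pos + 2]  # unpacking raises ValueError if the header is cut off
    pos += 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def oid(v):  # OID content octets -> dotted string (first arc 0 or 1, as in WEAK)
    arcs, n = [v[0] // 40, v[0] % 40], 0
    for b in v[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def check(cert_der):  # weak signature hash AND notAfter later than the cutoff
    cert = tlv(cert_der, 0)[1]
    _, tbs, p = tlv(cert, 0)
    sig = oid(tlv(tlv(cert, p)[1], 0)[1])  # outer signatureAlgorithm OID
    q = 0
    for _ in range(4 if tbs[:1] == b"\xa0" else 3):  # skip [version], serial, signature, issuer
        q = tlv(tbs, q)[2]
    validity = tlv(tbs, q)[1]
    ttag, t, _ = tlv(validity, tlv(validity, 0)[2])  # second element is notAfter
    s = t.decode()
    if ttag == 0x17:  # UTCTime has a 2-digit year; RFC 5280 pivots at 50
        s = ("19" if s[:2] >= "50" else "20") + s
    not_after = datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return {"sig_oid": sig, "weak": WEAK.get(sig), "flagged": sig in WEAK and not_after > CUTOFF}

def der(tag, *parts):  # tiny encoder for the constructed samples (lengths < 256)
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def sample(sig_oid, not_after):  # constructed skeleton, not the real Ansys certificate
    alg = der(0x30, der(0x06, sig_oid), der(0x05))
    val = der(0x30, der(0x17, b"081022100806Z"), der(0x17 if len(not_after) == 13 else 0x18, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, der(0x30), val)
    return der(0x30, tbs, alg, der(0x03, bytes(129)))
```

For a PEM file, convert it with `ssl.PEM_cert_to_DER_cert` before calling `check`; a certificate that has been cut short, like the excerpt in the post, raises `ValueError` rather than producing a result.
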
    • George Ridge
      Subscriber

      Has there been any update to this question anywhere - asking as our security team has flagged up the same issue.
      Thanks

      • Koontzja
        Subscriber

        No update on this yet
