So it’s been noted in a few places that 2017 is the year that SHA1 for HTTPS is doomed. Microsoft has deprecated SHA1 in Edge and Internet Explorer browsers and in February 2017 will be blocking them entirely. Google is doing the same thing with Chrome starting January 2017, as is Firefox.
Most sites today don’t use SHA1-based SSL certificates (which is good) and there are sites you can go to in order to easily check if your public web site is using one, such as shaaaaaaaaaaaaa.com, but what about internal services? You can’t really point an external web site to an internal resource.
There are a few sites out there that explain how to do it, but as I had to poke at a few things internally myself I figured it was worth sharing the simple script I wrote to check. Cut-n-paste the following into something like sha1checker.sh and run it. It will tell you if you’re using a SHA1-based certificate or, if not, tell you what is used (hopefully “sha256WithRSAEncryption”):
#!/bin/sh
site="${1}"
if [ -n "${2}" ]; then
port="${2}"
else
port="443"
fi
algo="$(openssl s_client -connect ${site}:${port} /dev/null | openssl x509 -text -in /dev/stdin | grep 'Signature Algorithm')"
if [ "${algo}" == "" ]; then
echo "Unable to load certificate! Invalid hostname (${site}) or port (${port})"
exit 1
fi
if [ "$(echo ${algo} | grep -q sha1; echo $?)" == "0" ]; then
echo "Vulnerable, using SHA1"
else
echo "Not vulnerable"
echo "${algo}"
fi
It’s easy enough to run:
$ sh sha1checker.sh annvix.com 443
Not vulnerable
Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption
Probably not perfect (it seems to wig out with the version of openssl provided with macOS unless you’re using a version supplied with Fink, but it works well on Linux). Now is probably a good time to check this stuff out before you end up locked out of some essential web services come January.