So it’s been noted in a few places that 2017 is the year that SHA1 for HTTPS is doomed. Microsoft has deprecated SHA1 in Edge and Internet Explorer browsers and in February 2017 will be blocking them entirely. Google is doing the same thing with Chrome starting January 2017, as is Firefox.

Most sites today don’t use SHA1-based SSL certificates (which is good) and there are sites you can go to in order to easily check if your public web site is using one, such as, but what about internal services? You can’t really point an external web site to an internal resource.

There are a few sites out there that explain how to do it, but as I had to poke at a few things internally myself I figured it was worth sharing the simple script I wrote to check. Cut-n-paste the following into something like and run it. It will tell you if you’re using a SHA1-based certificate or, if not, tell you what is used (hopefully “sha256WithRSAEncryption”):



if [ -n "${2}" ]; then

algo="$(openssl s_client -connect ${site}:${port} /dev/null | openssl x509 -text -in /dev/stdin | grep 'Signature Algorithm')"

if [ "${algo}" == "" ]; then
    echo "Unable to load certificate!  Invalid hostname (${site}) or port (${port})"
    exit 1

if [ "$(echo ${algo} | grep -q sha1; echo $?)" == "0" ]; then
    echo "Vulnerable, using SHA1"
    echo "Not vulnerable"
    echo "${algo}"

It’s easy enough to run:

$ sh 443
Not vulnerable
    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption

Probably not perfect (it seems to wig out with the version of openssl provided with macOS unless you’re using a version supplied with Fink, but it works well on Linux). Now is probably a good time to check this stuff out before you end up locked out of some essential web services come January.

Share on: TwitterLinkedIn

Related Posts





Stay in touch