Obsolete Cipher Suite Message

tonyshowoff

@BRRABill said in Obsolete Cipher Suite Message:

I don't think it is an SHA issue.

Yes it is, especially because of how fast you can actually collide in SHA-1. Consider, though, MD5 support for certificates wasn't even broadly removed until about 17 years after it was first found to be weak, I think Google just wants to speed things up. Me personally, I think we should all use SHA-512 (a part of SHA-2), it's what I use for everything I can. 256 will do though

BRRABill

@tonyshowoff

Is HMAC-SHA1 the same as SHA1?

tonyshowoff

@BRRABill No, and it's more secure than SHA-1, so long as the key is safe. The SHA1 part of HMAC-SHA1 refers to how it's calculated.

BRRABill

@tonyshowoff said in Obsolete Cipher Suite Message:

@BRRABill No, and it's more secure than SHA-1, so long as the key is safe.

The reason I asked because https://www.microsoft.com (for example) is using HMAC-SHA1.

Hence why I said it isn't a SHA-1 issue causing this, at least on that site, and others.

Or am I mistaken there?

tonyshowoff

@BRRABill said in Obsolete Cipher Suite Message:

@tonyshowoff said in Obsolete Cipher Suite Message:

@BRRABill No, and it's more secure than SHA-1, so long as the key is safe.

The reason I asked because https://www.microsoft.com (for example) is using HMAC-SHA1.

Hence why I said it isn't a SHA-1 issue causing this, at least on that site, and others.

Or am I mistaken there?

In this case there really is no difference as confusing as that is, but I don't see SHA-1 there, instead SHA-2 (256)

BRRABill

@tonyshowoff said

In this case there really is no difference as confusing as that is, but I don't see SHA-1 there, instead SHA-2 (256)

This is what I am seeing...

tonyshowoff

@BRRABill said in Obsolete Cipher Suite Message:

@tonyshowoff said

In this case there really is no difference as confusing as that is, but I don't see SHA-1 there, instead SHA-2 (256)

This is what I am seeing...

That's SHA-2 (TLS 1.2 uses this), message authentication is a different aspect of it, in the simplest terms, it's to avoid corrupt messages.

BRRABill

So in my original post, what is Chrome having an issue with?

tonyshowoff

@BRRABill said in Obsolete Cipher Suite Message:

So in my original post, what is Chrome having an issue with?

In TLS 1.2 if it's not using the ECDHE with GCM it is obsolete according to Chrome. If the signature, however, uses SHA-1, Chrome I don't even think will just accept it without going red or whatever. I think that's where some confusion comes from, the cipher of the protocol itself versus the signature of the certificate.

BRRABill

So the net net here is that it is probably OK, but should be upgraded if possible?

tonyshowoff

@BRRABill Yes

BRRABill

Now THIS is the kind of chatter this thread deserved, LOL.