SHA1 and SHA2

Christian Stredicke
CEO of Vodia Networks

Every year just before Christmas we need to update our certificate on the web site with a new one. Those who are running a web site know what I am talking about. We are using Godaddy; their service allows it to continue to use the CSR from last year which I find very convenient. Just click on "give me a new certificate" and copy and paste it into the certificate file, restart the HTTP daemon and move on with today's to-do list.

This year was different though.

I remembered that we have added support for the SHA-256 algorithm some time ago, and I though it would be a good time to give our web site an upgrade, too. So I copied the new certificate and tried out in Chrome; everything looking good.

However soon I got reports that license activation did not work any more. I had almost forgotten about the certificate thing already, when it dawned upon me that the two problems might be related. At the end of the day, the license server is using the same certificate and the same setup. A quick try with my own PBX showed that there is really a problem. The certificate did got get accepted. Panic started to set in!

Going back to Godaddy I saw the possibility to re-issue the certificate with SHA-1. Well a little bit less secure, but looking at the deadline at least a temporary solution. But when navigating to I panicked again, Chrome would not show that green lock because it is using just SHA-1.

Trying to get an overview on the magnitude of the problem I tried other sites as well. Google worked, Amazon worked, but some smaller web sites gave problems. The SHA-2 has was completely in the woods. Do we have a problem in the software? It would be a major problem as there are only a few days on the old certificate...

A couple of hours later I got desperate and moved to SHA-2 again. This time I also copied also the certificate chain over again, and now suddenly things started to work again. Stupid me! I had forgotten to include the chain.

Obviously I was not the only one out there.

On a second thought, why would it work then? Why would the browser give me a green light if the cert chain was not okay??? I can only guess. Probably I was not the only one missing the certificate chain in my attempt to keep the certificate up to date, there are possibly millions of sites around the world that had similar problems. It does not make things more insecure by taking the correct chain. Those well know issuers are probably embedded in the browser, and if you keep your browser up to date, you get those little patches as well.

But the PBX is not so smart. It just takes the chain as it is presented, and it could not link the pieces together. As more and more secure services are shutting off SHA-1 and insist on SHA-2 it is important that the PBX supports that. If your email notifications from the PBX stops working, it is probably because of that.