I'm working with a Windows desktop app written in C++ with MFC libraries to create web requests. The web requests are succeeding on over 90% of our customers' machines - from Windows XP through 10.

10% of our customers' machines are failing saying that SHA-1 is a weak signature algorithm and the app fails to connect.

I have no control over changing the SHA-1 certificate on the server to a more robust certificate and I have verified that when the app fails, it is because it is rejecting the certificate.

Is this an IE/Security/Network setting? I know that I can change my code to ignore the Invalid Certificate, but that would undermine the quality of security in my application. I don't want to do that.

Anyone have any suggestions for our customers on how they can change their internet settings or something else that we can do to make our app work?

Thanks in advance.

kmehta
  • This sucks! http://windowsitpro.com/security/your-organization-using-sha-1-ssl-certificates . You could consider replacing the normal PKI signature checking with a certificate pinning check. However, be aware that in the long term, the server is going to have to upgrade to SHA2 certificates or else there will be security consequences. – TheGreatContini Feb 16 '16 at 22:11
  • *I have no control over changing the SHA-1 certificate on the server to a more robust certificate and I have verified that when the app fails, it is because it is rejecting the certificate.* You need to **get** control. SHA-1 certificates are being deprecated: https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know If you do not replace the certificates with more secure ones, more and more of your customers are going to have problems connecting. Or you can try to convince your customers that your application requires them to compromise their security. – Andrew Henle Feb 17 '16 at 12:41
  • Thanks guys, this is much appreciated. This is what I believed/feared. I wanted to check with the SO community if there was ANY secure way around this before I break it to the client that upgrading the server is the only answer. – kmehta Feb 17 '16 at 14:25

1 Answer

We found the problem on select client machines. Some machines had an old certificate that was downloaded to their certificate store. The cert was likely downloaded in the past when the old, expired certificate was invalid. For some reason, those machines decide to use the downloaded certificate instead of the new one on the server with a valid expiration date. Deleting the old certificate fixed the problem.

Based on comments to my question, I have realized that SHA-1 will be officially deprecated by Google and Microsoft in Jan 2017. My understanding is that the server will need to be updated before that time in order for the certificate to be using a valid signature. Until then, we do see a warning that the server is using a weak signature (SHA-1), but it does not deny the request altogether.

HTH

kmehta
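
A way to look for the stale certificate this answer describes, as an added example that is not part of the original post: the script lists every certificate in the current-user and local-machine stores whose subject contains the server name, with its expiry and signature algorithm. `server.example.com` is a placeholder for the host the app connects to, and PowerShell 3.0 or later is assumed.

```powershell
# Added diagnostic example; not code from the original post.
# $ServerName is a placeholder: pass the host name the app connects to.
param(
    [string]$ServerName = 'server.example.com'
)

$now = Get-Date

# Walk every store under both the current user and the local machine.
Get-ChildItem -Path Cert:\CurrentUser, Cert:\LocalMachine -Recurse |
    # The provider also returns store containers; keep certificates only.
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    # Keep certificates issued to the server in question.
    Where-Object { $_.Subject -like "*$ServerName*" } |
    ForEach-Object {
        [pscustomobject]@{
            # e.g. "CurrentUser\My" (strip the provider prefix)
            Store      = ($_.PSParentPath -replace '^.*::', '')
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotBefore  = $_.NotBefore
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt $now)
            SigAlg     = $_.SignatureAlgorithm.FriendlyName
            # FriendlyName is e.g. "sha1RSA" or "sha256RSA"
            Sha1Signed = ($_.SignatureAlgorithm.FriendlyName -match 'sha1')
            Thumbprint = $_.Thumbprint
        }
    } |
    Sort-Object Store, NotAfter |
    Format-Table -AutoSize
```

An entry with `Expired` set to `True` whose thumbprint differs from the certificate the server currently presents is the kind of leftover copy the answer describes.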