
I have a web service that is currently being used by a variety of old .Net and Java clients using TLS1.0/SSL3 protocols using a SHA1 certificate.

If I were to change the certificate to be SHA2 would these clients still work ?

I am changing no other configurations on the server (i.e. not disabling TLS1 /SS3).

I will over time, when I can get the clients to upgrade to use TLS1.2.

ady
  • See https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/ for details on SSL/TLS versions on Windows. Note that the main table only shows what versions are supported, not which versions are enabled! – Robert Oct 21 '16 at 14:03
  • Compatibility list of SHA-2 certificates can be found here: https://support.globalsign.com/customer/portal/articles/1499561-sha-256-compatibility – Robert Oct 21 '16 at 14:05

1 Answer


.NET has supported SHA2 since 1.1 (see What's the state of support for SHA-2 in various platforms?).

Java has supported SHA2 since 1.4.2 (see https://www.entrust.com/should-you-use-sha-2/).

If you have access to these clients, and if they can connect to a different URL that uses a SHA2 certificate, you should be good. Give the users/maintainers of these clients a date when you will be migrating your service to use a SHA2 certificate so that they can test it themselves.

Anand Bhat
  • I don't have access to the clients so I cannot control when they will upgrade. However my SHA1 certificate runs out soon so I just wanted a heads up as to whether the clients will continue to work against a new SHA2 certificate, i.e. is the SHA2 certificate backwards compatible with SSL3 and TLS1.0? – ady Oct 21 '16 at 13:57
  • @ady: The signature algorithm of the certificate is unrelated to the SSL/TLS protocol version. This means there might be clients which can do TLS 1.0 but cannot do SHA-2 signed certificates. – Steffen Ullrich Oct 21 '16 at 13:59
  • If a platform supports SHA2 this does not necessarily mean it supports it in SSL/TLS. E.g. AFAIK on Windows the SSL implementation is part of the OS and not of .Net. – Robert Oct 21 '16 at 13:59