[Pkg-openssl-devel] Bug#912604: Bug#912604: libssl1.1: libssl version 1.1.1 breaks burp backup buster clients with stretch server
Kurt Roeckx
kurt at roeckx.be
Thu Nov 1 21:17:18 GMT 2018
On Thu, Nov 01, 2018 at 09:52:12PM +0100, Sebastian Andrzej Siewior wrote:
> |$ openssl x509 -in 912604.cert -text | grep Signature
> | Signature Algorithm: sha1WithRSAEncryption
> | Signature Algorithm: sha1WithRSAEncryption
>
> The point is that your server certificate is signed with SHA1 while
> the minimum is SHA256. Please note that all publicly issued certificates
> are signed with SHA256 these days.
>
> I would suggest a *note* in burp to notify users of burp which created
> self-signed certificates with pre-Buster machines that they might need
> to recreate their certificate if it is signed with SHA1. Thus
> reassigning to burp.
> I just tried the Buster version of burp and myClient.crt, myServer.crt
> and CA_myCA.crt are signed with SHA256. I would assume that the script
> does not set the signing method and the default is used which changed.
As far as I know, the default in stretch should also use sha256,
most likely those certificates are older.
Kurt
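
An added example (not part of either message, and not burp or OpenSSL project code) that turns the `openssl x509 ... | grep Signature` check quoted above into a reusable audit for certificates signed with a digest below SHA-256. The function names are hypothetical, and the sample text is constructed to match the quoted grep output.

```shell
#!/bin/sh
# Added example: audit certificates for signature digests below SHA-256.

# Extract the distinct "Signature Algorithm" values from
# `openssl x509 -noout -text` output supplied on stdin.
sig_algs() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | sort -u
}

# Succeed if the algorithm name carries a digest weaker than SHA-256:
# SHA-1 (the case in this thread) or MD5. Match is case-insensitive so
# names such as ecdsa-with-SHA1 are caught too.
is_weak_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *sha1*|*md5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read certificate text on stdin, print one verdict per algorithm.
# Returns 0 = all fine, 1 = weak digest found, 2 = nothing parseable.
audit_text() {
    label=$1
    rc=2
    for alg in $(sig_algs); do
        if [ "$rc" -eq 2 ]; then rc=0; fi
        if is_weak_alg "$alg"; then
            echo "WEAK $label: $alg"
            rc=1
        else
            echo "ok   $label: $alg"
        fi
    done
    return "$rc"
}

# Audit one PEM file with the openssl CLI (as in the thread, plus -noout).
audit_file() {
    openssl x509 -in "$1" -noout -text | audit_text "$1"
}

# Constructed sample mirroring the grep output quoted above.
SAMPLE_SHA1='    Signature Algorithm: sha1WithRSAEncryption
    Signature Algorithm: sha1WithRSAEncryption'
printf '%s\n' "$SAMPLE_SHA1" | audit_text 912604.cert || true
```

Calling `audit_file` on each certificate a burp installation uses (client, server and CA) shows which ones carry a SHA-1 signature.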