
SHA-1, SHA-2 (Google Chrome and Microsoft IE) and POODLE Issue

Greetings everyone,

We are running MEG 7.6.2 on-box quarantine (no MQM)

We currently have a SHA-1 SSL certificate from a third party (entrust.com).

End users access the box to release their email quarantine over the web.

Is MEG 7.6.2 compatible with SHA-2? In other words, if I upgrade my SHA-1 SSL certificate to SHA-2 and import it to the boxes, would it work without any problem? Is the process of generating/importing the SSL SHA-2 certificate the same as for SHA-1 on the MEG?

Also, we are concerned about the new exploit POODLE. Do you guys know how to avoid problems with the POODLE attack? - (what a lame name!!! somebody should change the name from POODLE to SHARK attack )

Thanks in advance

McAfee Employee

Re: SHA-1, SHA-2 (Google Chrome and Microsoft IE) and POODLE Issue

Here is the information about POODLE for all McAfee Products - https://kc.mcafee.com/agent/index?page=content&id=SB10090

As for the SHA2 - We’ll have no problems verifying a certificate signature that uses SHA-256 or better as the hashing algorithm.


Re: SHA-1, SHA-2 (Google Chrome and Microsoft IE) and POODLE Issue

Hi Ryan,

I've got the following from McAfee support.

I am going to test it in the next couple of days.

Hope it helps

++++++++++++++++++++++++++++++++

Currently the McAfee Email Gateway (MEG) only allows SHA-1 from the management console. On the command line the current version of openssl (1.0.1e-fips) actually defaults to using SHA-2 for signing requests.

Log on via SSH on the backend of the appliance.

1. First create a private key with the filename of privatekey.pem

For 7.0.x

openssl genrsa -out privatekey.pem 2048

For 7.5.x/7.6.x

openssl genpkey -algorithm RSA -out privatekey.pem -pkeyopt rsa_keygen_bits:2048

2. Use the private key to create a CSR with the filename of sha256.csr

Note: It would probably be best to limit it to sha256

openssl req -new -sha256 -nodes -key privatekey.pem -out sha256.csr

3. To verify, you can run this command

$ openssl req -noout -text -in sha256.csr | grep -E "Signature|Public-Key"

Public-Key: (2048 bit)

Signature Algorithm: sha256WithRSAEncryption

You are specifically looking for the line “Signature Algorithm: sha256Wit

++++++++++++++++++++++++++++++
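
An added example, not part of the support text quoted above and not McAfee tooling: a shell check that turns the manual grep in step 3 into a pass/fail test, and also works on the issued certificate before it is imported. The function names `audit_text` and `audit_pem` and the thresholds (SHA-2 signature, RSA key of at least 2048 bits) are assumptions of this example.

```shell
#!/bin/sh
# Added example: policy check over `openssl req/x509 -noout -text` output.
# Function names and thresholds are this example's assumptions (RSA only).

# audit_text: read OpenSSL text output on stdin, print findings, and return 0
# only if the signature hash is SHA-2 and the RSA key is >= 2048 bits.
audit_text() {
    local text sigalg bits rc=0
    text=$(cat)
    # First "Signature Algorithm:" line; a certificate lists it twice, same value.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    # Matches "Public-Key: (2048 bit)" and the "RSA Public-Key:" variant.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: *(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)

    case "$sigalg" in
        sha256With*|sha384With*|sha512With*) echo "OK   signature: $sigalg" ;;
        "") echo "FAIL no signature algorithm found"; rc=1 ;;
        *)  echo "FAIL signature: $sigalg (not SHA-2)"; rc=1 ;;
    esac
    if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
        echo "OK   key size: $bits bit"
    else
        echo "FAIL key size: ${bits:-unknown} bit"; rc=1
    fi
    return "$rc"
}

# audit_pem FILE: pick `openssl req` or `openssl x509` from the PEM header,
# then audit the decoded text.
audit_pem() {
    if grep -q 'CERTIFICATE REQUEST' "$1"; then
        openssl req -noout -text -in "$1" | audit_text
    else
        openssl x509 -noout -text -in "$1" | audit_text
    fi
}

# Usage after sourcing this file:  audit_pem sha256.csr
```

A non-zero return from `audit_pem` means the file should not be submitted to the CA or imported as-is.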
