2 Replies Latest reply on Oct 27, 2014 7:11 AM by a.dalton

    SHA-1, SHA-2 (Google Chrome and Microsoft IE) and POODLE Issue

    a.dalton

      Greetings everyone,

       

      We are running MEG 7.6.2 on-box quarantine (no MQM)

      We currently have SHA-1 SSL certificate from a third party (entrust.com).

      End users access the box to release their email quarantine over the web.

       

      Is MEG 7.6.2 compatibly with SHA-2? In another words, if I upgrade my SHA-1 SSL certificate to SHA-2 and import to the boxes would it work without any problem? Is the process of generate/import the SSL SHA2 the same as SHA-1 on the MEG?

       

      Also we are concerned about the new exploit POODLE. Do you guys know how to avoid problems with POODLE attack? - (what a lame name!!! somebody should change the name from POODLE to SHARK attack )

       

      Thanks in advance

        • 1. Re: SHA-1, SHA-2 (Google Chrome and Microsoft IE) and POODLE Issue
          Ryan Brady

          Here is the information about POODLE for all McAfee Products - https://kc.mcafee.com/agent/index?page=content&id=SB10090

           

          As for the SHA2 - We’ll have no problems verifying a certificate signature that uses SHA-256 or better as the hashing algorithm.

          • 2. Re: SHA-1, SHA-2 (Google Chrome and Microsoft IE) and POODLE Issue
            a.dalton

            Hi Ryan,

            I've got the following from McAfee support.

            I am going to test it on the next couple of days.

            Hope it helps

             

            ++++++++++++++++++++++++++++++++

            Currently the McAfee Email Gateway (MEG) only allows SHA-1 from the management console. On the command line the current version of openssl (1.0.1e-fips) actually defaults to using SHA-2 for signing requests.

            Log on via SSH on the backend of the appliance.

            1. First create a private key with the filename of privatekey.pem

             

            For 7.0.x

             

            openssl genrsa -out privatekey.pem 2048

             

            For 7.5.x/7.6.x

             

            openssl genpkey -algorithm RSA -out privatekey.pem -pkeyopt rsa_keygen_bits:2048

             

            2. Use the private key to create a CSR with the filename of sha256.csr

            Note: It would probably be best to limit it to sha256

             

            openssl req -new -sha256 -nodes -key privatekey.pem -out sha256.csr

             

            3. To verify, you can run this command

             

            $ openssl req -noout -text -in sha256.csr | grep -E "Signature|Public-Key"

             

            Public-Key: (2048 bit)

            Signature Algorithm: sha256WithRSAEncryption

             

            You are specifically looking for the line “Signature Algorithm: sha256Wit

            ++++++++++++++++++++++++++++++