Comments (1)
dcooper16
commented on June 8, 2024
What does this check actually represent and where does the server use those offered sig_algs? Is it really concerning, when RSA+SHA1 is offered? How can this be disabled (where is this setting located - server/client)?
When using a cipher suite that offers forward secrecy, the server authenticates itself by signing some data. The client indicates which signature algorithms it is willing to accept and the server selects one based on what it is willing to use. "TLS 1.2 sig_algs offered" lists the signature algorithms that the server is willing to use with TLS 1.2.
If a client indicates that it will not accept signatures that use SHA-1, then the server cannot use SHA-1. However, the above check is only testing the server, so it can only be disabled by configuring the server to be unwilling to use SHA-1. How that is done would depend on what server you are using.
In the below example, is the offered RSA+SHA1 security concerning?
See https://www.rfc-editor.org/rfc/rfc9155.html and the paper that it references (https://doi.org/10.14722/ndss.2016.23418).
from testssl.sh.
Related Issues (20)
- [BUG / possible BUG] ./testssl.sh: line 8757: 2+: syntax error: operand expected (error token is "+") HOT 2
- [BUG / possible BUG] Fatal error: URI comes last HOT 2
- Censys changing their ToS. Links affected? HOT 1
- [Feature] HTML report add option to report like on terminal (dark) HOT 3
- question of cert_chain_of_trust HOT 1
- [BUG] HSTS header parsing does not accept spaces between directives
- [BUG] MongoDB identification HOT 2
- [BUG] Secure client initiated renegotiation timing bug HOT 3
- Anybody know github.com/testssl ? HOT 1
- Your account github.com/testssl
- [Feature request] query + show HTTPS DNS record (RFC 9460) HOT 4
- [Feature request] DNS CAA records: support checking for Extensions for Account URI and ACME Method Binding (RFC 8657) HOT 2
- [Feature request] Test Ciphers against Curvces
- [Feature request] Change DH_groups finding delimiter
- [Feature request] Verify support for long CilentHello messages HOT 4
- Issue Severity List HOT 1
- Why is RSA+SHA1 in the "TLS 1.2 sig.algs offered" list HOT 3
- Warnings cannot be turned off for batch testing HOT 8
- [BUG] Inconsistent bold in report HOT 2
- [BUG] Incorrectly showing TLS 1.0 and 1.1 as offered HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from testssl.sh.