jchipman

SHA2 algorithm

Does anyone know if Novell is planning to include / adopt sha2 for ZCM certificates?

If we want SHA2, will it require an external certificate (please say no)?
Anonymous_User

Re: SHA2 algorithm

Jchipman,
> Does anyone know if Novell is planning to include / adopt sha2 for ZCM
> certificates?


Since OpenSSL supports SHA2, I see no reason why not, but let me ask
Novell.

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms

Anonymous_User

Re: SHA2 algorithm

From Novell:

If you want to use an Internal CA, they are SHA1.

Please post to the Ideas Portal for Support for Internal SHA2.

There would not really be any supported processes at this time.

However, ZCM 11.4 Supports up to 4096 Byte SHA1 Certs if cracking is
really a concern.

There will be major Cert work going on for ZCM 2016, so it might happen
if enough people ask for it.

--
Anders Gustafsson (NKP)
The Aaland Islands (N60 E20)

Have an idea for a product enhancement? Please visit:
http://www.novell.com/rms

djbrightman1

Re: SHA2 algorithm

I don't think cracking is the concern, more that SHA-1 will be deprecated.
Whilst this may not affect ZCM agent to ZCM server comms, it will affect things such as ZCC access.

Chrome and Firefox are jumping the gun and already warning about SHA-1 certs.

From MS perspective:
>>
SSL Certificates

For SSL certificates, Windows will stop accepting SHA1 end-entity certificates by 1 January 2017. This means any time valid SHA1 SSL certificates must be replaced with a SHA2 equivalent by 1 January 2017.
<<
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

The effect of what "Windows will stop accepting SHA1 end-entity certificates" is not really clear... (at least to me! 😉)

We're considering a move to use our internal AD CS CA, which we recently updated to use SHA256.... (Question about this to follow! 😉)

(Novell strike that...) MicroFocus(!!) have recently issued a good TID on "Configuring eDirectory to mint certificates with a SHA-2 signature".
I think we'll need something from them soon on ZENworks and what will and won't work with existing internal CAs and what the recommended steps are...

Cheers
David
Micro Focus Expert

Re: SHA2 algorithm

The Best place to post the suggestion is at https://ideas.microfocus.com/mfi/novell-zcm
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
Micro Focus Expert

Re: SHA2 algorithm

Note: Your 2017 Date is WAY off....
From your LINK....

Update: For code signing certificates, Windows 7 and later versions will stop accepting code signed with SHA-1 certificates without timestamps that were made prior to January 1, 2016. This enforcement will be performed only in user mode using the framework that Windows has for blocking weak cryptographic algorithms. Code signed with SHA-1 certificates that are time stamped before 1 January, 2016 will be accepted until 14 January 2020 (when Server 2008 extended support ends),

So in short.....At most you may have to Update Your Certs but not CA before 2020................
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
djbrightman1

Re: SHA2 algorithm

OK... Possibly... I'm afraid I don't understand enough about how ZCM utilises certs and how this interacts with Windows mechanisms to trust all will be well. Probably content delivery, possibly remote management but what about browsers and zcc access...? I'm sure Firefox won't support it, so it will probably have to be IE11 and may well involve changing a global setting that will weaken security... I just don't know.

I really would like to see an official statement from MicroFocus as to what will and won't be affected.
SHA1 deprecation is happening, and not planning for it is poor management. We need solid, fact based information to make the required decisions.

Just my thoughts... don't shoot! 😉

Cheers
David
Micro Focus Expert

Re: SHA2 algorithm

Hard to say what some browsers will break....I know FireFox broke all Active Directory CA Certs for a while....took them MONTHS to fix it and actually they kept breaking it more 🙂
For a while they blocked all CAs that were not included by Default with Windows such as Verisign unless you specially configured FireFox to allow users to trust their own Private CAs such as AD, eDir, etc....
Then they even took that away.......
After 3-4 months maybe more they finally relented and started allowing 3rd party CAs again.

MicroFocus cannot make any statement about what Microsoft or other 3rd Parties will break.
At this point, Microsoft has pushed SHA-1 support through 2020.

ZCM has tools to update CAs quickly if it ever became an actual issue, but when looking that far into the future lots of things could change, such as when MS broke most of its own Certs since it defaulted to 512 Certs for years unlike eDir's 2048, and when MS deprecated 512 byte certs via a Hotfix a huge number of people broke.

Who knows what requirements for certs and stuff will be in the future....Maybe we will need 4096 byte certs with the leaps in computing power....
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
Micro Focus Expert

Re: SHA2 algorithm

Just realized that ZCM 11.4 does SHA256.................
Not sure why I did not realize this, just noticed when working on a Cert issue........

So if you Upgrade to 11.4 and CAREFULLY upgrade your CA you will get a SHA256 CA and Certs
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
davearre

Re: SHA2 algorithm

CRAIGDWILSON;2409408 wrote:
Just realized that ZCM 11.4 does SHA256.................
Not sure why I did not realize this, just noticed when working on a Cert issue........

So if you Upgrade to 11.4 and CAREFULLY upgrade your CA you will get a SHA256 CA and Certs


Craig,
I discovered MS released a Windows Update in June that will block SHA1 SSL traffic as if it is firewalled. Zenworks agent 11.3.x cannot login and you cannot even pull up the web page of the Zenworks server on IE, as if it is not there. I've upgraded to Zen 11.4.2 but the certificate is still SHA1. Can you ask Novell to write up a TID on how to remint the server and/or the CA certificate so that they can be upgraded to SHA256? I am stuck not being able to do Windows Updates until we can complete the certificate change.

Thanks
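To find out what an existing ZCM server or CA certificate was actually signed with (the "is it still SHA1?" question in the post above), here is an added example that is not code from this thread or from ZENworks: a standard-library-only Python parser that walks a DER-encoded certificate to its outer signatureAlgorithm field and names the hash. The certificate it parses is constructed in the block (correct DER shape, no real key or signature); for a real check, pass the bytes of a DER file exported from the server, or a base64-decoded PEM body.

```python
# OIDs of common signature algorithms (RFC 3279, RFC 4055, RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length-byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """First byte packs two arcs; the rest are base-128 with a continuation bit."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """(dotted OID, name) of the outer signatureAlgorithm, i.e. the hash the CA used."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; base64-decode PEM input first")
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, algid, _ = read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return dotted, SIG_OIDS.get(dotted, "unknown")

def is_sha1_signed(der):
    """True when this cert must be reminted before SHA-1 stops being accepted."""
    return signature_algorithm(der)[1] in ("sha1WithRSAEncryption", "ecdsa-with-SHA1")

# Constructed sample input below: correct DER shape, not a real certificate.
def tlv(tag, content):                     # definite length, short or 1-byte long form
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content

def build_sample_cert(sig_oid_hex):
    algid = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")  # OID + NULL
    tbs = tlv(0x30, tlv(0x02, b"\x01") + algid)          # serial + inner signature field
    return tlv(0x30, tbs + algid + tlv(0x03, b"\x00" * 9))   # + BIT STRING stub
```

Note that a server cert and the CA cert that issued it can differ: a SHA256 CA cert does not by itself mean the leaf certs it issued earlier were reminted.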
Micro Focus Expert

Re: SHA2 algorithm

Actually MS did not block SHA1 Traffic.
The MS Patch was actually released last August.
They simply added the Critical Security Update to the Roll-Up Patches.

Here is the patch you need -
https://www.novell.com/support/kb/doc.php?id=7016807

This has to do with a CIPHER Break, not a SHA1/SHA2 issue.

You really really don't want to do it, but to move to SHA2 you need to remint your CA.
Not recommended and not your issue and existing SHA1 CA Certs are not being eliminated any time soon by any vendor.
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
davearre

Re: SHA2 algorithm

Hi, Craig,

Thank you very much for this information! We had this problem on an RDS server I ran Windows updates on while we were on 11.3.x. I worked around it by uninstalling the MS Update. Since then I updated our Zenworks server to 11.4.2. I was going to remint the CA believing it was a SHA1 issue - (when I installed a fresh Zenworks 11.4.2 in another location the certificate was SHA256) but after your message I re-applied all Windows updates to the RDS server now with client 11.4.2 and it is working properly!

Glad to know I do not have to remint for several years!

Thanks again!

CRAIGDWILSON;2435010 wrote:
Actually MS did not block SHA1 Traffic.
The MS Patch was actually released last August.
They simply added the Critical Security Update to the Roll-Up Patches.

Here is the patch you need -
https://www.novell.com/support/kb/doc.php?id=7016807

This has to do with a CIPHER Break, not a SHA1/SHA2 issue.

You really really don't want to do it, but to move to SHA2 you need to remint your CA.
Not recommended and not your issue and existing SHA1 CA Certs are not being eliminated any time soon by any vendor.