John Public

Some (exotic) signing algos not correctly identified

Discussion created by John Public on Nov 3, 2014
Latest reply on Nov 5, 2014 by John Public

Hi all,

I noticed that when using SHA1withDSA, SSL Test doesn't pick up SHA1 as being weak. I understand that this is a requirement of the original DSS, but I don't believe that 1024 bits is effective enough anyways and I know the new standard is SHA2 with 1024-3072-bit keys. I also noticed that MD5 is incorrectly called "SHA1" in the warning taglines, when it should be a red "insecure" tagline. I'd be willing to bet that similar behavior would occur with SHA-0 and other obscure signing algorithms.
