PKI (D)TLS SHA security
mrdeep1 edited this page May 13, 2021 · 1 revision
Recent TLS libraries do not accept PKI certificates that have the strength of SHA1, as it is deemed to be unsafe; the strength has to be a minimum of SHA256.
As a consequence, libcoap may not accept a provided certificate, and the error reported by the TLS library may not be much help in diagnosing this SHA256 requirement.
When using OpenSSL to request a new PKI set, the `-sha256` option is required. Note that if the signing CA is only SHA1, then the result of the Certificate Request may not end up as SHA256.
To check the SHA type of a certificate:

```
openssl x509 -in your_cert.pem -noout -text | grep -i SHA
```
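The check above can be scripted so that a certificate is verified after the CA has signed it, which is when a SHA1-only CA would show up. The following is an added example, not part of libcoap or the original page: it reads only the `Signature Algorithm:` fields and applies the SHA256 minimum. The function names and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not libcoap code): judge a certificate's signature hash from
# the text printed by `openssl x509 -noout -text`.

# Print the distinct "Signature Algorithm:" values read from stdin.
sig_algs() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | sort -u
}

# Classify one algorithm name against the SHA256 minimum stated on this page.
classify_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *md5*|*sha1*|*sha224*)       echo weak ;;
        *sha256*|*sha384*|*sha512*)  echo ok ;;
        *)                           echo unknown ;;  # e.g. ED25519, rsassaPss
    esac
}

# Read `openssl x509 -text` output on stdin.
# Returns 0 = all ok, 1 = weak hash found, 2 = nothing conclusive.
check_cert_text() {
    algs=$(sig_algs)
    [ -n "$algs" ] || { echo "no Signature Algorithm field found"; return 2; }
    rc=0
    for a in $algs; do
        verdict=$(classify_alg "$a")
        echo "$a: $verdict"
        case "$verdict" in
            weak)    rc=1 ;;
            unknown) [ "$rc" -eq 1 ] || rc=2 ;;
        esac
    done
    return "$rc"
}

# Convenience wrapper for a PEM file (requires the openssl CLI).
check_cert() {
    openssl x509 -in "$1" -noout -text | check_cert_text
}

# Constructed sample of the relevant output lines (not a real certificate).
SAMPLE_SHA1='    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example CA
    Signature Algorithm: sha1WithRSAEncryption'

printf '%s\n' "$SAMPLE_SHA1" | check_cert_text || echo "rejected (status $?)"
```

Run `check_cert your_cert.pem` on each certificate in the chain that libcoap is given; a status of 2 means the algorithm name carries no recognisable hash and needs a manual look.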