SHA-1

cert certificate SSL TLS SHA SHA-1 https

3 replies to this topic

#1 Jaybone

Jaybone
  • Members
  • 120 posts

Posted 29 July 2016 - 12:03 PM

After upgrading our unit to 8.0.0.002, I generated a new self-signed cert from Advanced/Secure Administration.  My hope was that it'd use a modern algorithm, but it still wants to use SHA-1.

 

Is there a way/are there plans to enable a way to use SHA-256 with a self-signed cert?

 

As browser providers drop support for SHA-1, I'm concerned that we'll lose the ability to manage our device without having to resort to using alternate, older browser versions, which kind of defeats the purpose of having something be web-managed in the first place.

 

 



#2 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 401 posts

Posted 29 July 2016 - 12:07 PM

If you want a modern "real" certificate you will need to go through a certificate authority and purchase one.

Using the old Barracuda Self Signed cert is just for basic testing only and should not be relied on for security.

Self-signed certificates are not secure and are easily broken, making your secure connection very unsecure.

Purchasing a certificate is inexpensive and provides you with a secure connection.

 


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#3 Jaybone

Jaybone
  • Members
  • 120 posts

Posted 29 July 2016 - 12:13 PM

If you want a modern "real" certificate you will need to go through a certificate authority and purchase one.

Using the old Barracuda Self Signed cert is just for basic testing only and should not be relied on for security.

Self-signed certificates are not secure and are easily broken, making your secure connection very unsecure.

Purchasing a certificate is inexpensive and provides you with a secure connection.

 

 

...and convincing management that we should spend money to properly secure the management interface of something we already pay a yearly subscription for?  Not going to happen.

 

Let's Encrypt would be a viable alternative, but having to manually mess with certs every few months is more of a hassle than anyone has time for.



#4 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 29 July 2016 - 12:21 PM

If you want to use the Barracuda to generate the SHA256, then you will need to contact support to change this on the backend until we get it done in the firmware.

 

To add to Exner's point, if you go and generate a "Private" certificate, you will FAIL any security scan. This is where real certificates come into play. If the Barracuda is hosted on an internal PKI, then this could satisfy your internal scans.

 

Regarding cost efficiency, you get what you pay for. Money should be justifiable when it comes down to the security of your business, and certificate providers now provide "Extended validation certificates" that can last 3-5 years to shorten up administrative tasks.



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com