SHA1-Based Signature in TLS/SSL Server X.509 Certificate
Certificates generated by a third party certification authority are more secure than self-signed certificates. High strength ciphers with key lengths equal to or greater than 112 bits are also more secure than ciphers with less than 112 bits.
GigaVUE‑OS supports TLS/SSL server X.509 certificates, including SHA2-256 and SHA2-512-based certificates, as well as SHA1-based certificates.
However, SHA1 has known weaknesses that expose it to collision attacks, which may allow an attacker to generate additional X.509 certificates with the same signature as the original.
Therefore, when a third party certificate is requested, SHA2-256 or SHA2-512 should be requested as the signature algorithm, and not SHA1.
To obtain a third party certificate, on Linux or in a Linux-like environment (such as Cygwin), generate a private key as follows:
openssl req -new -key privkey.pem -out cert.csr
The file, cacert.pem, will be sent to a third party certification authority, which will generate a certificate.
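A check for the certificate that comes back from the certification authority, as an added example that is not part of the GigaVUE-OS documentation: it reads the signature algorithm OID from a DER-encoded certificate using only the Python standard library. The function names and the stub certificates built by sample_cert are constructed for illustration; the OIDs are the standard values for the named algorithms.

```python
WEAK = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
STRONG = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
          "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [], 0                     # OID content bytes -> dotted notation
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear ends this arc
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    outer_tag, cert, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if outer_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate layout")
    return decode_oid(oid)

def classify(cert_der):
    oid = signature_algorithm(cert_der)
    if oid in WEAK:
        return ("reject", WEAK[oid])
    return ("accept", STRONG[oid]) if oid in STRONG else ("review", oid)

def sample_cert(last_arc):
    """Constructed stub (not a real certificate): only the outer layout is valid."""
    seq = lambda body: bytes([0x30, len(body)]) + body
    oid = bytes.fromhex("06092a864886f70d0101") + bytes([last_arc]) + b"\x05\x00"
    return seq(seq(b"\x02\x01\x01") + seq(oid) + b"\x03\x02\x00\x00")
```

For a PEM file, base64-decode the body between the BEGIN and END lines and pass the resulting bytes to classify.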
The ciphers supported with TLS v1.0, 1.1, and 1.2 are listed in Table 1: Supported Ciphers with TLS v1.0 and v1.1 and Table 2: Supported Ciphers with TLS v1.2.

| Modern Ciphers | Classical Ciphers |
| --- | --- |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) | |
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) | |
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) | |

The ciphers supported with TLS v1.2 are listed in the following table.

| Authenticated Encryption with Additional Data (AEAD) Ciphers | SHA-2 Ciphers |
| --- | --- |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14) | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13) | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) |
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc15) | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) | |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) | |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) | |