SHA2-Based Signature in TLS/SSL Server X.509 Certificate

Certificates generated by a third-party certification authority are more secure than self-signed certificates. High-strength ciphers with key lengths equal to or greater than 112 bits are also more secure than ciphers with key lengths of less than 112 bits.

GigaVUE‑OS supports TLS/SSL server X.509 certificates, including SHA2-256 and SHA2-512-based certificates, as well as SHA1-based certificates.

However, SHA1 has known weaknesses that expose it to collision attacks, which may allow an attacker to generate additional X.509 certificates with the same signature as the original.

Therefore, when a third-party certificate is requested, SHA2-256 or SHA2-512 should be requested as the signature algorithm, and not SHA1.

To obtain a third-party certificate, on Linux or a Linux-like environment (such as Cygwin), generate a certificate signing request (CSR) from your existing private key (privkey.pem) as follows:

■   openssl req -new -key privkey.pem -out cert.csr

The file, cert.csr, is then sent to a third-party certification authority, which generates the certificate.
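
Once the certification authority returns the certificate, its signature algorithm can be checked before the certificate is installed. The following is an added example, not part of the GigaVUE-OS documentation; the function names, the ACCEPT/REJECT/REVIEW verdict strings and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the GigaVUE-OS documentation.
# Real use (the file name is a placeholder):
#   openssl x509 -in <certificate.pem> -noout -text | check_cert_text

# Print the algorithm named on the first "Signature Algorithm:" line of
# `openssl x509 -noout -text` output read on stdin.
first_sig_alg() {
    awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}

# Map an OpenSSL signature algorithm name to sha2, sha1 or other.
classify_sig_alg() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        *sha224*|*sha256*|*sha384*|*sha512*) echo sha2 ;;
        *sha1*)                              echo sha1 ;;
        # e.g. rsassaPss, where the hash is printed on a later line
        *)                                   echo other ;;
    esac
}

# Read certificate text on stdin, print a verdict, return 0 only for SHA-2.
check_cert_text() {
    found=$(first_sig_alg)
    case "$(classify_sig_alg "$found")" in
        sha2) echo "ACCEPT $found"; return 0 ;;
        sha1) echo "REJECT $found"; return 1 ;;
        *)    echo "REVIEW ${found:-none}"; return 1 ;;
    esac
}

# Constructed excerpts in the layout of `openssl x509 -noout -text` output.
SAMPLE_SHA256='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Constructed Test CA
    Signature Algorithm: sha256WithRSAEncryption'
SAMPLE_SHA1='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Constructed Test CA
    Signature Algorithm: sha1WithRSAEncryption'

printf '%s\n' "$SAMPLE_SHA256" | check_cert_text || true
printf '%s\n' "$SAMPLE_SHA1" | check_cert_text || true
```

The check covers only the certificate it is given, so any intermediate certificates supplied by the certification authority need the same check.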

The ciphers supported with TLS v1.2 are listed in the following table.

Table 1: Supported Ciphers with TLS v1.2.

Authenticated Encryption with Additional Data (AEAD) Ciphers

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)