FS#42778 - Update website SSL certificates with sha2 certificates

Attached to Project: Arch Linux
Opened by Dolores (meskarune) - Thursday, 13 November 2014, 18:20 GMT
Last edited by Florian Pritz (bluewind) - Tuesday, 22 March 2016, 13:31 GMT
Task Type: Bug Report
Category: Web Sites
Status: Closed
Assigned To: Aaron Griffin (phrakture)
Architecture: All
Severity: Low
Priority: Low
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

Description: update the archlinux.org SSL certificates to use sha2 instead of sha1.


Additional info:
* sha1 is a weak algorithm that will be crackable in the next few years
* chrome browser will be flagging sites with sha1 certificates
* http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html


Steps to reproduce:

https://shaaaaaaaaaaaaa.com/check/archlinux.org

Closed by Florian Pritz (bluewind)
Tuesday, 22 March 2016, 13:31 GMT
Reason for closing: Fixed
Comment by Levente Polyak (anthraxx) - Thursday, 13 November 2014, 19:02 GMT
I would appreciate that *thumbs* :)
If it's of interest, here is a bit more tech-related writeup on this topic from Adam Langley: https://www.imperialviolet.org/2014/05/14/sha256.html
Comment by Florian Pritz (bluewind) - Friday, 14 November 2014, 00:28 GMT
Apparently it's possible to trick the startssl webui into giving you a new cert if you add another unused
domain to the list. No idea if that works for wildcard certs though, but it might be worth a try.
https://kuix.de/blog/index.php?entry=SSL/TLS-servers,-SHA-1/SHA-256-and-StartSSL.com-certificates

I'm also reassigning this to aaron since he handles the certs.
Comment by Dolores (meskarune) - Monday, 24 November 2014, 20:28 GMT
Global Sign gives free SSL certificates to Open Source projects. I'm pretty sure Arch Linux would qualify.

Link: https://www.globalsign.com/ssl/ssl-open-source/
Comment by Florian Pritz (bluewind) - Tuesday, 22 March 2016, 13:31 GMT
We've switched to Let's Encrypt now so this has been fixed.
