Hi Jason,
Thanks for the valuable info.
I have seen, with an application running in TRP, that the certificate chain we have deployed is a combination of SHA256 and SHA384.
Still, the application is running fine while TRP is enabled.
But when I checked on the online tool sslshopper.com, it is showing a broken certificate chain there.
Is it because the certificate has a combination of SHA256 and SHA384?
Please help me to understand this...
------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
------------------------------
Original Message:
Sent: 07-09-2020 10:31
From: Jason Park
Subject: SSL Certificate
Pankaj,
Make sure that you check prior to loading into your SecureSphere TRP that all parts of the certificate chain are SHA256... i.e. that the intermediates are also SHA256. These should all be fully chained together minus the root, in the correct order, then uploaded to the SS appliance with the associated private key. You can manually check what is applied to the server when TRP is off. If it is public facing, you can also use tools such as the Qualys scanner to check the details of the SSL certificate and that it conforms to industry best practices.
I would recommend that once you apply it to TRP that you also run a rescan with one of the SSL checker tools and ensure that it is applied correctly to SS. You should also see the alerts go down if it is applied with a fully supported chain.
As Chris mentioned the upcoming versions of SS will fix this issue.
------------------------------
Jason Park
County of Los Angeles
CA
Original Message:
Sent: 07-09-2020 07:41
From: Pankaj Chouhan
Subject: SSL Certificate
Hi Christopher,
Thanks for the valuable info.
------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
Original Message:
Sent: 07-08-2020 08:33
From: Christopher Detzel
Subject: SSL Certificate
@Pankaj Chouhan, I spoke to one of our engineers, and he said: The customer should load to the MX an SSL key pair. The signature of the certificate that belongs to the key pair must be hashed by SHA256 or SHA only.
------------------------------
Christopher Detzel
Community Manager
Imperva
Original Message:
Sent: 07-08-2020 01:17
From: Pankaj Chouhan
Subject: SSL Certificate
Hi Christopher,
Thanks for the valuable information.
Can we ask the customer to provide us an SSL certificate that is signed using SHA256 or SHA only?
Will that be the right way to ask?
------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
Original Message:
Sent: 07-07-2020 08:39
From: Christopher Detzel
Subject: SSL Certificate
@Pankaj Chouhan,
Thank you for your question. SHA384 in TLS_RSA_WITH_AES_256_GCM_SHA384 stands for the 'message authentication algorithm' (i.e. for each message sent between the parties). Each certificate is signed and then hashed by the 'signature hash algorithm'.
We do support SHA384 for the 'message authentication algorithm'.
We do not support SHA384 as the 'signature hash algorithm'.
We are going to support SHA384 for both cases in ABR mode (next generation of TRP).
This was also presented as part of the Webinar we hosted (Webinar: WAF Gateway (formerly SecureSphere WAF) – What's New and What's on the Roadmap 2020). Advanced Bridge is planned for Nov this year and Beta is available now, if you want to participate. Just let us know.
------------------------------
Christopher Detzel
Community Manager
Imperva
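The distinction in Christopher's reply (the SHA384 suffix of a cipher-suite name versus the hash used in a certificate's signature) and Jason's advice to check every certificate in the chain before uploading it can both be exercised from a shell. The script below is an added example, not Imperva's code and not anything the posters shared: it uses the openssl CLI to build a constructed three-certificate chain whose intermediate is signed with SHA-384, then prints each certificate's signature algorithm, flags anything other than SHA-256 or SHA-1 (the two hashes the thread says the gateway accepts), and confirms the leaf-first issuer/subject ordering of the bundle. The working directory, the subject names and the suite_hash helper are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not Imperva's code). Assumes the openssl CLI is installed.
# Builds a throwaway chain (root: SHA-256, intermediate: SHA-384, leaf: SHA-256)
# and inspects every certificate the way you would before loading it into TRP.

WORK="${WORK_DIR:-${TMPDIR:-/tmp}/chaincheck-demo}"   # assumed scratch directory

# make_demo_chain: generate root/intermediate/leaf under $WORK and write
# bundle.pem in upload order (leaf first, then intermediates, no root).
make_demo_chain() {
    [ -f "$WORK/bundle.pem" ] && return 0      # already built
    mkdir -p "$WORK" || return 1
    # Root CA, self-signed with SHA-256 (constructed subject name).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root with SHA-384: the kind of
    # certificate the thread says the gateway will not accept.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -sha384 -days 30 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/int.pem" 2>/dev/null
    # Server (leaf) certificate, signed by the intermediate with SHA-256.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
        -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/bundle.pem"
}

# suite_hash SUITE: the hash named at the end of a TLS 1.2 cipher-suite string.
# It is the suite's MAC/PRF hash and says nothing about how the server
# certificate was signed. (Helper name is an assumption for this demo.)
suite_hash() {
    printf '%s\n' "${1##*_}"
}

# sig_alg CERT.pem: the certificate's signature algorithm, e.g.
# sha256WithRSAEncryption. This is the 'signature hash algorithm' the thread
# refers to, i.e. the one the gateway restriction applies to.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# split_bundle BUNDLE DIR: write each certificate of a PEM bundle to
# DIR/cert-1.pem, DIR/cert-2.pem, ... in the order it appears.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
}

# dn FIELD CERT.pem: print the subject or issuer DN without its "subject=" /
# "issuer=" prefix so the two can be compared as plain strings.
dn() {
    openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# check_chain BUNDLE: one line per certificate with its signature algorithm.
# Flags any signature hash other than SHA-256 or SHA-1 and any break in the
# leaf-first issuer -> subject order. Returns 0 if the bundle is acceptable.
check_chain() {
    dir=$(mktemp -d) || return 1
    split_bundle "$1" "$dir"
    status=0
    prev_issuer=""
    i=1
    while [ -f "$dir/cert-$i.pem" ]; do
        cert="$dir/cert-$i.pem"
        alg=$(sig_alg "$cert")
        subj=$(dn subject "$cert")
        case $(printf '%s' "$alg" | tr 'A-Z' 'a-z') in
            *sha256*|*sha1*) verdict="ok" ;;
            *)               verdict="NOT SUPPORTED"; status=1 ;;
        esac
        printf '%d: %-28s %-28s %s\n' "$i" "$subj" "$alg" "$verdict"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            printf '   chain break: previous certificate was issued by "%s"\n' "$prev_issuer"
            status=1
        fi
        prev_issuer=$(dn issuer "$cert")
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $status
}

# Demo run: the suite name says SHA384, the certificates say something else.
make_demo_chain
printf 'cipher-suite hash of %s: %s (MAC/PRF hash, not the certificate signature)\n' \
    TLS_RSA_WITH_AES_256_GCM_SHA384 "$(suite_hash TLS_RSA_WITH_AES_256_GCM_SHA384)"
if check_chain "$WORK/bundle.pem"; then
    echo "bundle accepted"
else
    echo "bundle needs re-issuing before upload (see flagged lines above)"
fi
```

Run it with `sh chaincheck.sh`; to inspect a real bundle instead of the constructed one, source the file and call `check_chain /path/to/bundle.pem`. The demo's intermediate is reported as sha384WithRSAEncryption and the bundle is rejected, while the suite_hash line shows that the SHA384 in the cipher-suite name is unrelated to that verdict.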
Original Message:
Sent: 07-07-2020 07:32
From: Pankaj Chouhan
Subject: SSL Certificate
Dear Team,
While working with the support team on some cases related to TRP, we came to know that the gateway does not support the SHA384 signature algorithm. Imperva Gateway only supports SHA256 and SHA.
The workaround is to get new signed certificate for the web server which is signed using SHA256.
Whereas if we check supported ciphers, we can see the following ciphers are supported by Imperva.
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
Please help to understand the difference here.
Also, I want to understand the requirements that I can share with the customer so the customer can purchase and provide us the appropriate SSL certificate.
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
------------------------------