YPGOWDA
Microsoft
Jan 16, 2025

X.509 Certificate SHA1 Signature Collision Vulnerability

Issue:

X.509 Certificate SHA1 Signature Collision Vulnerability

 Cause:

  • Whenever you are not using a certificate to connect to SQL Server, it will generate a self-signed one. That is the default behaviour of SQL Server.
  • For SQL Server versions earlier than SQL Server 2017, this self-signed certificate is created with the SHA1 algorithm.

 Resolution:

  • The certificate chain has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, which allows an attacker to access the path.
      ○ Hash and Signature Algorithms - Win32 apps | Microsoft Learn
  • Vulnerability Remediation

    SSL Certificate Signed Using Weak Hashing Algorithm:
    The following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.

        Subject             : CN=SSL_Self_Signed_Fallback
        Signature Algorithm : SHA-1 With RSA Encryption
        Raw PEM certificate : -----END CERTIFICATE-----

    Need to migrate the certificates' hashing algorithm from SHA1 to SHA256:
    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy/ba-p/400338

We share 3 options to mitigate this: 

1. Upgrade SQL Server to 2017 or the latest version.

Changes to hashing algorithm for self-signed certificate in SQL Server 2017 - Microsoft Tech Community

2. Use a stronger custom certificate issued by your root CA or a third-party CA and configure SQL Server to use it.

Certificate Management (SQL Server Configuration Manager) - SQL Server | Microsoft Docs

3. Ignore the alert.

If you prefer to keep the current version and do not issue a custom certificate, you can ignore the error message from the vulnerability tool. It is your decision to encrypt your connection data or not. If you decide not to encrypt, you can ignore it. You can read more about that here: 0770 SQL Server Certificates · microsoft/CSS_SQL_Networking_Tools Wiki · GitHub: “Without encryption, logins, passwords and other sensitive information is transferred in cleartext and can be vulnerable for man in the middle attacks”.
