LifterCoder
Guest
I'm aware that SHA-1 server certificates that chain to Root CA certificates within Microsoft's Trusted Programme are unsupported by Edge and IE11 on Windows 10, as of a couple of years ago.
We have an IIS web farm hosting our ASP.NET systems. The server uses a root certificate that, while it was generated using SHA-1, is not part of the Trusted Programme and therefore has no problem when being used to connect to it securely; the problem is that some of our applications require smartcard authentication, and as soon as the user is prompted to enter the PIN, Edge/IE11 kills the connection.
It's as if Edge/IE11 won't allow the transmission of SHA-1 based certificates.
One strange caveat to this is that if I force IE11 to use only deprecated TLS versions (i.e. TLS 1.0) then it works, in that the smartcard certificate is transmitted and used to authenticate. If I force IE11 to use TLS 1.2 then it fails.
Using certutil I'm able to determine that the smartcard client certificate was generated using SHA-1 and is also signed by the Root CA certificate used on the server.
IE11 works perfectly fine from Windows 7, so I assume the security policy only affects W10 versions.
Did I miss an announcement that this would also affect client certificates? The original announcement made it clear this would not be the case (taken from a Microsoft blog):
How will SHA-1 client authentication certificates be impacted?
The mid-2017 update will not prevent a client using a SHA-1 signed certificate from being used in client authentication.
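The following diagnostic script is an added example, not code from the original post or from Microsoft. It reproduces the checks the poster describes (certutil on the smartcard certificate, forcing IE11 to a single TLS version) from PowerShell, and adds one the post does not cover: whether the smartcard's key provider can produce a SHA-256 RSA signature. In TLS 1.2 the CertificateVerify message is signed with a hash taken from the server's signature_algorithms list (SHA-256 in practice), whereas TLS 1.0 signs an MD5+SHA-1 digest of the handshake, so a provider that can only sign with SHA-1 is worth ruling in or out when client auth works on TLS 1.0 but not TLS 1.2. The URL is a hypothetical placeholder; the script assumes the smartcard certificate is visible in Cert:\CurrentUser\My and that .NET Framework 4.6 or later is installed.

```powershell
# Added diagnostic script; not from the original post. Assumes the smartcard
# certificate is visible in Cert:\CurrentUser\My and that $Uri below is a
# placeholder for the IIS application being tested.
$Uri = 'https://app.example.local/'   # hypothetical, replace with the real URL

# 1. Which certificates carry the Client Authentication EKU, and what does the
#    chain look like? SigAlg shows the hash used to sign each certificate.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku)
}
foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($cert)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        SigAlg     = $cert.SignatureAlgorithm.FriendlyName
        ChainAlgs  = ($chain.ChainElements |
                       ForEach-Object { $_.Certificate.SignatureAlgorithm.FriendlyName }) -join ' -> '
        Root       = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
}

# 2. Client-side SCHANNEL protocol policy. Missing keys mean the OS default applies.
$protoBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $key = Join-Path $protoBase "$proto\Client"
    $val = if (Test-Path $key) { Get-ItemProperty $key } else { $null }
    [pscustomobject]@{
        Protocol          = $proto
        Enabled           = if ($null -ne $val.Enabled) { $val.Enabled } else { '(default)' }
        DisabledByDefault = if ($null -ne $val.DisabledByDefault) { $val.DisabledByDefault } else { '(default)' }
    }
}

# 3. Can the smartcard's key provider sign with SHA-256? TLS 1.2 signs the
#    CertificateVerify message with a hash from the server's signature_algorithms
#    list (SHA-256 in practice); TLS 1.0 signs an MD5+SHA-1 digest instead.
#    This will prompt for the PIN. GetRSAPrivateKey needs .NET Framework 4.6+.
function Test-Sha256Signing {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        $data = [System.Text.Encoding]::ASCII.GetBytes('handshake-transcript-stand-in')  # constructed input
        $sig  = $rsa.SignData($data,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        "SHA-256 signature OK ($($sig.Length) bytes)"
    } catch {
        "SHA-256 signature FAILED: $($_.Exception.Message)"
    }
}

# 4. Attempt the handshake with the client certificate at one fixed protocol
#    version, mirroring the IE11 experiment. SecurityProtocol is process-wide.
function Test-ClientAuthHandshake {
    param(
        [string]$Uri,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Net.SecurityProtocolType]$Protocol
    )
    [System.Net.ServicePointManager]::SecurityProtocol = $Protocol
    $req  = [System.Net.HttpWebRequest]::Create($Uri)
    $null = $req.ClientCertificates.Add($Cert)
    try {
        $resp   = $req.GetResponse()
        $result = "$Protocol : HTTP $([int]$resp.StatusCode)"
        $resp.Close()
        $result
    } catch {
        $inner = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        "$Protocol : FAILED - $inner"
    }
}

$smartcard = $candidates | Select-Object -First 1
if ($smartcard) {
    Test-Sha256Signing -Cert $smartcard
    foreach ($p in [System.Net.SecurityProtocolType]::Tls12, [System.Net.SecurityProtocolType]::Tls) {
        Test-ClientAuthHandshake -Uri $Uri -Cert $smartcard -Protocol $p
    }
}
```

Run it from the affected Windows 10 machine and again from a Windows 7 machine that works. If step 3 fails only where the TLS 1.2 handshake fails, the limiting factor is the card provider's signing capability rather than the SHA-1 signature on the certificate itself; if step 3 succeeds everywhere, look at the server's CertificateRequest (a packet capture will show the signature_algorithms it advertises) before concluding the policy change covers client certificates.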