
SHA-1 Deprecation in January 2017

Status
Not open for further replies.

jimbojimbo

Vendor
Jul 2, 2002
1,082
US
SHA-1 certificates are set to be deprecated by every major manufacturer in January 2017 based on the requirements set forth in NIST SP800-131Ar1 and PCI-DSS v3.2. NOTE: TLS 1.2 is not considered mandatory until 2018; however, a mitigation strategy is required. Microsoft, Google, Apple, and Mozilla have all committed to deleting SHA-1 support in their associated browser applications.

Many Avaya products defaulted to utilize SHA-1 certificates and may present challenges in function or access after the first updates of 2017.

I suggest you verify the certificate encryption protocol on all of your servers and upgrade your certificates to SHA-2 soon. Although Avaya has provided clear instruction on upgrading of the Secure Access Link servers they have not presented guidance on most of their other products other than to say don't use the default certificates.
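The check suggested above (verify which signature algorithm each server certificate uses) can be done with `openssl s_client -connect host:443 | openssl x509 -noout -text` and reading the "Signature Algorithm" line. The following is an added example, not part of this thread or of any Avaya tooling: a small pure-Python inspector that reads the outer signatureAlgorithm OID of an X.509 certificate (PEM or DER) and flags SHA-1 and MD5 signatures. The sample certificates it builds are constructed, structurally minimal DER and are not real certificates; the OID table covers the common RSA and ECDSA signature OIDs only.

```python
import base64
import re

# Common signature-algorithm OIDs (PKCS#1 and X9.62 values).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
DEPRECATED_DIGESTS = ("sha1", "md5")


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the length's byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn OID content bytes into dotted notation (first byte packs two arcs, rest are base-128)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data):
    """Accept PEM text (str or bytes) or raw DER bytes; return DER bytes."""
    if isinstance(data, bytes) and data[:1] == b"\x30":
        return data
    text = data.decode() if isinstance(data, bytes) else data
    body = re.sub(r"-----[^-]+-----", "", text)   # strip BEGIN/END armor
    return base64.b64decode("".join(body.split()))


def signature_algorithm(cert):
    """Return (oid, name) of the outer signatureAlgorithm of an X.509 certificate."""
    der = pem_to_der(cert)
    tag, cert_body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert_body, 0)           # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert_body, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = decode_oid(oid_raw)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def is_deprecated_signature(cert):
    """True when the certificate is signed with a SHA-1 or MD5 based algorithm."""
    _, name = signature_algorithm(cert)
    return any(d in name.lower() for d in DEPRECATED_DIGESTS)


# --- constructed sample data (not real certificates) -----------------------
def _der(tag, content):
    """Encode a short-form DER TLV (content under 128 bytes) for the samples."""
    return bytes([tag, len(content)]) + content


def build_sample_cert(oid_bytes):
    """Build a structurally minimal Certificate: placeholder TBS, AlgorithmIdentifier, BIT STRING."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, oid_bytes))
    sig = _der(0x03, b"\x00" + b"\xAB" * 4)
    return _der(0x30, tbs + alg + sig)


SAMPLE_SHA1_CERT = build_sample_cert(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSAEncryption
SAMPLE_SHA256_CERT = build_sample_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
SAMPLE_SHA1_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(SAMPLE_SHA1_CERT).decode()
                   + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, cert in (("sha1 sample", SAMPLE_SHA1_CERT), ("sha256 sample", SAMPLE_SHA256_CERT)):
        oid, name = signature_algorithm(cert)
        print(f"{label}: {oid} ({name}) deprecated={is_deprecated_signature(cert)}")
```

Only the outer signatureAlgorithm is inspected, which is the field browsers evaluate for the SHA-1 sunset; a certificate whose name resolves to "unknown" should be reviewed by hand rather than assumed safe.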
 
Looks like my System Manager and SAL GW web access is all using SHA-2, but when I go to the URL of the CDOM of one of my CMs I see it's using SHA-1. Whatever these have are whatever default came with the system. The expiration dates on these are way out in 2026. Do I need to act on these?
 
Not really. They mean it in terms of the certificates SAL gateways use to get to Avaya over the internet.
Whenever you patch your system platform, it'll use whatever's good with that version, but it isn't related to how Avaya gets to you via SAL.

As time moves along, you might need to tweak your browser to let you in - like with the Diffie-Hellman deprecated thing. But if you use something like Aura web conferencing, you'd want something SHA2 compliant to hand out to users coming in.

But like jimbo said, they don't document it very well across every product, so to get CM or SMGR to offer up a different certificate is a pain and unclear, but not all that necessary. In any case, for us to support older CMs, we'll all need to know the browser hacks to get in to whatever deprecated https a CM release 3, 4 or 5 would use anyway ;)
 
Sorry kyle555, but I have to disagree. Once the browsers/PCs are updated late this year and early next year they should prevent you from navigating to any website using SHA-1 (Microsoft committed to February 2017). So unless you want to maintain an old unpatched PC on your network specifically to access systems with SHA-1 certificates, I would suggest you update your certificate to SHA-2. I typically use the System Manager CA to generate all certificates on the Avaya applications.

I believe this is the Y2K of Internet Security and a billion plus devices globally will have issues. We had our first issue after a customer patched a Windows system in August which killed an application due to SHA-1 certificate issues.

All of the browser vendors have posted relevant information and commitment to deprecate SHA-1 by January 2017.

See the following Microsoft SHA-1 deprecation roadmap update.

 
But if I build a brand new CM 6.3 it installs with its default cert. If the browsers (Chrome, IE, FF) are all going to block the web interfaces to CM/SP, how does Avaya not come up with some patch to remedy that? They plastered the SAL GW changes for a year, but nothing about these other apps.
 
I'm trying to read as much as I can on it, and while browsers will deprecate it, I have to figure there will be a way to still access sites that use them - especially where they're not for a secure web but for accessing an old management interface. But yeah, it might be a VirtualBox with XP on it eventually to get in to the old stuff.
 