
As there is currently a move away from SHA-1 being used as part of TLS, we're examining moving our SSL certificates, used to protect traffic in transit to/from our webservers, to use SHA-2.

However, I'm having trouble finding information on client support. According to this, Windows supports SHA-2 back to XP SP3, but I haven't been able to find definitive information on iOS, Android, and OS X support. Can someone here provide a link to a source on these?

Josh

2 Answers


In SSL there are two areas where SHA-1 or SHA-256 may be used:

  • in the specific entrails of the protocol itself, for the internal "PRF" (a function used during the handshake) and for protecting the integrity of subsequent data exchanges;
  • as part of the signature over the server's certificate, and its CA certificate, and so on.

SSL 3.0, TLS 1.0 and TLS 1.1 use MD5 and SHA-1, not SHA-256. If you want to phase out SHA-1, then you need to switch to TLS 1.2. From this answer and its comments, you can see that support of TLS 1.2 by browsers is not a given, and is slow to percolate throughout the industry. IE on Windows XP will certainly not support TLS 1.2. In particular, many Android-based devices will use old versions of Android and its browser, and won't be updated soon. Fortunately, you can configure your server to advertise TLS 1.2 support but fall back to previous versions if the client does not support it; this is the normal behaviour of an SSL handshake, and should ensure a smooth transition.

What XP+SP3 supports about SHA-256 is the second point: certificates signed with SHA-256 as underlying hash function. This works. This page from digicert (a commercial CA) argues for SHA-256 support, and by that it means SHA-256 support in certificates; when it claims "browser support" it talks about the certificate validation, not TLS 1.2. According to that page, SHA-256 in certificates seems to work "everywhere". They don't say anything about Android, but chances are that Android is up to SHA-256 support, because it has supported SHA-256 internally since day one (it is based on Java, which has known SHA-256 for years).

To sum up: you can use SHA-256 for the certificates; it will work (almost) everywhere. You cannot require TLS 1.2 yet (too many client browsers out there cannot handle it) but you can support it, and decide to prohibit previous versions (those which use SHA-1 internally) at a later date.

Tom Leek
  • Thanks for the feedback. When renewing our SSL certificate with our CA, we are being asked if we want an "SHA-1" or "SHA-2" certificate. In reading your answer, I think this means the "signature over the server's certificate" is generated via SHA-2. However, the certificate itself may be used in conjunction with SSL 3.0, TLS 1.0, 1.1, and 1.2. Have I got that right? – Josh Jan 31 '14 at 19:57
  • The list at digicert is helpful, but it doesn't outline mobile device support. For Safari, they explicitly mention a desktop OS requirement. For Chrome, perhaps both desktop and mobile versions 26+ support SHA-2 signed certificates, but I'm really looking for something that states this clearly. – Josh Jan 31 '14 at 20:10
  • 1
    You get it correctly for the certificate: what happens in the certificates stays in the certificates; thus, a certificate signed with SHA-256 as hash function can be used by a SSL 3.0 server. _Theoretically_, SSL client and server may negotiate the hash functions used in certificates, but in practice the server uses whatever certificate it was configured with, and the client does not mind. – Tom Leek Jan 31 '14 at 21:18
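The two places the answer above distinguishes can be made concrete in code. The following is an added example, not code from the original answers or from any of the products mentioned: it implements the TLS 1.0/1.1 PRF (P_MD5 XOR P_SHA1, RFC 2246) next to the TLS 1.2 PRF (P_SHA256, RFC 5246), and then reads the signatureAlgorithm OID out of a DER certificate to show which hash signed it. The certificates it inspects are constructed DER shells carrying real OIDs, not verifiable certificates; the OID table and the PRF definitions are taken from the RFCs, everything else (function names, the toy certificate layout) is this example's own.

```python
# Added example, not code from the original answers: the two places SHA-1 or
# SHA-256 appear in an SSL/TLS connection, using only the Python stdlib.
#  1. The handshake PRF: TLS 1.0/1.1 split the secret between P_MD5 and
#     P_SHA1 (RFC 2246 section 5); TLS 1.2 uses one P_SHA256 (RFC 5246 section 5).
#  2. The certificate signature: the AlgorithmIdentifier OID in the outer
#     Certificate SEQUENCE names the hash the CA used; that is fixed when the
#     certificate is issued, whatever protocol version later presents it.
import hashlib
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_<hash>(secret, seed) data expansion from RFC 2246/5246 section 5."""
    out = b""
    a = seed                                               # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()        # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2               # halves share one byte when len(secret) is odd
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha1_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))

def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF for the SHA-256 cipher suites: a single P_SHA256 over the whole secret."""
    return p_hash("sha256", secret, label + seed, length)

# Signature algorithm OIDs a server certificate is likely to carry (RFC 3279/4055/5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def der_read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn DER OID content bytes into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                         # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def certificate_signature_algorithm(der):
    """Name the signature/hash algorithm in a DER certificate's outer signatureAlgorithm field."""
    tag, cert, _ = der_read_tlv(der, 0)          # Certificate ::= SEQUENCE { ... }
    assert tag == 0x30
    _, _tbs, pos = der_read_tlv(cert, 0)         # tbsCertificate: skipped here
    tag, alg_id, _ = der_read_tlv(cert, pos)     # signatureAlgorithm AlgorithmIdentifier
    assert tag == 0x30
    tag, oid_bytes, _ = der_read_tlv(alg_id, 0)  # algorithm OBJECT IDENTIFIER
    assert tag == 0x06
    oid = decode_oid(oid_bytes)
    return SIGNATURE_OIDS.get(oid, oid)

def _der(tag, content):
    assert len(content) < 128                    # short-form length suffices for the toy certs
    return bytes([tag, len(content)]) + content

def toy_certificate(oid_bytes):
    """Constructed DER shell with a real signatureAlgorithm OID; not a verifiable certificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))        # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, oid_bytes) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 9)                # placeholder signature BIT STRING
    return _der(0x30, tbs + alg + sig)

SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    secret = bytes.fromhex("9bbe436ba940f017b17652849a71db35")
    seed = bytes.fromhex("a0ba9f936cda311827a6f796ffd5198c")
    print("TLS 1.0 PRF (MD5+SHA-1):", tls10_prf(secret, b"test label", seed, 16).hex())
    print("TLS 1.2 PRF (SHA-256):  ", tls12_prf(secret, b"test label", seed, 16).hex())
    for name, oid in ("SHA-1 cert", SHA1_RSA_OID), ("SHA-2 cert", SHA256_RSA_OID):
        print(name, "is signed with", certificate_signature_algorithm(toy_certificate(oid)))
```

The point of running both halves side by side: swapping the certificate's OID changes only what `certificate_signature_algorithm` reports, while the hash inside the PRF is decided by the negotiated protocol version alone, so a "SHA-2 certificate" from the CA does nothing about the MD5/SHA-1 in a TLS 1.0 handshake. For a real certificate, `openssl x509 -in server.pem -noout -text` shows the same field under "Signature Algorithm".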

Android support of cipher suites (including support for SHA2) can be found here: https://developer.android.com/reference/javax/net/ssl/SSLSocket.html