SSL/TLS – SHA-1 deprecation and SHA-256 Support

Posted by on Jul 27, 2015 in Support Blog


This post is for the information of any customers using SSL/TLS server functionality in NowSMS.

The industry has deprecated the use of SHA-1 signed server certificates in favor of a more secure algorithm known as SHA-256. SHA is a popular hashing algorithm used by the majority of SSL certificates. As computing power has increased, the feasibility of breaking the SHA-1 hash has increased with it. Plans within the industry had been made to transition from SHA-1 to SHA-256; however, with recent announcements from Microsoft and Google about deprecating support for SHA-1 in browsers, this transition has been accelerated.

For more information on this issue, please refer to the following links:

Some older web browsers do not support SHA-256 and will only support SHA-1. A list showing which browsers and operating systems support SHA-256 can be found here: https://support.servertastic.com/sha2-sha256-compatibility/ Assume that versions older than those in that list will not support SHA-256. (Windows XP users who have not upgraded to SP3 make up the majority of those without support.)

Which SHA algorithm is used is decided by the certificate signing request (CSR). An update for NowSMS to generate SHA-256 CSR can be downloaded at http://www.nowsms.com/download/smsssl-sha256.zip

This update is only compatible with 2014 and 2015 versions of NowSMS.

To install the update, stop the NowSMS services and exit NowSMS.

  1. Replace the existing SMSSSL.DLL in the Program Files\NowSMS directory with this version.
  2. If you have not previously requested a signed certificate from a certificate authority, simply go to the SSL/TLS page of the NowSMS configuration, and select “Generate Server Certificate”.

Unfortunately, the change to 2048 bit key requirements will cause problems for renewals for customers that already have an SSL certificate signed by a certificate authority (CA). When your renewal time comes up, many CAs will not renew your certificate until you switch to a SHA-256 signed CSR. However, if you generate a new server certificate request with NowSMS, this forces the existing certificate to be immediately invalidated, which may cause problems for existing clients during the certificate renewal process. (This problem is not specific to NowSMS … many web server administrators are facing similar problems.)

If you face this renewal issue with NowSMS, follow this procedure:

  1. Locate and back up the following NowSMS files (in either Program Files\NowSMS or ProgramData\NowSMS):
     SSL.CRT
     SSL.CSR
     SSL.CA
     SSL.INI
     SSL.KEY
  2. On the “SSL/TLS” page of NowSMS, select the option to “Generate Server Certificate”.
  3. You will be warned that doing this will invalidate your existing certificate. If you have backed up the files mentioned above, select “Yes” to continue.
  4. After the new certificate signing request has been generated, copy the new versions of SSL.CRT, SSL.CSR, SSL.INI and SSL.KEY to a different location for backup. (Note: There will not be an SSL.CA file, as this file will not exist until you get your signed certificate back from the CA.)
  5. Put the old backup copies of these files, including SSL.CA, back in the appropriate NowSMS directory.
  6. Use the new SSL.CSR to request a signed certificate from your CA. When you get the signed certificate back from the CA, save it as SSL.CA.
  7. Copy the new version of these files, including SSL.CA, to the appropriate NowSMS directory and restart the NowSMS services.
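Since the CSR decides which signature algorithm the CA will use, it is worth confirming, before the new SSL.CSR goes to the CA and again when the signed SSL.CA comes back, that the file really carries a SHA-256 signature and a 2048-bit key rather than trusting the generator. The Python script below is an added example and not NowSMS code: it walks the DER structure of a PEM CSR or certificate with a small self-contained parser (no third-party modules), reports the signature algorithm and RSA modulus size, and flags SHA-1 or a key shorter than 2048 bits. The `make_sample_csr` helper is a constructed test input, a structurally valid PKCS#10 shell with a fake modulus and zero-filled signature, included only so the check runs offline; to inspect a real file, pass `open("SSL.CSR").read()` (or the SSL.CA contents, assumed here to be a PEM certificate) to `inspect`.

```python
import base64
import re

# Standard PKCS#1 OIDs for the algorithms this check needs to recognise.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
RSA_OID = "1.2.840.113549.1.1.1"  # rsaEncryption

def der_read(data, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed element's content into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_read(value, pos)
        out.append((tag, child))
    return out

def decode_oid(raw):
    """OID content bytes -> dotted string (base-128 groups, high bit = continue)."""
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def inspect(pem):
    """Signature algorithm, RSA key size and verdict for a PEM CSR (SSL.CSR) or certificate (SSL.CA).
    PKCS#10 and X.509 share the outer shape SEQUENCE { body, signatureAlgorithm, signature },
    and both bodies carry a SubjectPublicKeyInfo, so one walk handles either file."""
    label = re.search(r"-----BEGIN ([^-]+)-----", pem).group(1)
    der = base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))
    body, sig_alg = der_children(der_read(der, 0)[1])[:2]
    oid = decode_oid(der_children(sig_alg[1])[0][1])
    sig_name, key_bits = SIG_ALGS.get(oid, oid), None
    for tag, value in der_children(body[1]):
        kids = der_children(value) if tag == 0x30 else []
        # SubjectPublicKeyInfo is the only SEQUENCE { AlgorithmIdentifier, BIT STRING } in the body
        if [t for t, _ in kids] == [0x30, 0x03] and decode_oid(der_children(kids[0][1])[0][1]) == RSA_OID:
            rsa_seq = der_children(kids[1][1][1:])[0][1]  # [1:] skips the BIT STRING unused-bits byte
            key_bits = int.from_bytes(der_children(rsa_seq)[0][1], "big").bit_length()
    problems = []
    if "sha1" in sig_name.lower():
        problems.append("signed with SHA-1; CAs will not issue or renew against it")
    if key_bits is not None and key_bits < 2048:
        problems.append(f"RSA key is {key_bits} bits; CAs require at least 2048")
    return {"type": label, "signature": sig_name, "key_bits": key_bits, "problems": problems, "ok": not problems}

def der_tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_oid(dotted):
    """Dotted OID -> DER content bytes (inverse of decode_oid)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def make_sample_csr(sig_oid, key_bits):
    """Constructed sample: PKCS#10 shell with an empty subject, a fake RSA modulus of exactly
    key_bits bits and a zero signature. NOT a real CSR; it only exercises the parser."""
    m = ((1 << (key_bits - 1)) | 1).to_bytes((key_bits + 7) // 8, "big")
    if m[0] & 0x80:
        m = b"\x00" + m  # DER INTEGER is signed: keep the modulus positive
    rsa_key = der_tlv(0x30, der_tlv(0x02, m) + der_tlv(0x02, b"\x01\x00\x01"))
    rsa_alg = der_tlv(0x30, der_tlv(0x06, encode_oid(RSA_OID)) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + rsa_key))
    info = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x30, b"") + spki + der_tlv(0xA0, b""))
    sig_alg = der_tlv(0x30, der_tlv(0x06, encode_oid(sig_oid)) + der_tlv(0x05, b""))
    csr = der_tlv(0x30, info + sig_alg + der_tlv(0x03, b"\x00" * 33))
    b64 = base64.b64encode(csr).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    print(inspect(make_sample_csr("1.2.840.113549.1.1.5", 1024)))   # old-style request: two problems
    print(inspect(make_sample_csr("1.2.840.113549.1.1.11", 2048)))  # what CAs now expect
```

`inspect` finds the SubjectPublicKeyInfo by its shape rather than by a fixed position, which is why the same function works on a request and on the certificate the CA returns. It only sizes RSA keys; for any other key type `key_bits` stays `None` and only the signature check applies. An unrecognised signature OID is reported in dotted form instead of a name so that nothing is silently passed.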
