“The remote service uses a known CA certificate in the SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g., MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing the attacker to masquerade as the affected service. Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google’s gradual sunsetting of the SHA-1 cryptographic hash algorithm.” "The following known CA certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak. Subject : C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA Signature Algorithm : SHA-1 With RSA Encryption
Was the site working with SSL prior to adding it to Cloudflare?
I am using the edge certificate provided in Cloudflare, issued via Google Trust Service. Is there anyway to configure the Root CA to use SHA256 as the hashing algorithm?
This is normal, as you can see from the test result there are multiple certificate paths. Path #1 uses more secure signing but requires browsers to have more recent root certificates. Path #2 supports older devices/OSes that don’t have Google’s CA root certificate so it is cross-signed with an older one for backward compatibility (Globalsign’s root R1 is from 1999).
Any customisation of Cloudflare’s SSL certificate issuing requires Advanced Certificate Manager.
As the test result says, it’s not something to worry about. My Cloudflare sites using GTS say the same and all score A+ on SSLLabs tests.
If you already have ACM, use Lets Encrypt as the CA. Since its cross-signing with Identrust expired, clients need LE’s ISRG Root X1 (from 2015) certificate. Older devices without the LE root cert (primarily Android 7 and earlier) won’t be able to access your site if you do this.
[add]
Or, if you have a Business or Enterprise plan, contact a CA to buy a certificate as per your requirements and then you can use that certificate on the Cloudflare edge.
