PCI Compliance Failure - Insecure Certificate Signature Algorithm


#1

Hello

My systems are regularly scanned by Trustwave for PCI compliance and they have today reported that they will no longer accept the SHA1 certificate signing algorithm.

Full details of the error are as follows:

Subject: /O=captive-portal.peplink.com/OU=Domain Control Validated/CN=captive-portal.peplink.com
Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
Certificate Chain Depth: 0
Certificate Signature Alg: sha1WithRSAEncryption

I’m not sure what the devices are using this SSL certificate for, but am I able to replace the certificate with one of my own? Do you have any plans to upgrade the default certificate to a SHA256 signed version?

Regards

Ashley


#2

Hi Ashley,

May I know which model you used to scan? We do have a fix for this.


#3

Thanks for getting back to me.

The issue was seen with both our Peplink 380 and our Peplink 210.

Regards

Ashley


#4

Hello, I’m getting this on my Balance One as well.


#5

Hi Ashley,

Please upgrade to the firmware below:

B380 Hw1-5
http://download.peplink.com/firmware/plb700/fw-b305_380_580_710_1350-6.2.3s012-build3398.bin

B380 Hw6
http://download.peplink.com/firmware/plb2500/fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-6.2.3s012-build1547.bin

B210 Hw2-3
http://download.peplink.com/firmware/plb30/fw-b20_30-6.2.3s012-build3064.bin

B210 Hw4
http://download.peplink.com/firmware/plb1/fw-b1_210hw4_310hw4_hd2mini_hd4-6.2.3s012-build2122.bin


#6

Hi,

Please upgrade to the firmware below:
http://download.peplink.com/firmware/plb1/fw-b1_210hw4_310hw4_hd2mini_hd4-6.2.3s012-build2122.bin


#7

Thank you.


#8

Thanks for the reply

Could you please re-post the link to the new firmware for the B210 Hw2-3 as I believe the link above is incorrect?

Also, do I need to change any settings once I install the new firmware, or should it automatically move over to the SHA256 certificate?

Thanks

Ashley


#9

Hi Ashley,

The download link for B210 Hw2-3 should be working fine now. New firmware will use SHA256 automatically.


#10

Hello

The link in your post from 10/29 above downloads the following file:

fw-b20_30-6.2.3s012-build3064.bin

When I uploaded that file to my B210, it didn’t accept it as valid.

Ashley


#11

Hi Ashley,

Sorry for the confusion. Here you go.

http://download.peplink.com/firmware/plb310/fw-b210_310_hw2_hw3-6.2.3s012-build3064.bin


#12

Hello

Thanks for the new link. I have now upgraded both Peplinks and they are running the new firmware as follows:

Peplink Balance 210: 6.2.3s012 build 3064
Peplink Balance 380: 6.2.3s012 build 3398

Both are running with the Latest (Firmware 6.2+) option set in SpeedFusion > PepVPN Settings for backwards compatibility.

Unfortunately, my systems are still failing the Trustwave PCI scan with the following error:

Insecure Certificate Algorithm in Use

Subject: /O=captive-portal.peplink.com/OU=Domain Control Validated/CN=captive-portal.peplink.com
Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
Certificate Chain Depth: 0
Certificate Signing Algorithm: sha1WithRSAEncryption

i.e. the same error as before.

Ashley
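A way to verify the scan finding above yourself, before and after a firmware upgrade, added here as an example and not code from Peplink or Trustwave: it reads the outer signatureAlgorithm directly out of the DER certificate a TLS endpoint presents and flags sha1WithRSAEncryption. The hostname and port you pass to `check_host` are your own device's; `check_host`, `sample_cert` and the constructed sample structures are my names and test data, not real certificates.

```python
import socket
import ssl

SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SIG_ALG_NAMES = {  # DER-encoded signature algorithm OIDs (RFC 3279 / RFC 4055)
    SHA1_RSA_OID: "sha1WithRSAEncryption",
    SHA256_RSA_OID: "sha256WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",      # 1.2.840.10045.4.1
    bytes.fromhex("2a8648ce3d040302"): "ecdsa-with-SHA256",  # 1.2.840.10045.4.3.2
}
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(der):
    """Name the outer signatureAlgorithm of a DER Certificate, i.e.
    SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, pos, _ = _read_tlv(der, 0)            # outer SEQUENCE
    _, _, tbs_end = _read_tlv(der, pos)      # skip tbsCertificate
    _, alg_pos, _ = _read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, start, end = _read_tlv(der, alg_pos)
    if tag != 0x06:
        raise ValueError("expected an OID inside AlgorithmIdentifier")
    return SIG_ALG_NAMES.get(der[start:end], der[start:end].hex())

def check_host(host, port=443):
    """Fetch the leaf certificate a TLS endpoint presents; return (name, is_weak)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # inspect only
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    name = signature_algorithm(der)
    return name, name in WEAK_SIG_ALGS

def _der(tag, content):  # short-form length only; enough for the samples
    return bytes([tag, len(content)]) + content

def sample_cert(sig_oid):
    """Constructed test data, not a real certificate: empty tbsCertificate,
    AlgorithmIdentifier {sig_oid, NULL} and a dummy BIT STRING signature."""
    alg_id = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00\xff"))
```

Run `check_host("<your captive-portal address>")` against the unit after upgrading; a scanner at chain depth 0 is looking at exactly this leaf certificate, so a result of `("sha1WithRSAEncryption", True)` means the finding will persist.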


#13

Hello

Is there any update on this issue?

Thanks

Ashley


#14

Hi Ashley,

Sorry for the confusion. We will support a new cert signed with SHA256 starting from 6.3.0. v6.3.0 RC will be available by next week.


#15

OK - many thanks

Ashley


#16

Any update?


#17

Hi,

You can download the 6.3.0 RC firmware by using the following URL:

Thank You
Regards,
Sit Loong