EOL of SHA1 Encryption and Windows 2003
NOTE: If you’re running modus on Windows 2008 or Windows 2012, this does not apply to you.
The SHA family of hashing algorithms was developed by the National Institute of Standards and Technology (NIST) and is used to sign the majority of SSL certificates. Presently, the most common of these algorithms is SHA1, which certificate authorities adopted as the successor to MD5 because it was a major advance in cryptographic strength. Over the years, computing power has grown and SHA1 is no longer considered sufficiently secure. As a result, there has been a major push to transition from SHA1 to the stronger SHA2 algorithm. The recent announcements from Microsoft and Google about deprecating support for SHA1 in their browsers have accelerated this transition. There are, however, a few systems that continue to operate using SHA1; this includes most servers running Windows 2003 (not R2). Users who continue to operate with SHA1-signed security certificates can expect to receive security warnings from web browsers by the end of this month (October).
As of January 1st 2017, support for SHA1 will come to an end completely, and it is highly likely that updates will be sent out to all major platforms so that they start returning errors for SHA1 certificates.
“Microsoft’s SHA-1 deprecation plan differs in the activation time and browser behavior. Microsoft’s security advisory on “Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program” informed us that Windows will cease accepting SHA-1 SSL certificates on January 1, 2017. To continue to work with Microsoft platforms, all SHA-1 SSL certificates issued before or after this announcement must be replaced with a SHA-2 equivalent by January 1, 2017. The SHA-1 deprecation plans also impact SHA-1 intermediate certificates; SHA-2 end-entity certificates must be chained to SHA-2 intermediate certificates to avoid the adverse browser behaviors described above. SHA-1 root certificates are not impacted.” -- From Symantec’s website.
The problem with this is that an unpatched vanilla Windows 2003 server does not support SHA2 natively. Even a patched Windows 2003 does not support SHA2. To be able to support SHA2 you need to be running Windows 2003 R2 SP2, fully patched.
“Windows users do not need to do anything in response to this new technical requirement – Windows XP Service Pack 3 supports SHA2 SSL certificates, and Windows Server 2003 Service Pack 2 or later add SHA2 functionality to SSL certificates by application of hotfixes (KB968730 and KB938397).”
In other words, if you’re running Windows 2003 R2 SP2 or better with the related hotfixes, you should be fine. However, you should verify your current certificates to confirm whether they are signed using SHA1 or SHA2.
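One way to perform the certificate check described above, as an added example that is not Vircom’s or Microsoft’s code: a dependency-free Python routine that reads the signatureAlgorithm OID out of a DER-encoded certificate and flags SHA1 (or MD5) signatures. The two sample inputs are constructed certificate skeletons, not real certificates; the OID table holds the standard PKCS#1 and X9.62 values.

```python
# Standard signature-algorithm OIDs (PKCS#1 / X9.62) and their names.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # a clear high bit ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Name of signatureAlgorithm in Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }."""
    _, cert, _ = _tlv(der, 0)                # outer SEQUENCE
    _, _, pos = _tlv(cert, 0)                # skip tbsCertificate
    _, sigalg, _ = _tlv(cert, pos)           # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(sigalg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    dotted = _decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)      # unknown OIDs come back in dotted form

def needs_replacement(der):
    """True when the certificate is signed with SHA1 or MD5 and must be reissued under SHA2."""
    return any(h in signature_algorithm(der).lower() for h in ("sha1", "md5"))

def _der(tag, body):                         # short-form DER TLV (body < 128 bytes), samples only
    return bytes([tag, len(body)]) + body

def sample_cert(oid_hex):
    """Constructed skeleton, NOT a real certificate: empty tbsCertificate, {oid, NULL}, empty BIT STRING."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))

SAMPLE_SHA1 = sample_cert("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SAMPLE_SHA256 = sample_cert("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
```

For a real certificate exported from the server, pass the bytes of the .cer/.der file to `signature_algorithm`; a PEM file must have its armor lines stripped and its body base64-decoded first.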
If you’re not patched, you really should start updating your Windows 2003 R2 with the latest service packs and security fixes. According to GlobalSign, to support SHA2 (SHA-256) on Windows 2003 you need Windows 2003 R2 SP2 plus MS13-095 (KB2868626).
KB2868626 should already be installed if your server goes through the normal Windows Update process.
1 - What does all of this mean as a Vircom customer?
For modus users running Windows 2003 "Vanilla":
Any version of modusGate/modusMail on Windows 2003 will, as of January 01, 2017, no longer receive Anti-Virus and Anti-Spam definitions, which means that your email servers and infrastructure will be exposed to malware threats.
It is strongly advised that you migrate off of Windows 2003 as soon as possible. The operating system itself is not supported by Microsoft at this point and Vircom has discontinued support for Windows 2003.
2 - Windows 2003 R2 SP2 (fully patched)
Clients using Windows 2003 R2 SP2 with all the updates will not be affected by these changes. Our testing indicates that modus has no issues getting updates from SHA2-based update servers. However, upgrading to the latest version of modusGate/modusMail (6.2 and higher) will no longer be possible on a Windows 2003 server.
Windows 2003 is still EOL by Microsoft and we strongly recommend that you migrate to Windows Server 2008 or 2012.
3 - Need help to migrate modusGate/modusMail?
Vircom can assist you with your migration. We have a vast amount of experience with this and if you do not wish to move to a new server, we can also move you to our cloud spam filtering service as an alternative (for those running modusGate).
Please contact our Professional Services team to schedule a time and cost for your migration. We've performed hundreds of migrations professionally so that the process is simple and painless for you.
Please do not hesitate to contact us if you have any questions at +1.888.484.7266.