With the release of Carbon Black EDR version 7.8.0, Carbon Black EDR recommends using a system-provided FIPS-compliant OpenSSL version of at least 1.1.1 together with OpenResty built with Nginx version 1.21.4 on EL 8 systems.

Note: Some certificates might be incompatible with new OpenSSL versions.
Table 1. Compatibility Criteria
Certificate Purpose To state their usage, certificates must use Key Usage and Extended Key Usage (EKU) extensions.
Certificate Signing Algorithms
  • SHA-256 (Secure Hash Algorithm 256-bit)
  • SHA-384 (Secure Hash Algorithm 384-bit)
  • SHA-512 (Secure Hash Algorithm 512-bit)
Certificate Asymmetric Encryption Algorithm RSA with a minimum key size of 2048 bits

OpenSSL 1.1.1 does not reject certificates signed by the SHA-1 algorithm, but the use of SHA-1-signed certificates is less secure than higher-bit hash algorithms.

The primary security issues associated with SHA-1 are as follows:

  • Collision Attacks: SHA-1 is vulnerable to collision attacks, where two different inputs can produce the same hash value. This weakness allows an attacker to create a fraudulent certificate that has the same hash as a legitimate certificate, leading to the possibility of impersonation or man-in-the-middle attacks.
  • Weakening of RSA Security: SHA-1 is used in conjunction with the RSA encryption algorithm for signing certificates. The vulnerability of SHA-1 affects the overall security of the RSA signature scheme, potentially weakening its resistance against attacks.
  • Industry Deprecation: Because of security concerns, major industry bodies and browser vendors have deprecated the use of SHA-1-signed certificates. Modern web browsers and operating systems no longer consider certificates signed with SHA-1 as secure, and can display warnings or errors when encountering such certificates.
  • Compliance Requirements: Compliance frameworks and security standards such as the Payment Card Industry Data Security Standard (PCI DSS) and the National Institute of Standards and Technology (NIST) guidelines explicitly discourage or prohibit the use of SHA-1-signed certificates.