
Expressway application vulnerability: SSL certificate is supporting TLS 1.0 and SHA1

ccg-collab1
Level 2

Hi All,

 

We have Expressway Edge and Core, and their current version is 8.8. The security team told us that they received a notification that the SSL certificate is supporting TLS 1.0 and SHA1, which has a bad rating for vulnerability. May we know how we can address it?

 

I tried searching for the latest version of Expressway, which is 8.10.2, and found the information below.

[Image: 8.10.2 tls info.JPG]

 

From the version 8.8 release notes, I have seen the information below.

[Image: 8.8 tls info.JPG]

 

We would appreciate it if you could help us resolve or address this vulnerability issue regarding the SSL certificate. Can we disable TLS 1.0 and SHA1, or do we need to upgrade the version of Expressway to 8.10.2?

 

Thank you.

 

4 Replies

Patrick Sparkman
VIP Alumni
I recommend you upgrade to the most recent software version if you can, to take advantage of new features and security patches. If you upgrade to X8.10 or later, you can set the minimum TLS version to 1.2. The SHA level for the certificate is set by the CA that signed the certificate; you should request a new certificate if your current one uses SHA1, which isn't supported anymore.

Hi Patrick,

 

Thank you so much for the recommendation. Am I correct to say that we can directly upgrade from X8.8 to X8.10.2?

Yes, you can upgrade directly, and no release key isn't required.

Great. Thank you so much. We will try to upgrade the Expressway and update this discussion once done.
