Use the TCPIP OPTION command to enable or disable the SHA-1 Hash Algorithm.
The National Institute of Standards and Technology (NIST) recommends that, beginning January 1, 2017, certificates generated with older digest algorithms such as SHA-1 no longer be used. However, some legacy systems might still require SHA-1 support. The SHA1 system-level TCP/IP option controls whether the SHA-1 hash algorithm is accepted for certificates.
Note: Use the NW TCPIP STATUS SSL inquiry to ensure that SSL encryption is enabled and to view the list of supported SSL versions and ciphers.
To enable the SHA-1 hash algorithm, enter the following:
NW TCPIP OPT + SHA1
To disable the SHA-1 hash algorithm, enter the following:
NW TCPIP OPT - SHA1
The default state is disabled.
When the SHA1 option is disabled and a SHA-1 signed certificate is used, the following security error message is displayed:
The system is trying to use a SHA-1 signed certificate when SHA-1 is disabled on the system. Only SHA-256 signed certificates are valid. Please check the certificate being used for the connection before continuing. SHA1 may be enabled with the ODT NW TCPIP OPT + SHA1 although this is not recommended.
To verify the certificate properties, examine the log for the certificate information. For example:
20:16:50.3136 2619 TCPIP SSL Certificate accepted from 192.62.159.97, SUBJECT= C=US, S=PA, L=MAVLERN, O=UNISYS, OU="MCAPI+S+SOCKETS+SOCKETSERVER", CN=ustrmcp0097.tr.unisys.com, E=xyz@unisys.com, ISSUER= CN+ MCPSECURITYCA-SHA256, Keylength= 2048 bits, IntendedKeyUsage=0, Digest Algorithm = SHA-256, Signature Algorithm = RSA
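As an added illustration (not part of the Unisys documentation), the following script audits "TCPIP SSL Certificate accepted" log lines in the format shown above and flags certificates that still carry a SHA-1 (or MD5) digest, which is the condition that produces the error message when the SHA1 option is disabled. The sample log lines, the example.test names and the 192.0.2.x addresses are constructed; the minimum key-size check is an extra check of the author's own and is not stated on the page.

```python
import re

# Field patterns for a "TCPIP SSL Certificate accepted" log line in the format shown on this page.
PEER_RE = re.compile(r"Certificate accepted from (\S+),")
CN_RE = re.compile(r"\bCN=([^,]+)")  # the first CN= on the line is the SUBJECT CN
KEYLEN_RE = re.compile(r"Keylength=\s*(\d+)\s*bits")
DIGEST_RE = re.compile(r"Digest Algorithm\s*=\s*([^,\s]+)")

WEAK_DIGESTS = {"SHA-1", "MD5"}  # digests NIST no longer allows for certificate signatures
MIN_KEY_BITS = 2048              # additional key-size check, not something the page states

def parse_cert_line(line):
    """Return a dict of the fields of interest, or None if the line is not a certificate event."""
    hits = [r.search(line) for r in (PEER_RE, CN_RE, KEYLEN_RE, DIGEST_RE)]
    if not all(hits):
        return None
    peer, cn, keylen, digest = hits
    return {"peer": peer.group(1), "cn": cn.group(1).strip(),
            "key_bits": int(keylen.group(1)), "digest": digest.group(1)}

def findings(cert):
    """Policy violations for one parsed certificate event (empty list if acceptable)."""
    out = []
    if cert["digest"].upper() in WEAK_DIGESTS:
        out.append(f"weak digest {cert['digest']}")
    if cert["key_bits"] < MIN_KEY_BITS:
        out.append(f"short key {cert['key_bits']} bits")
    return out

def audit_log(text):
    """Return (cn, peer, findings) for every accepted certificate that violates the policy."""
    flagged = []
    for line in text.splitlines():
        cert = parse_cert_line(line)
        if cert and findings(cert):
            flagged.append((cert["cn"], cert["peer"], findings(cert)))
    return flagged

# Constructed sample lines in the page's log format (example.test names, documentation IPs).
SAMPLE_LOG = """\
20:16:50.3136 2619 TCPIP SSL Certificate accepted from 192.0.2.10, SUBJECT= C=US, O=EXAMPLE, OU="APPS", CN=app1.example.test, ISSUER= CN=EXAMPLECA-SHA256, Keylength= 2048 bits, IntendedKeyUsage=0, Digest Algorithm = SHA-256, Signature Algorithm = RSA
20:17:02.0011 2620 TCPIP SSL Certificate accepted from 192.0.2.11, SUBJECT= C=US, O=EXAMPLE, CN=legacy.example.test, ISSUER= CN=OLDCA-SHA1, Keylength= 1024 bits, IntendedKeyUsage=0, Digest Algorithm = SHA-1, Signature Algorithm = RSA
20:17:09.4420 2621 TCPIP SSL Handshake complete with 192.0.2.11
"""

if __name__ == "__main__":
    for cn, peer, problems in audit_log(SAMPLE_LOG):
        print(f"{cn} from {peer}: {', '.join(problems)}")
```

Run it against an exported TCP/IP log instead of SAMPLE_LOG to list the peers whose certificates must be re-issued with SHA-256 before the SHA1 option is left disabled.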