The other day we did some routine updates on expiring SSL certificates. Today we got a few reports from SMTP AUTH customers about devices (office multifunction copiers, UPS management cards, etc.) failing to communicate with the SMTP AUTH service. The problem turned out to be the renewed certificate, which is signed with SHA256. Those devices simply can’t validate a SHA256-signed cert.
A while back it was determined that SHA1 is “weak” and could become exploitable, although at the time we’re writing this no successful real-world attacks have been discovered. As such, certificate authorities now only issue SHA256 certificates. Unfortunately, for older devices and embedded devices like the aforementioned office copier (and by copier we are referring to big floor-standing ones like a Ricoh or Xerox, not some cheap inkjet printer-scanner-copier), updating the firmware isn’t like installing an OS update on your computer. Things like that usually only get replaced as they come off-lease.
We understand that people aren’t just going to trash their devices for SHA256 support, so we’ve decided to add an alternate SHA1 endpoint to the SMTP AUTH server. If your device can’t connect to smtpauth.rollernet.us using SSL/TLS, try using smtpauth-sha1.rollernet.us instead. We believe this is a better option than disabling SSL/TLS: irrespective of how “weak” SHA1 could be at this point, our opinion is that it’s still better than plaintext at this time.
There are some encryption types that are practically plaintext – like WEP or original DES – but SHA1 isn’t that bad (yet, possibly, maybe someday, maybe never).
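To tell which certificate a device is actually being handed, here is an added Python example (not code from the original post or from the service operator): it reads the signatureAlgorithm OID straight out of a DER-encoded X.509 certificate, and `peer_cert_der()` fetches that certificate from a mail server after STARTTLS. Port 587 and STARTTLS are assumptions about the SMTP AUTH service, and `fake_cert()` builds a constructed stand-in so the parser can be exercised offline.

```python
import smtplib
import ssl

# Standard PKCS#1 signature-algorithm OIDs; the two this post is about.
SIG_ALG_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
SHA1_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def _read_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)       # base-128; high bit set = more bytes follow
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Name (or dotted OID) of the outer signatureAlgorithm of a DER X.509 certificate."""
    _, pos, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE {
    _, _, tbs_end = _read_tlv(der, pos)         #   tbsCertificate  (skipped whole)
    _, alg_pos, _ = _read_tlv(der, tbs_end)     #   signatureAlgorithm ::= SEQUENCE {
    tag, start, end = _read_tlv(der, alg_pos)   #     algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(der[start:end])
    return SIG_ALG_NAMES.get(oid, oid)

def peer_cert_der(host, port=587):
    """Cert a mail server presents after STARTTLS (port 587 is an assumption).
    Verification is off on purpose: this inspects the cert, it does not trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)

def _der(tag, content):                         # minimal DER encoder (short-form lengths only)
    return bytes([tag, len(content)]) + content

def fake_cert(sig_oid):
    """Constructed stand-in: a real certificate's outer shape with an empty body."""
    alg = _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))
```

`signature_algorithm(peer_cert_der("smtpauth.rollernet.us"))` shows what a device connecting to the main host sees; the same call against smtpauth-sha1.rollernet.us should report sha1WithRSAEncryption if the alternate endpoint is what the device needs.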