Papertrail

The revolution will be verbosely {,b}logged

April 14: New SHA-2 TLS certificate for log destinations

Posted by @troyd on

On Thursday, April 14, 2016, Papertrail will deploy a new SHA-2 (SHA-256) TLS/SSL certificate for its syslog destinations, replacing the current SHA-1 certificate.

Update 2016-04-25

On April 14, Papertrail deployed a new SHA-2 certificate, discovered that older versions of remote_syslog2 (0.13 and prior) did not accept the certificate, and reverted to the prior SHA-1 certificate.

Part of our job is to be our customers’ eyes and ears for changes like this. To that end, Papertrail will:

  • present the new SHA-2 certificate for about 6 hours on April 27, 2016
  • log all failed connection attempts due to TLS negotiation failures
  • revert to the existing SHA-1 certificate
  • email affected customers

The certificate will be deployed permanently on ​*Wednesday, May 4​*, 2016.

If we can answer any questions or help, let us know.

Update 2016-04-14

During the migration, we were reminded that older versions of remote_syslog2 pre v0.14 don’t support SHA-2. Based on this new information, we are reverting the TLS certificate and will post a revised deployment plan next week.

Impact

For nearly all senders and all common log senders (including remote_syslog2 and rsyslog), this will be a non-event. OpenSSL has supported SHA-2 since 0.9.7m and enabled SHA-2 by default beginning with 0.9.8l (released on 2009-11-05).

The only senders which Papertrail knows do not accept SHA-2 (SHA-256) certificates are those running:

Windows 8, 7, Vista, Server 2012, and Server 2008 are not affected.

Why is this necessary?

The Wikipedia entry for SHA-2 explains the reason for this change:

Although (as of 2015) no example of a SHA-1 collision has been published yet, the security margin left by SHA-1 is weaker than intended, and its use is therefore no longer recommended for applications that depend on collision resistance, such as digital signatures.

Papertrail’s Web site already serves a SHA-2 certificate. This change only affects Papertrail’s syslog endpoints.

Questions

If we can help test an old device or otherwise save you time, we’re at your service: support@papertrailapp.com.