On Thursday, April 14, 2016, Papertrail will deploy a new SHA-2 (SHA-256) TLS/SSL certificate for its syslog destinations, replacing the current SHA-1 certificate.
On April 14, Papertrail deployed a new SHA-2 certificate, discovered that older versions of remote_syslog2 (0.13 and prior) did not accept the certificate, and reverted to the prior SHA-1 certificate.
Part of our job is to be our customers’ eyes and ears for changes like this. To that end, Papertrail will:
- present the new SHA-2 certificate for about 6 hours on April 27, 2016
- log all failed connection attempts due to TLS negotiation failures
- revert to the existing SHA-1 certificate
- email affected customers
The certificate will be deployed permanently on *Wednesday, May 4*, 2016.
If we can answer any questions or help, let us know.
During the migration, we were reminded that older versions of remote_syslog2 pre v0.14 don’t support SHA-2. Based on this new information, we are reverting the TLS certificate and will post a revised deployment plan next week.
For nearly all senders and all common log senders (including remote_syslog2 and rsyslog), this will be a non-event. OpenSSL has supported SHA-2 since 0.9.7m and enabled SHA-2 by default beginning with 0.9.8l (released on 2009-11-05).
The only senders which Papertrail knows do not accept SHA-2 (SHA-256) certificates are those running:
Windows 8, 7, Vista, Server 2012, and Server 2008 are not affected.
Why is this necessary?
The Wikipedia entry for SHA-2 explains the reason for this change:
Although (as of 2015) no example of a SHA-1 collision has been published yet, the security margin left by SHA-1 is weaker than intended, and its use is therefore no longer recommended for applications that depend on collision resistance, such as digital signatures.
Papertrail’s Web site already serves a SHA-2 certificate. This change only affects Papertrail’s syslog endpoints.
If we can help test an old device or otherwise save you time, we’re at your service: firstname.lastname@example.org.