SHA-2 based digital certificates do not work. (28 Comments)

Issue report by Nick Lowe

Product

FileMaker Server

Version

13v4

Operating system version

Windows Server 2012 R2

Description of the issue

SHA-1 has been deprecated from its use in digital certificates by Microsoft, Google and Mozilla who collectively develop and maintain the majority of Web browsers that are in use worldwide.

This is because they believe it to be insecure. Going forward, CAs will issue SHA-2 based certificates by default and will soon no longer issue SHA-1 based certificates at all.

SHA-2 is the replacement and FileMaker needs to support this to interoperate with the modern secure Web.

For background information on why this is needed and why it must be treated as a bug and blocking issue, see:

https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

http://googleonlinesecurity.blogspot.sg/2014/09/gradually-sunsetting-sha-1.html

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates

Steps to reproduce the problem

Attempt to install a SHA-2 (SHA-256) based certificate in to FileMaker 13 from one of the major CAs.

Expected result

It should be possible to install and use a SHA-2 based certificate in to FileMaker from one of the major CAs.

Actual result

It is not possible to install and use a SHA-2 based certificate in to FileMaker from one of the major CAs.