On Thu, Nov 01, 2018 at 09:52:12PM +0100, Sebastian Andrzej Siewior wrote:
> |$ openssl x509 -in 912604.cert -text | grep Signature
> |    Signature Algorithm: sha1WithRSAEncryption
> |    Signature Algorithm: sha1WithRSAEncryption
>
> The point is that your server certificate is signed with SHA1 while
> the minimum is SHA256. Please note that all publicly issued certificates
> are signed with SHA256 these days.
>
> I would suggest a *note* in burp to notify users of burp which created
> self-signed certificates with pre-Buster machines that they might need
> to recreate their certificate if it is signed with SHA1. Thus
> reassigning to burp.
> I just tried the Buster version of burp and myClient.crt, myServer.crt
> and CA_myCA.crt is signed with SHA256. I would assume that the script
> does not set the signing method and the default is used which changed.

As far as I know, the default in stretch should also use sha256, most
likely those certificates are older.

Kurt
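
A way to run the check quoted above across several certificate files at once, as an added example that is not part of the original thread or of burp. The function names and the sample excerpt are constructed here; the file names in the usage line are the ones mentioned in the quoted message.

```shell
#!/bin/sh
# Added example: flag certificates signed with a hash weaker than SHA256.

# Print the signature algorithm from `openssl x509 -text` output on stdin.
# The name appears twice (inside the signed data and on the outer
# signature), as in the grep output quoted above; the first one is enough.
sig_alg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Return 0 when the OpenSSL algorithm name uses MD5 or SHA1,
# e.g. sha1WithRSAEncryption, ecdsa-with-SHA1, md5WithRSAEncryption.
is_weak_sig_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        md5*|sha1*|*sha1) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit PEM files: one line per file, status 1 if any needs re-issuing.
audit_certs() {
    rc=0
    for f in "$@"; do
        alg=$(openssl x509 -in "$f" -noout -text 2>/dev/null | sig_alg_from_text)
        if [ -z "$alg" ]; then
            printf 'SKIP  %s (not a readable certificate)\n' "$f"
        elif is_weak_sig_alg "$alg"; then
            printf 'WEAK  %s  %s\n' "$alg" "$f"; rc=1
        else
            printf 'ok    %s  %s\n' "$alg" "$f"
        fi
    done
    return "$rc"
}

# Constructed excerpt of `openssl x509 -text` output, for offline checking.
sample_text() {
    cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = example-ca
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

# Usage: sh audit.sh myClient.crt myServer.crt CA_myCA.crt
[ "$#" -eq 0 ] || audit_certs "$@"
```

RSA-PSS certificates report `rsassaPss` with the hash listed in separate parameters, which this name-based check does not inspect.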