Check your apps: SSL SHA-256 certificate rollout in progress


Mark McDonald

Jul 1, 2015, 1:44:26 AM
to google-p...@googlegroups.com, google-maps...@googlegroups.com, google-maps-ap...@googlegroups.com

Hi,


We’d like to inform you of a Google infrastructure change that may impact your applications, unless you upgrade your SSL client to one that supports SHA-256. If you do not use the Google Maps APIs over SSL (HTTPS), you can stop reading now¹.


As announced in September 2014 on the Google Online Security blog, we are progressively sunsetting the use of the SHA-1 signing algorithm in the SSL certificates used by Google servers.

This update is currently in progress: some Google servers have moved to 100% SHA-256. It is expected that Google servers will serve a majority of SHA-256 certificates in the coming weeks.


Your applications may be impacted by this change if your HTTPS clients do not support SHA-256.


Get ready for the change!

You can check that your clients are ready for SHA-256 by making an HTTPS call, from your application’s networking stack, to:

https://cert-test.sandbox.google.com

This domain only answers with SHA-256 certificates.


You can anticipate issues by checking online which SSL clients support SHA-256.


If you are having issues…

If your client does not support SHA-256, you may receive errors like “corrupt SSL certificate” or “Unknown SSL error”. In that case, you can confirm that you are hitting a SHA-256 server by:

  • getting the IP that you are connecting to (e.g. with a ping, or DNS resolution, from your server)

  • issuing an openssl command like:

$ openssl s_client -connect [IP that you are connecting to]:443 < /dev/null 2>/dev/null | openssl x509 -text | grep "Signature Algorithm"


Expected result:

  • If a SHA-256 certificate is served:
    Signature Algorithm: sha256WithRSAEncryption

  • If a SHA-1 certificate is served:
    Signature Algorithm: sha1WithRSAEncryption


If you think that SHA-256 certificates are causing the issue, please contact your HTTPS client provider and upgrade to a version that supports SHA-256.


If you have any questions related to this change, please take a look at the support channels available.


Thanks,

The Google Maps API support team


¹ If you aren't using HTTPS to connect to the Google web service APIs, you should review this video to understand why it is important, and review how to configure HTTPS correctly.
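
The openssl check described in the message above, applied to every address a hostname resolves to, since during a progressive rollout different servers may still serve different certificates. This is an added example, not part of the original announcement; the function names and the sample certificate text are constructed, and it assumes an `openssl` binary and glibc's `getent` are available.

```shell
#!/bin/sh
# Added example. Function names and the sample text below are constructed.

# Read `openssl x509 -text` output on stdin; print sha256, sha1, other or none.
classify_sigalg() {
    # The field is printed twice (signed part and outer wrapper); take the first.
    alg=$(awk -F': ' '/Signature Algorithm:/ { print $2; exit }')
    case "$alg" in
        sha256*|ecdsa-with-SHA256*) echo sha256 ;;
        sha1*|ecdsa-with-SHA1*)     echo sha1 ;;
        "")                         echo none ;;   # no certificate was parsed
        *)                          echo other ;;
    esac
}

# Classify the certificate served by one IPv4 address. The optional second
# argument is sent as SNI (-servername), because a connection made to a bare
# IP carries no server name and may be answered with a default certificate.
check_ip() {
    ip=$1; name=${2:-}
    openssl s_client -connect "$ip:443" ${name:+-servername "$name"} \
        </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | classify_sigalg
}

# Check every IPv4 address a name resolves to and print "<ip> <result>".
# Assumption: glibc `getent ahostsv4` is available for the lookup.
audit_host() {
    host=$1
    getent ahostsv4 "$host" | awk '{ print $1 }' | sort -u |
    while read -r ip; do
        printf '%s %s\n' "$ip" "$(check_ip "$ip" "$host")"
    done
}

# Constructed sample of `openssl x509 -text` output, for an offline check.
SAMPLE_SHA256='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Test CA
    Signature Algorithm: sha256WithRSAEncryption'

# With a hostname argument, audit it; otherwise classify the sample.
if [ $# -gt 0 ]; then
    audit_host "$1"
else
    printf '%s\n' "$SAMPLE_SHA256" | classify_sigalg
fi
```

A result of `none` for an address means no certificate could be read from it, which is different from a SHA-1 result and usually points to a connection problem.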




