sha1 certitifcate

[Hyper200]

Azure flexiable server is deployed with a sha1 certitifcate for TLS connectivtiy.

https://learn.microsoft.com/en-us/answers/questions/1199915/certificates-do-not-conform-to-algorithm

sha1 certitifcates has been unsupported and depreaced since 2021
(https://learn.microsoft.com/en-us/lifecycle/announcements/sha-1-signed-content-retired)

Can this be upgraded to sha256?

[pjanuario]

The usage of this SHA1 certificates causes several issues on java codebases (such as Keycloak, Debezium).

The problem is caused by Oracle disabling hash algorithms which are no longer considered to be secure. Take a look at JRE_HOME/lib/security/java.security It contains the following properties:

• jdk.certpath.disabledAlgorithms
• jdk.tls.disabledAlgorithms

[wirowka]

@msftgits - can we have an update on this issue?

[javafrog]

This is becoming an issue for us as well!
We have to manually patch Keycloak to support an insecure algorithm to be able to work with Azure Database for PostgreSQL flexible server.

Please do address this security issue.

[Erikvv]

Theres a notification in Azure Portal that they're changing the root CA this month.

[TAC911]

Is there a specific date when the change will be completed?

[marcinkwapiszcomarch]

Hi, the problem is still there, is there any way to force the rotation of the certificate? Or when all instances will have new certificate?

[oldboys92]

indeed this issue is still existing after years of deprecation by the JAVA community.

[fhoffm]

Is there any update on this?
We are facing the issue with a Azure flexible server mysql instance.
Spring Boot services may connect but Keycloak is only working if the cypher is reduced to SHA1.

[Pilleo]

The same issue with MySQL

[riccardopulcini]

Any news?

[TideSupreme]

We had this issue for the past year and applied the "problematic" workaround to fix it. We've just retested and it seems this is now miraculously fixed. Microsoft have probably updated the certificates.