2015/05/13 2:00 PM PST - Updated 2015/09/29
Certificate Authorities (CAs) and browser manufacturers such as Google and Microsoft are retiring support for SHA1 as a hashing algorithm used to sign SSL/TLS certificates (for more information, see the CA/Browser Forum post). Because of this, AWS will also be retiring use of SHA1 for digital signatures in SSL/TLS certificates by September 30, 2015 and will be upgrading to the SHA256 hash algorithm for SSL/TLS. This means that customers accessing AWS webpages via HTTPS (for example, the AWS console, customer portal, or homepage) or accessing AWS API endpoints, whether through browsers or programmatically, will need to make sure they’re using the latest certificate bundles on their client machines.
Updating Your Client Browser
You can update the certificate bundle in your browser simply by updating your browser. Instructions for the most common browsers can be found on the browsers’ websites: Chrome, FireFox, and Safari. Certificate bundles for Internet Explorer are managed by the Windows OS, so ensure that you update the OS as well.
You can see a list of common browsers and the versions that support SHA2 (the family of hash functions that includes SHA256) here.
Many customers have already updated their browsers and should have no problem accessing AWS endpoints after this change is made. Customers who have not updated their browsers should do so as soon as possible. Customers who are not sure if they are using a browser with the latest certificates can navigate to a test endpoint that AWS has set up: https://www.amazonsha256.com. If your browser supports SHA256, you should see a message that the negotiation was successful.
Testing Your Programming Language
If you access AWS programmatically, you can download a zip file containing test scripts for supported languages and execute it with the instructions below. If no errors are displayed, your software is compatible with our new certificates. Otherwise, you will need to update your certificate bundles. For other languages, you will need to write a test that performs an HTTPS GET to https://www.amazonsha256.com and validate that the TLS handshake succeeds.
Download the zip file containing the test scripts here.
After downloading the zip file and extracting the Java script, execute it by running:
$ javac ShaTest.java
$ java ShaTest
After downloading the zip file and extracting the Ruby script, execute it by running:
$ ruby shaTest.rb
After downloading the zip file and extracting the PHP script, download the latest phar release: https://github.com/aws/aws-sdk-php/releases/download/2.8.1/aws.phar and save it in the same directory as shaTest.php
Execute the PHP script by running:
$ php shaTest.php
After downloading the zip file and extracting the script, execute it by running:
$ node shaTest.js
After downloading the zip file and extracting the Python script, execute it by running:
$ python shaTest.py
.NET customers on Windows 2003 or later are not impacted as long as the latest updates from Windows Update are installed.