SHA-1 Deprecation on CDN

To improve internet security, SSL Certificate Authorities (CAs) and browser manufacturers (Chrome, Firefox, Explorer, etc.) are retiring support for some older hashing algorithms used to sign website SSL certificates. Our CDN partner will follow suit and start retiring these algorithms by December 27, 2016. This means that customers accessing Rackspace CDN or Cloud Files CDN via HTTPS need to ensure they are using the latest certificate bundles on their client machines.

Who Does This Affect?

Most users will not be affected by this, as the retirement of SHA-1 has been built into all up-to-date common web browsers. Any users who have not updated their browsers may have problems accessing CDN endpoints after this change is made. It is important to note that this will impact both Rackspace customers (those who pay us directly to host their content on the CDN) and the end users of our customers (our customers’ customers). We recommend proactively contacting your user base to help them understand the importance of using modern web browsers, and using this documentation to answer any questions they have regarding this change.

Verifying your Client Browser

Those who are not sure whether they are using a browser with the latest certificates can navigate to a test endpoint: https://www.akamai.com. If your browser supports SHA256, you should see a message that the negotiation was successful. If you are unable to access this website, please read the section below about updating your client browser.

Updating Your Client Browser

You can update the certificate bundle in your browser simply by updating your browser. Google provides a free tool to check your current browser, learn more about the importance of keeping your browser up-to-date, and download the latest versions of other browsers. Additionally, instructions for installing the most common browsers can be found on their websites: Chrome, Firefox, and Safari.

Certificate bundles for Internet Explorer are managed by the Windows OS, so ensure that you update the OS as well.


The Details

You can see a list of common browsers and the versions that support SHA2 (the family of hash functions that includes SHA256) here.

Rackspace CDN and Cloud Files

On December 27, 2016, our CDN partner will retire SHA-1 on their non-security hardened network. Customers who have set up Cloud Files CDN-enabled containers and are referencing the Cloud Files HTTP CDN Domain URL with HTTPS will no longer have SHA-1 as an option. This change will not affect the Cloud Files CDN HTTPS URLs or Rackspace CDN with the Shared, SAN, or Custom SSL options.