The Finnish Digital Agency's time stamping service (TSA) will no longer accept time stamping requests made with the SHA-1 hash algorithm

The Finnish Digital Agency's time stamping service (TSA) will no longer accept time stamping requests made with the SHA-1 hash algorithm. In the Data Exchange Layer test environment (FI-TEST), the support ends on the 14th of August 2024, and in the production environment (FI) on the 28th of August 2024.

The security servers use SHA-512 hash algorithm for timestamping requests by default. Therefore, the change is by default invisible to Data Exchange Layer users. Security server administrators may, however, have also set the value to either SHA-1 or SHA-256 in the security server local configuration. You can check the value used in your security server with the instructions below:

If the file "/etc/xroad/conf.d/local.ini" does not have the configuration line below, the security server uses the default SHA-512 algorithm.

[message-log]
hash-algo-id=SHA-1

If the above configuration is found in the file, fix the situation by switching to use the default algorithm according to the instructions below:

1. Remove the line "hash-algo-id=SHA-1" from the file "/etc/xroad/conf.d/local.ini".
2. Restart the process xroad-proxy.
3. If there are no other settings under the section "[message-log]", that line can also be deleted.

More information: palveluvayla@palveluvayla.fi.