Loading

Mutual SSL Fails After Upgrading if Certificates Signed with SHA-1

Publiceringsdatum: Apr 30, 2025
Beskrivning
Beginning with Tableau Server 2020.4 and later, Tableau Server set up for mutual SSL authentication will not allow authentication of users with client certificates using the SHA1 signing algorithm. 

Logging in will result in an "Unable to sign in" error, and the following error will be visible in the VizPortal logs: 
Unsupported client certificate signature detected: [certificate Signature Algorithm name]

Cause

To improve security, Tableau Server starting in version 2020.4 and later will no longer support the insecure signing algorithm SHA-1 for mutual SSL. 
Lösning

Option 1: Update your certificates
If you are using Tableau Server with mutual SSL authentication, we recommend updating your certificates to use SHA256 (or stronger) signatures before upgrading to Tableau Server 2020.4 or later.
 

Option 2: Disable has blocklisting as a temporary workaround

As a temporary measure, you can disable signature hash blocklisting with the following command:

tsm configuration set -k "ssl.client_certificate_login.blocklisted_signature_algorithms" -v ""


After certificates are updated to use a secure algorithm, re-enable blocklisting with the following command:

tsm configuration set -k “ssl.client_certificate_login.blocklisted_signature_algorithms” -v “sha1withrsaencryption,sha1withrsa”


NOTE: You can see which of your signature hashes are blocklisted with the following command:

tsm configuration get -k "ssl.client_certificate_login.blocklisted_signature_algorithms"

Ytterligare resurser
For more information on why Tableau is ending support for SHA-1 signatures, see NIST Policy on Hash Functions.
Knowledge-artikelnummer

001534685

 
Laddar
Salesforce Help | Article