IMPORTANT - SSL Certificate Renewal and SHA-2

Guillaume Brossard    ●    Jan 8, 2016
On Wednesday February 10th 2016, Shotgun will renew the SSL Certificate for the *.shotgunstudio.com domain. In order to improve the security of our platform, the new certificate will be signed using SHA-2.

The current certificate is signed using SHA-1, which means this can be a breaking change for some clients using the SG API and/or SG Toolkit.

The web UI accessed through a browser should not be a problem, since browsers have supported SHA-2 for a while.

Detailed Information on SSL

More Details on SSL
The purpose of the SSL Certificate is to certify that users are really communicating with Shotgun. By validating a certificate against trusted Certificate Authorities, you can be sure who you are interacting with. Certificates are digitally signed by the issuing authority, which is what prevents forgery.

That identity validation is one of the first steps taken when establishing any secure connection (https) to a server. When users communicate with their Shotgun site(s), they are establishing a secure connection, whether through the browser, Shotgun’s Toolkit, or the Shotgun API.

In order to verify the identity of the server, applications connecting to Shotgun need to be able to check the signature on the SSL Certificate, which requires support for the hash algorithm used to sign it.

Why is this change necessary?
SHA-1 is known to be weaker than its SHA-2 counterpart, and as a result the community has decided to deprecate SHA-1. Many browsers already flag SHA-1 certificates as a minor security risk. In addition, Certificate Authorities are no longer signing certificates using SHA-1.

Read more about it here: http://www.superb.net/blog/2015/02/17/ssl-certificates-sha-2-why-should-i-upgrade/

Possible Impacts

Why can this be a breaking change?
SHA-2 is a more secure but newer algorithm. This means older versions of Python, including the Python interpreters embedded in your Digital Content Creation (DCC) tools, may not support SHA-2 signed certificates correctly. At the end of this announcement we have provided a list of applications and libraries that we know to be at risk of breaking. If you are using one of these tools, you may no longer be able to connect to your Shotgun site through Toolkit or the SG API. Even if your tools are not listed, you should check whether you will be impacted.

How can I know if my studio will be impacted?
We’ve made a small Python script available that will allow you to test whether you will be impacted by this change. You can run this script within any Python environment in your studio, including DCC consoles and script editors. The output will indicate whether the environment will break once the SHA-2 certificate is in place and, if so, whether a workaround for the issue is possible.

Be sure to test every operating system on which Shotgun Toolkit and the Shotgun API are used, as well as all DCC versions currently in use, even those not present in the list of applications at risk.

The script can be downloaded, or copied and pasted, from:

https://gist.github.com/robblau/01ac5b583bc9e6a00d11
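As an added illustration (this is not the Shotgun gist linked above, which remains the test Shotgun provides), the following offline pre-flight check applies the version rules from the "Known Applications and Tools at risk" list to a Python environment. It assumes only the standard library and that platform.system() reports "Windows" or "Darwin" for the Windows and Mac cases the list names.

```python
# Offline pre-flight check for SHA-2 certificate support, derived from the
# risk list in this announcement (Python <= 2.5, Python 2.6 on Windows/Mac,
# OpenSSL older than 0.9.8o). Written to run on Python 2 and 3.
import re
import sys
import platform
import hashlib

# 0.9.8o: OpenSSL 0.9.x/1.0.x use a trailing letter as the patch level,
# so the letter 'o' is encoded as 15 in the comparable tuple below.
MIN_OPENSSL = (0, 9, 8, 15)


def parse_openssl_version(text):
    """Turn 'OpenSSL 0.9.8o 01 Jun 2010' or '1.0.2k-fips' into (major, minor, fix, patch)."""
    m = re.search(r'(\d+)\.(\d+)\.(\d+)([a-z]*)', text)
    if not m:
        return None
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    patch = 0
    for ch in m.group(4):               # 'o' -> 15, 'zh' -> 26*26+8
        patch = patch * 26 + (ord(ch) - ord('a') + 1)
    return (major, minor, fix, patch)


def assess(python_version, system, openssl_version_text):
    """Return (at_risk, reasons). python_version is (major, minor); system is platform.system()."""
    reasons = []
    if python_version < (2, 6):
        reasons.append("Python 2.5 and below are at risk")
    elif python_version == (2, 6) and system in ("Windows", "Darwin"):
        reasons.append("Python 2.6 on Windows and Mac is at risk")
    ver = parse_openssl_version(openssl_version_text)
    if ver is None:
        reasons.append("could not determine OpenSSL version: " + openssl_version_text)
    elif ver < MIN_OPENSSL:
        reasons.append("OpenSSL '%s' is older than 0.9.8o" % openssl_version_text)
    return (len(reasons) > 0, reasons)


def local_check():
    """Assess the interpreter this runs in; also confirm it can compute SHA-256 at all."""
    try:
        import ssl
        openssl_text = getattr(ssl, "OPENSSL_VERSION", "unknown")
    except ImportError:
        openssl_text = "no ssl module"
    at_risk, reasons = assess(tuple(sys.version_info[:2]), platform.system(), openssl_text)
    try:
        hashlib.sha256("sha-2 check".encode("ascii")).hexdigest()
    except (AttributeError, ValueError):
        at_risk, reasons = True, reasons + ["hashlib cannot compute SHA-256"]
    return at_risk, reasons


if __name__ == "__main__":
    risk, why = local_check()
    print("AT RISK" if risk else "OK")
    for r in why:
        print(" - " + r)
```

Run it inside each DCC's Python console as well as from the system interpreter, since an embedded interpreter may ship its own OpenSSL.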

My studio is impacted… now what?
We suggest that users update the tool(s) being used. Since the community has embraced the transition to SHA-2, this issue has likely been fixed in the latest versions of these tools.
If you are unable to update for any reason, please reach out to Shotgun Support. There are known workarounds, and we will inform you of the alternative options.

Known Applications and Tools at risk

- Python 2.5 and below
- Python 2.6 on Windows and Mac
- OpenSSL version prior to 0.9.8o
- Maya 2013 and below (Windows and Mac)
- Motion Builder 2013 and below (Windows)
- Nuke 6.3v9 and below (Windows and Mac)
- Houdini 12.5 and below (Windows and Linux)
- Hiero 1.9v1 and below (probably Windows only)
- Softimage 2013 and below (probably Windows only)