Unsupported CloudFront Signing Algorithm (SHA1)
When WP Offload Media has been correctly set up to serve private media from CloudFront, it may still be the case that the site’s server configuration does not support the signing algorithm that CloudFront currently requires.
If this is the case, WP Offload Media displays a notice with the following text when it checks that everything is working as expected:
It is currently not possible to serve private media from CloudFront because the server does not support the required signing algorithm.
The problem stems from CloudFront only supporting the SHA1 signing algorithm for signing CloudFront URLs. On an increasing number of servers, the SHA1 algorithm is disabled by default, both in the native OpenSSL library and in the way PHP is compiled against that library, because it is deemed an insecure legacy algorithm.
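One way to confirm this is the cause on a given server, as an added example (not code from WP Offload Media or the AWS SDK): it signs a constructed CloudFront-style policy with a throwaway key using SHA1, then SHA256 as a control. The RSA key type and size, the helper function names, and the `cdn.example.com` resource are assumptions made for the check.

```php
<?php
// Added diagnostic example; not WP Offload Media or AWS SDK code.

/** Collect and clear everything in OpenSSL's error queue. */
function drain_openssl_errors(): string
{
    $errors = [];
    while (($e = openssl_error_string()) !== false) {
        $errors[] = $e;
    }
    return $errors ? implode('; ', $errors) : 'no OpenSSL error reported';
}

/** Try to sign $message with a throwaway RSA key; returns [ok, detail]. */
function try_rsa_sign(string $message, int $algo): array
{
    // Assumption: a 2048-bit RSA key, generated only for this check.
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($key === false) {
        return [false, 'key generation failed: ' . drain_openssl_errors()];
    }
    drain_openssl_errors(); // discard stale entries so only signing errors remain
    $signature = '';
    $ok = @openssl_sign($message, $signature, $key, $algo);
    return $ok
        ? [true, strlen($signature) . '-byte signature']
        : [false, drain_openssl_errors()];
}

// Constructed sample: a canned policy of the shape signed for CloudFront URLs.
$policy = json_encode(['Statement' => [[
    'Resource'  => 'https://cdn.example.com/private/sample.jpg', // placeholder
    'Condition' => ['DateLessThan' => ['AWS:EpochTime' => time() + 300]],
]]], JSON_UNESCAPED_SLASHES);

$results = [
    'RSA-SHA1'   => try_rsa_sign($policy, OPENSSL_ALGO_SHA1),
    'RSA-SHA256' => try_rsa_sign($policy, OPENSSL_ALGO_SHA256),
];
printf("PHP %s, %s\n", PHP_VERSION, OPENSSL_VERSION_TEXT);
foreach ($results as $name => [$ok, $detail]) {
    printf("%-10s %s (%s)\n", $name, $ok ? 'OK' : 'FAILED', $detail);
}
if (!$results['RSA-SHA1'][0] && $results['RSA-SHA256'][0]) {
    echo "SHA1 signing is disabled in this PHP/OpenSSL build.\n";
}
```

Run it with the same PHP binary or SAPI that serves the site, since the CLI and the web server can use different PHP builds. If both lines report FAILED, the problem is broader than SHA1 being disabled.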
How to Resolve
At present, there are two known ways to resolve the issue and re-enable delivery of signed private media.
Re-Enable the SHA1 Signing Algorithm on the Server
Ask your server administrator to re-enable the SHA1 algorithm in the OpenSSL library used by PHP.
Turn Off the Serve Private Media from CloudFront Setting
Turning off the Serve Private Media from CloudFront setting will enable WP Offload Media to serve private media using signed expiring URLs from the S3 bucket.
This is a temporary solution until either your server admin can re-enable the SHA1 signing algorithm on the server, or CloudFront enables other signing algorithms on the service, updates the AWS PHP SDK to support them, and WP Offload Media integrates the new AWS PHP SDK with any changes that may be required.