openssl new versions consider md certificates too weak

Scripts to manage certificates or generate config files
hakster
OpenVpn Newbie
Posts: 1
Joined: Wed Apr 26, 2017 2:52 pm

openssl new versions consider md certificates too weak

Postby hakster » Wed Apr 26, 2017 3:01 pm

A user who upgraded openssl from 1.02 to 1.1.0 found that openvpn could not connect. Seems openssl does not allow md5 signed certificates. Assuming the server certs cannot get re-issued with SHA (easily), is there a workaround, such as relaxing openssl 1.1.0, short of a revert to the older version?

Relevant logging:

nm-openvpn[4287]: library versions: OpenSSL 1.1.0e 16 Feb 2017, LZO 2.10
nm-openvpn[4287]: OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
nm-openvpn[4287]: Cannot load certificate file /path/cert.crt

ku4eto
OpenVpn Newbie
Posts: 2
Joined: Sat Jul 01, 2017 11:28 am

Re: openssl new versions consider md certificates too weak

Postby ku4eto » Sat Jul 01, 2017 11:36 am

I ran into this issue as well. Using Cyberoam certs, it worked a month ago, but after updating, it doesn't even try to connect. Logs below.

14:31 OpenVPN 2.5-icsopenvpn [git:icsopenvpn-d51333c645c12713+] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jun 26 2017
14:31 library versions: OpenSSL 1.1.0f 25 May 2017, LZO 2.10
14:31 MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file
14:31 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
14:31 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
14:31 OpenSSL reproted a certificate with a weak hash, please the in app FAQ about weak hashes
14:31 Cannot load inline certificate file
14:31 Exiting due to fatal error

It would be good if we get a fix for this.

Curtj
OpenVpn Newbie
Posts: 1
Joined: Wed Jul 05, 2017 1:05 am

Re: openssl new versions consider md certificates too weak

Postby Curtj » Wed Jul 05, 2017 1:20 am

I had this problem with the OpenVPN for Android app. See the explanation in the following link.
http://ics-openvpn.blinkt.de/FAQ.html

I circumvented/fixed the problem by editing the openssl-1.0.0.cnf file in my easy-rsa directory and changing "default_md" from md5 to sha256 and then regenerating my certificates.

ku4eto
OpenVpn Newbie
Posts: 2
Joined: Sat Jul 01, 2017 11:28 am

Re: openssl new versions consider md certificates too weak

Postby ku4eto » Tue Jul 11, 2017 6:23 am

Curtj wrote: I had this problem with the OpenVPN for Android app. See the explanation in the following link.
http://ics-openvpn.blinkt.de/FAQ.html

I circumvented/fixed the problem by editing the openssl-1.0.0.cnf file in my easy-rsa directory and changing "default_md" from md5 to sha256 and then regenerating my certificates.

Perfect, in the FAQ there is actually information on how to go around it:
tls-cipher "DEFAULT:@SECLEVEL=0"
In the advanced > custom settings.
Good solution, when you can't re-issue the certificates. Thanks a bunch.
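As an added example (not code from this thread, from OpenVPN, or from easy-rsa), the script below does the check a defender wants before choosing between the two fixes above: it reads the PEM certificate files OpenVPN loads (a ca.crt bundle, cert.crt) and reports which ones are signed with a digest that OpenSSL 1.1.0 rejects at its default @SECLEVEL=1 ("ca md too weak"), so you know exactly what needs re-issuing with default_md sha256 rather than dropping to @SECLEVEL=0. It parses only the outer DER structure of each certificate (no external library), uses OpenSSL's rule of "digest output bytes × 4" as the signature's security bits (an assumption stated in the code), and, because no real certificate is included here, builds constructed certificate-shaped blobs to exercise the parser.

```python
"""Find certificates whose signature digest is too weak for an OpenSSL security level."""
import base64
import re

# signatureAlgorithm OIDs -> digest they use (common subset of what OpenSSL knows).
SIG_OID_DIGEST = {
    "1.2.840.113549.1.1.2": "md2",      # md2WithRSAEncryption
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",
    "1.2.840.10045.4.3.4": "sha512",
}
DIGEST_BYTES = {"md2": 16, "md5": 16, "sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}
# Minimum security bits OpenSSL demands at @SECLEVEL=0..5 (level 1 is the 1.1.0 default).
SECLEVEL_MINBITS = [0, 80, 112, 128, 192, 256]


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate
    _, algid, _ = _read_tlv(body, pos)      # signatureAlgorithm: AlgorithmIdentifier
    tag, oid_bytes, _ = _read_tlv(algid, 0)  # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid_bytes)


def pem_to_der_list(text):
    """All CERTIFICATE blocks in a PEM file (ca.crt bundles often hold several)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def classify(der, level=1):
    """Report the signature digest and whether OpenSSL accepts it at this @SECLEVEL."""
    oid = signature_oid(der)
    digest = SIG_OID_DIGEST.get(oid, "unknown")
    # Assumption: OpenSSL rates a certificate signature at digest-bytes * 4 security bits
    # (md5 -> 64, so it fails the 80-bit bar of level 1; sha1 -> 80 passes level 1 only).
    secbits = DIGEST_BYTES.get(digest, 0) * 4
    return {"oid": oid, "digest": digest, "secbits": secbits,
            "accepted": secbits >= SECLEVEL_MINBITS[level]}


def audit_pem(text, level=1):
    return [classify(der, level) for der in pem_to_der_list(text)]


# --- constructed test data: certificate-shaped DER, NOT a real signed certificate ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def fake_cert_pem(sig_oid):
    """Outer Certificate shape with placeholder tbsCertificate and signature bits."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    algid = _der(0x30, _der(0x06, _der_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)           # BIT STRING, 0 unused bits, dummy content
    b64 = base64.b64encode(_der(0x30, tbs + algid + sig)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = fake_cert_pem("1.2.840.113549.1.1.4") + fake_cert_pem("1.2.840.113549.1.1.11")
    for i, r in enumerate(audit_pem(bundle, level=1)):
        print(f"cert {i}: {r['digest']} ({r['secbits']} bits) accepted at SECLEVEL=1: {r['accepted']}")
```

Run it against your real files by replacing the constructed bundle with `audit_pem(open("ca.crt").read(), level=1)`; any entry reporting `md5` is the one that produces the `ca md too weak` error and is the certificate to regenerate with `default_md = sha256`. Passing `level=0` shows what the `tls-cipher "DEFAULT:@SECLEVEL=0"` workaround accepts, which is everything, so treat that setting as a stopgap until the CA and server certificates are re-issued.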

