Potential exploitation of certificate with MD5 signature



Post by rondeaut » Wed Jul 19, 2023 2:28 am

Hi everyone, I have been investigating the 'ca md too weak' issue - many of our certificates are signed with the MD5 algorithm and are generating this error message with recent builds of OpenVPN. We have started replacing them, and I am also trying to understand what the implications of this vulnerability are, specifically what exploitation of it would look like.

From what I've read, an attacker could generate an arbitrary signed certificate by creating a collision. Assuming that this is correct, would this be sufficient to allow a connection to an OpenVPN server?

I believe they would need a CA root certificate but we use OVPN files that contain this, so they could get that from there. They would also need public and private keys, but I believe they could generate their own.

I also believe that the serial numbers of the certificates in use must be sequential and therefore predictable. I'm not sure why, or what the implications of this are.

If I understand correctly, they would need access to an existing signed certificate in order to create the collision?

Thanks

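For the replacement work the post describes, the following is an added example (not part of the original post and not OpenVPN project code) that finds inline certificates in an .ovpn profile whose signature algorithm is MD5 or MD2, the condition behind 'ca md too weak'. It assumes the certificates are embedded as PEM blocks; the sample profile is built from constructed DER skeletons rather than real certificates, and `skeleton_pem` and `SAMPLE_PROFILE` are hypothetical names.

```python
import base64
import re

# Signature-algorithm OIDs (DER content bytes) treated as too weak.
WEAK_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d010102"): "md2WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def signature_oid(der):
    """Return the outer signatureAlgorithm OID bytes of a DER X.509 certificate."""
    _, body, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, body)    # skip tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)     # signatureAlgorithm SEQUENCE
    tag, start, end = read_tlv(der, alg)   # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("not an X.509 certificate")
    return der[start:end]

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def weak_certs(profile_text):
    """List (index, algorithm) for every inline PEM certificate with a weak signature."""
    hits = []
    for i, m in enumerate(PEM_RE.finditer(profile_text)):
        name = WEAK_SIG_OIDS.get(signature_oid(base64.b64decode(m.group(1))))
        if name:
            hits.append((i, name))
    return hits

def skeleton_pem(oid_hex):
    # Constructed sample: a DER skeleton with an empty tbsCertificate, not a real certificate.
    alg = bytes.fromhex("0609" + oid_hex + "0500")
    body = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    pem = base64.encodebytes(b"\x30" + bytes([len(body)]) + body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"

SAMPLE_PROFILE = ("client\n<ca>\n" + skeleton_pem("2a864886f70d010104") + "</ca>\n"
                  "<cert>\n" + skeleton_pem("2a864886f70d01010b") + "</cert>\n")
```

Calling `weak_certs()` on the text of each distributed profile gives the list of certificates still to be reissued; index 0 is the first PEM block in the file.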