Work with client 2.4.6 "md certificates too weak"
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Sep 03, 2018 1:28 pm
Work with client 2.4.6 "md certificates too weak"
Version 2.4.6 of the client became available. It produces an error: "md certificates too weak"
Tell me what to do about it.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Work with client 2.4.6
You should get stronger certificates. The MD5 signed certificates are so weak it is a security risk. We've given people a very long time to warn them about this and to migrate away to a proper implementation, but now we're reaching a point where we're protecting people from insecure connections.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Sep 03, 2018 1:28 pm
Re: Work with client 2.4.6
What actions should I take to do this?
Creating a new PKI implies a new server?
Can I support old clients with md5 certificates and a new pki?
Last edited by a_roman on Mon Sep 03, 2018 2:00 pm, edited 2 times in total.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Work with client 2.4.6
Read the EasyRSA help.
No .. a new PKI is new CA, certificates and keys of the current server and all clients.
No! and you don't want to either.
Note:
You have had enough time.
novaflash wrote (Mon Sep 03, 2018 1:38 pm): "The MD5 signed certificates are so weak it is a security risk. We've given people a very long time to warn them about this and to migrate away to a proper implementation, but now we're reaching a point where we're protecting people from insecure connections."
You can still use MD5 but you may as well not use a VPN at all if you do because you will have NO security and be open to attack.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Sep 03, 2018 1:28 pm
Re: Work with client 2.4.6 "md certificates too weak"
And another question. Are there any dependencies when updating the release from 14 to 18?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Sep 03, 2018 1:28 pm
Re: Work with client 2.4.6 "md certificates too weak"
My mistake. I'm sorry. Upgrade Ubuntu Linux 14 to 18.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Work with client 2.4.6 "md certificates too weak"
I presume you mean upgrade Linux 4.14 to 4.18 ..
Or maybe .. you mean Ubuntu 14.04 to 18.04
I don't think there are any complicated dependencies related to OpenVPN.
You may find these repos more up to date:
https://community.openvpn.net/openvpn/w ... twareRepos
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Sep 03, 2018 1:28 pm
Re: Work with client 2.4.6 "md certificates too weak"
I mean from 14.04 to 18.04.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Sep 03, 2018 1:28 pm
Re: Work with client 2.4.6 "md certificates too weak"
Our OpenVPN is used under the control of Webmin. Can I create through it another CA next to the old one?
And then gradually transfer the old customers to a new CA?
Is it possible to use the old configuration parameters from /openvpn-ssl.cnf?
Will two CAs work simultaneously??
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Work with client 2.4.6 "md certificates too weak"
You still use EasyRSA and then upload the files, taking the webmin out of the way. (Should work but may not)
Yes. You have customers then you should know and understand this by now!
I don't know but probably not. Because that would be with your webmin and that is out of date.
You can stack them but the MD5 certs will still be rejected because of security.
If you want to contact me privately : tincanteksup <at> gmail
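Before rebuilding the PKI as the replies above advise, it helps to know which existing certificates carry the weak signature. The script below is an added example, not part of any post in this thread: it reads the signature algorithm of each certificate with `openssl x509` and flags MD5-signed ones. The function names, the directory layout (`DIR/*.crt` and `DIR/issued/*.crt`) and the extra SHA-1 warning are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report certificates in a PKI
# directory whose signature digest current OpenVPN/OpenSSL builds refuse.

# Print the signature algorithm name OpenSSL reports for one certificate
# file, or nothing if the file cannot be parsed as a certificate.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': ' '/Signature Algorithm:/ { print $2; exit }'
}

# Map that name to a verdict. MD5 is the case from this thread; flagging
# SHA-1 as well is an assumption added here, the thread does not cover it.
classify_sigalg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        '')                            echo UNKNOWN ;;
        md2*|md4*|md5*)                echo REJECTED ;;
        sha1*|*-with-sha1|dsawithsha1) echo WEAK ;;
        *)                             echo OK ;;
    esac
}

# Audit the CA and issued certificates under DIR (assumed layout:
# DIR/*.crt and DIR/issued/*.crt). The body runs in a subshell so its
# variables stay local. Status is non-zero if any cert needs reissuing.
audit_pki() (
    bad=0
    for f in "$1"/*.crt "$1"/issued/*.crt; do
        [ -f "$f" ] || continue
        alg="$(cert_sigalg "$f")"
        verdict="$(classify_sigalg "$alg")"
        printf '%-8s %-26s %s\n' "$verdict" "${alg:-unparsed}" "$f"
        case "$verdict" in REJECTED|WEAK) bad=$((bad + 1)) ;; esac
    done
    [ "$bad" -eq 0 ]
)

# Usage: sh audit_pki.sh /path/to/pki
if [ "$#" -gt 0 ]; then audit_pki "$1"; fi
```

Every certificate reported as REJECTED, including the CA certificate itself, has to be reissued from the new PKI.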