OpenSSL: error:0A00018E:SSL routines::ca md too weak

a_subscriber
OpenVpn Newbie
Posts: 3
Joined: Mon Aug 15, 2022 9:27 am

OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by a_subscriber » Mon Aug 15, 2022 9:28 am

Linux Mint 21

Successfully installed openvpn.

Code:

OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022

openssl version -a

Code:

OpenSSL 1.1.1q  5 Jul 2022
built on: Mon Aug 15 08:08:28 2022 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific

Now I want to connect to a remote setup via openvpn.

Code:

sudo openvpn Leo.ovpn

but I get an error:

Code:

2022-08-15 09:29:10 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-08-15 09:29:10 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-08-15 09:29:10 WARNING: file 'client.key' is group or others accessible
2022-08-15 09:29:10 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-08-15 09:29:10 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-08-15 09:29:10 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-08-15 09:29:10 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-08-15 09:29:10 Cannot load certificate file client.crt
2022-08-15 09:29:10 Exiting due to fatal error

P.S. I checked the folder. The files client.crt and ca.crt exist.

TinCanTech
Forum Team
Posts: 11124
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by TinCanTech » Mon Aug 15, 2022 10:29 am

a_subscriber wrote:
Mon Aug 15, 2022 9:28 am
ca md too weak

Means your CA key is too weak to provide security. You need a new one.

a_subscriber
OpenVpn Newbie
Posts: 3
Joined: Mon Aug 15, 2022 9:27 am

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by a_subscriber » Mon Aug 15, 2022 10:43 am

TinCanTech wrote:
Mon Aug 15, 2022 10:29 am
a_subscriber wrote:
Mon Aug 15, 2022 9:28 am
ca md too weak
Means your CA key is too weak to provide security. You need a new one.

It's impossible because the certificate is generated by the admin. I don't have access to this procedure.

TinCanTech
Forum Team
Posts: 11124
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by TinCanTech » Mon Aug 15, 2022 10:57 am

Then tell your admin that the vpn is insecure.

a_subscriber
OpenVpn Newbie
Posts: 3
Joined: Mon Aug 15, 2022 9:27 am

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by a_subscriber » Mon Aug 15, 2022 1:40 pm

I fixed the problem:

I installed openvpn ver. 2.4.7 and now there is no error.

OpenVPN 2.4.7 x86_64-pc-linux-gnu
OpenSSL 1.1.1q 5 Jul 2022

TinCanTech
Forum Team
Posts: 11124
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by TinCanTech » Mon Aug 15, 2022 2:17 pm

Your VPN is still insecure.
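
An added example, not part of any post in this thread: the `md` in `ca md too weak` is the message digest of a certificate's signature, and OpenSSL 3.0 (the library version shown in the log) no longer accepts MD5- or SHA-1-signed certificates at its default security level. The script below reports the signature algorithm of each certificate file passed to it, such as the `client.crt` and `ca.crt` named in the first post, so the result can be handed to the admin who issues them. The function names and the sample text are constructed for illustration; the thread does not say which digest these certificates use.

```shell
#!/bin/sh
# Added example (not from the thread): report the signature digest of each
# certificate so the one behind "ca md too weak" can be identified.

# Read `openssl x509 -noout -text` output on stdin and print the first
# "Signature Algorithm:" value.
sig_alg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Map a signature algorithm name to a verdict based on its message digest.
# "weak" covers the digests OpenSSL 3.0 refuses at security level 1 and above.
classify_sig_alg() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        '')                        echo "unknown" ;;
        *md2*|*md4*|*md5*|*sha1*)  echo "weak" ;;
        *sha224*|*sha256*|*sha384*|*sha512*|*sha3*|ed25519|ed448)
                                   echo "ok" ;;
        *)                         echo "unknown" ;;  # e.g. rsassaPss: digest is in the parameters
    esac
}

# Print "<file>: <algorithm> -> <verdict>" for one PEM certificate file.
check_cert() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null | sig_alg_from_text)
    printf '%s: %s -> %s\n' "$1" "${alg:-unreadable}" "$(classify_sig_alg "$alg")"
}

# Constructed sample of `openssl x509 -noout -text` output (not from the thread).
SAMPLE_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example-CA'

# Usage: sh check_digest.sh client.crt ca.crt
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        check_cert "$f"
    done
fi
```

A `weak` verdict means the certificate has to be reissued with a SHA-256 or stronger signature.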
