OpenSSL: error:0A00018E:SSL routines::ca md too weak

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
a_subscriber
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 15, 2022 9:27 am

OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by a_subscriber » Mon Aug 15, 2022 9:28 am

Linux Mint 21

Success install openvpn.

Code: Select all

OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022

openssl version -a

Code: Select all

OpenSSL 1.1.1q  5 Jul 2022
built on: Mon Aug 15 08:08:28 2022 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific
Now want to connect to remote setup via openvpn.

Code: Select all

sudo openvpn Leo.ovpn 
but get error:

Code: Select all

2022-08-15 09:29:10 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-08-15 09:29:10 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-08-15 09:29:10 WARNING: file 'client.key' is group or others accessible
2022-08-15 09:29:10 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-08-15 09:29:10 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-08-15 09:29:10 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-08-15 09:29:10 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-08-15 09:29:10 Cannot load certificate file client.crt
2022-08-15 09:29:10 Exiting due to fatal error
P.S. I check folder. Exist files: client.crt and ca.crt

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by TinCanTech » Mon Aug 15, 2022 10:29 am

a_subscriber wrote:
Mon Aug 15, 2022 9:28 am
ca md too weak
Means your CA key is to weak to provide security. You need a new one.

a_subscriber
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 15, 2022 9:27 am

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by a_subscriber » Mon Aug 15, 2022 10:43 am

TinCanTech wrote:
Mon Aug 15, 2022 10:29 am
a_subscriber wrote:
Mon Aug 15, 2022 9:28 am
ca md too weak
Means your CA key is to weak to provide security. You need a new one.
It's impossible because certificate generate by admin. I can't access for this procedure

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by TinCanTech » Mon Aug 15, 2022 10:57 am

Then tell your admin that the vpn is insecure.

a_subscriber
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 15, 2022 9:27 am

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by a_subscriber » Mon Aug 15, 2022 1:40 pm

I fix the problem:

I install openvpn ver. 2.4.7 and now no error.

OpenVPN 2.4.7 x86_64-pc-linux-gnu
OpenSSL 1.1.1q 5 Jul 2022

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by TinCanTech » Mon Aug 15, 2022 2:17 pm

Your VPN is still insecure.

a_subscriber
OpenVpn Newbie
Posts: 4
Joined: Mon Aug 15, 2022 9:27 am

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by a_subscriber » Wed Nov 29, 2023 11:22 am

Is is possible to fix this problem on OpenVpn 2.5.5 (LInux Mint 21) ?

becm
OpenVPN User
Posts: 38
Joined: Tue Sep 01, 2020 1:27 pm

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

Post by becm » Sat Dec 02, 2023 11:28 pm

A fix would be to nudge the server admin to update the certificate.
You can choose to have inadequate security, have a look at the TLS profiles in the OpenVPN manual.

Post Reply