The OpenSSL version changed from v1.1.x to v3.x, which has much stricter requirements for certificates (by default).
As written in the error message, the (server I think?) certificate CA is rejected for having a weak signature (MD5, SHA1).
openvpn community client - what changed with 2.6.0?
- openvpn_inc
- OpenVPN Inc.
Re: openvpn community client - what changed with 2.6.0?
Hello becm,
The switch from OpenSSL 1 to 3 brings along with it all the changes in security posture that OpenSSL 3 brings. There are still ways to override default security settings to allow older less secure methods to be used, but this is not advisable.
For more information you can check release notes of OpenSSL 3 and see what changes there were.
If you use MD5 or SHA1 for your CA signing, you may be able to get things working with some settings to tell OpenSSL to ignore stuff and implement legacy methods. But generally that is not advisable. That's basically just ignoring the problem instead of solving it by going to a CA with SHA256 for example.
OpenVPN Connect for example has the concept of security level. In the configuration you can then set it to the lowest possible security setting to still allow certain older security methods to be used, although that is not advisable.
Kind regards,
Johan

Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
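A check for the condition discussed in this thread, added here as an example and not taken from the posts or from OpenVPN: it reports the signature algorithm of every certificate in a `ca.crt` or in an `.ovpn` profile with inline certificates, and flags MD5 and SHA-1. The function names are assumptions, and the parsing relies on the `Signature Algorithm:` line printed by `openssl x509 -noout -text`.

```shell
#!/bin/sh
# Added example (not from the thread): find MD5/SHA-1 signed certificates
# in the files an OpenVPN client loads. Function names are hypothetical.

# classify_sigalg NAME -> "weak" for MD5/SHA-1 based signatures, "unknown" if empty, else "ok"
classify_sigalg() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    "")           echo unknown ;;
    *md5*|*sha1*) echo weak ;;
    *)            echo ok ;;
  esac
}

# sigalg_from_text: reads `openssl x509 -noout -text` output on stdin and
# prints the value of the first "Signature Algorithm:" line.
sigalg_from_text() {
  sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# audit_file FILE: checks each PEM certificate in FILE (plain PEM bundle or
# .ovpn with inline <ca>/<cert>). Returns 1 if any certificate is not "ok".
audit_file() {
  af_file=$1; af_rc=0; af_i=0
  af_total=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$af_file" || true)
  while [ "$af_i" -lt "${af_total:-0}" ]; do
    af_i=$((af_i + 1))
    # Extract the af_i-th certificate (CR stripped for Windows-edited profiles).
    af_alg=$(tr -d '\r' < "$af_file" | awk -v want="$af_i" '
               /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
               on && n == want               { print }
               /-----END CERTIFICATE-----/   { on = 0 }' |
             openssl x509 -noout -text 2>/dev/null | sigalg_from_text)
    af_verdict=$(classify_sigalg "$af_alg")
    printf '%s: certificate #%d: %s -> %s\n' \
      "$af_file" "$af_i" "${af_alg:-unparseable}" "$af_verdict"
    [ "$af_verdict" = ok ] || af_rc=1
  done
  return "$af_rc"
}

# Audit every file named on the command line, e.g.: sh audit.sh ca.crt client.ovpn
for f in "$@"; do
  audit_file "$f" || echo "$f: contains a certificate that needs re-issuing"
done
```

A `weak` result on the CA certificate is the case the reply describes, where the fix is a CA signed with SHA256 rather than lowering the security settings.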