"insecure hash algorithm…" after 3.4 update…

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
MacVador
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 13, 2023 1:37 pm

"insecure hash algorithm…" after 3.4 update…

Post by MacVador » Fri Oct 13, 2023 1:45 pm

Hi,
we use sometime OpenVPN to connect to our Stormshield (NetASQ) firewall appliance and it worked great. Nevertheless, after upgrading from 3.3.x to 3.4 version, we cannot connect anymore. The error message is "You are using insecure hash algorithm in CA signature. Please regenerate CA with other hash algorithm"…
The first problem is that we have no options to select a specific hash algorithm on the appliance, but more, I investigated this specific CA and the reply of openssl is "sha1WithRSAEncryption". The only info I have seen in troubleshooting is about MD5.
So any help or ideas would be appreciated…

PS: I have tried to reimport openvpn config file from the firewall without results. The error is shown only when connection is asked, not for import of profile.
PS2: I see that in the logs "EVENT: SSL_CA_MD_TOOWEAK OpenSSLContext: SSL_CTX_use_certificate failed: error:0A00018E:SSL routine::ca md too weak [ERR]

Halog
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 16, 2023 9:28 am

Re: "insecure hash algorithm…" after 3.4 update…

Post by Halog » Mon Oct 16, 2023 9:32 am

Hello,

we have the same problem.
We have a device with the older Version 3.3. It is still working fine.
On another device run the Version 3.4. There is the same problem as MacVador wrote.

Is there any work around to fix it?

Thanks for helping :-)

esahc
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 16, 2023 10:09 pm

Re: "insecure hash algorithm…" after 3.4 update…

Post by esahc » Mon Oct 16, 2023 10:12 pm

I am having the same issue with receiving the 'insecure hash algorithm in CA signature'

device running new version 3.4, was working just fine on 3.3

I've upgraded the firmware on my router to the latest version, exported and installed new profile, and get this message when I try to connect.

There has to be a fix for this right?

MacVador
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 13, 2023 1:37 pm

Re: "insecure hash algorithm…" after 3.4 update…

Post by MacVador » Tue Oct 17, 2023 9:11 am

"Happy" to see that I am not alone in the Universe… But sad to see that no solution nor workaround proposed…

MacVador
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 13, 2023 1:37 pm

Re: "insecure hash algorithm…" after 3.4 update…

Post by MacVador » Sat Oct 21, 2023 11:37 am

In my case, selection in settings/advanced settings for insecure authorisations has done the job.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: "insecure hash algorithm…" after 3.4 update…

Post by openvpn_inc » Thu Oct 26, 2023 2:25 pm

Hello guys,

The real problem is that certificates are being used that are using a very weak signature. The error message here shows the problem:

EVENT: SSL_CA_MD_TOOWEAK OpenSSLContext: SSL_CTX_use_certificate failed: error:0A00018E:SSL routine::ca md too weak [ERR]

This means a too weak signature is used on the CA certificate. This is no longer secure and you are being correctly warned about this. MD5 is very weak and considered severely compromised.

I would suggest to contact the manufacturer of this device and ask them to look into and solve this so that any CAs or certificates generated by this device are using SHA256 or such for the signature.

If the client you're using is OpenVPN Connect v3.4 there is an option to still allow lower level security settings. But obviously this is not a good idea. Yes, it will work again, but the underlying problem is not solved. This will buy time for the underlying problem to be solved.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

LucG
OpenVpn Newbie
Posts: 1
Joined: Thu Nov 30, 2023 7:01 pm

Re: "insecure hash algorithm…" after 3.4 update…

Post by LucG » Thu Nov 30, 2023 7:14 pm

Hello guys,

I have the same issue,
I change algorithm to SHA1 or SHA256,delete all keys in cert configuration, restart service to generate new certs, but I still have the same issue.
My is Asus router RT-AC66U -firmware 3.0.0.4.382.52287

remote xxxx.asuscomm.com 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 10 30

# for OpenVPN 2.4 or older
comp-lzo yes
# for OpenVPN 2.4 or newer
;compress lzo

auth-user-pass
client
auth SHA1
cipher AES-128-CBC
remote-cert-tls server
<ca>

becm
OpenVPN User
Posts: 40
Joined: Tue Sep 01, 2020 1:27 pm

Re: "insecure hash algorithm…" after 3.4 update…

Post by becm » Sat Dec 02, 2023 11:35 pm

Whatever comes after <ca> will likely still refer to a MD5-signed CA (given that exact error).

Post Reply