Hi,
We sometimes use OpenVPN to connect to our Stormshield (NetASQ) firewall appliance, and it worked great. Nevertheless, after upgrading from version 3.3.x to 3.4, we cannot connect anymore. The error message is "You are using insecure hash algorithm in CA signature. Please regenerate CA with other hash algorithm"…
The first problem is that we have no option to select a specific hash algorithm on the appliance, but what is more, I investigated this specific CA and the reply of openssl is "sha1WithRSAEncryption". The only info I have seen in troubleshooting is about MD5.
So any help or ideas would be appreciated…
PS: I have tried to re-import the OpenVPN config file from the firewall, without results. The error is shown only when a connection is attempted, not on import of the profile.
PS2: I see this in the logs: "EVENT: SSL_CA_MD_TOOWEAK OpenSSLContext: SSL_CTX_use_certificate failed: error:0A00018E:SSL routine::ca md too weak [ERR]"
"insecure hash algorithm…" after 3.4 update…
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Oct 13, 2023 1:37 pm
- OpenVpn Newbie
- Posts: 1
- Joined: Mon Oct 16, 2023 9:28 am
Re: "insecure hash algorithm…" after 3.4 update…
Hello,
We have the same problem.
We have a device with the older version 3.3. It is still working fine.
Another device runs version 3.4. It has the same problem as MacVador wrote.
Is there any workaround to fix it?
Thanks for your help.
- OpenVpn Newbie
- Posts: 1
- Joined: Mon Oct 16, 2023 10:09 pm
Re: "insecure hash algorithm…" after 3.4 update…
I am having the same issue, receiving the 'insecure hash algorithm in CA signature' error.
The device is running the new version 3.4; it was working just fine on 3.3.
I've upgraded the firmware on my router to the latest version, exported and installed a new profile, and get this message when I try to connect.
There has to be a fix for this, right?
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Oct 13, 2023 1:37 pm
Re: "insecure hash algorithm…" after 3.4 update…
"Happy" to see that I am not alone in the Universe… But sad to see that no solution or workaround has been proposed…
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Oct 13, 2023 1:37 pm
Re: "insecure hash algorithm…" after 3.4 update…
In my case, selecting the option for insecure authorisations in Settings / Advanced Settings did the job.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1332
- Joined: Tue Feb 16, 2021 10:41 am
Re: "insecure hash algorithm…" after 3.4 update…
Hello guys,
The real problem is that certificates with a very weak signature are being used. The error message here shows the problem:
EVENT: SSL_CA_MD_TOOWEAK OpenSSLContext: SSL_CTX_use_certificate failed: error:0A00018E:SSL routine::ca md too weak [ERR]
This means a too weak signature is used on the CA certificate. This is no longer secure and you are being correctly warned about this. MD5 is very weak and considered severely compromised.
I would suggest to contact the manufacturer of this device and ask them to look into and solve this so that any CAs or certificates generated by this device are using SHA256 or such for the signature.
If the client you're using is OpenVPN Connect v3.4 there is an option to still allow lower level security settings. But obviously this is not a good idea. Yes, it will work again, but the underlying problem is not solved. This will buy time for the underlying problem to be solved.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Nov 30, 2023 7:01 pm
Re: "insecure hash algorithm…" after 3.4 update…
Hello guys,
I have the same issue.
I changed the algorithm to SHA1 or SHA256, deleted all keys in the cert configuration, and restarted the service to generate new certs, but I still have the same issue.
Mine is an Asus router RT-AC66U, firmware 3.0.0.4.382.52287. Profile:
remote xxxx.asuscomm.com 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 10 30
# for OpenVPN 2.4 or older
comp-lzo yes
# for OpenVPN 2.4 or newer
;compress lzo
auth-user-pass
client
auth SHA1
cipher AES-128-CBC
remote-cert-tls server
<ca>
- OpenVPN User
- Posts: 40
- Joined: Tue Sep 01, 2020 1:27 pm
Re: "insecure hash algorithm…" after 3.4 update…
Whatever comes after <ca> will likely still refer to a MD5-signed CA (given that exact error).
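A way to settle what is actually inside the `<ca>` and `<cert>` blocks, as an added example for this thread (not code from OpenVPN Inc., the appliance vendors or any poster): the error in the first post, `error:0A00018E:SSL routine::ca md too weak`, is OpenSSL's `SSL_R_CA_MD_TOO_WEAK` (reason 0x18E in library 20, SSL), raised from `SSL_CTX_use_certificate` when the digest used in a certificate's signature falls below the floor of the active security level. OpenSSL 3 rates both MD5 and SHA-1 signatures below the 80-bit floor of its default level 1, so a `sha1WithRSAEncryption` CA, which is what the original poster found, trips it just as an MD5-signed one does. The `auth SHA1` line in the Asus profile is the data-channel HMAC and has nothing to do with this check. The script below extracts every PEM certificate from the inline `<ca>` and `<cert>` blocks of an .ovpn profile, reads the outer `signatureAlgorithm` OID with a minimal DER walk (standard library only, no `openssl` binary needed) and flags MD5/SHA-1. The sample profile and its two certificates are constructed here (empty `tbsCertificate`, dummy signature, made-up hostname) purely to exercise the parser; the OID table covers the RSA and ECDSA algorithms OpenVPN deployments commonly use.

```python
"""Lint the inline <ca>/<cert> blocks of an OpenVPN profile for weak signature
digests.  Added example for this thread, not code from OpenVPN Inc. or any
poster.  Standard library only: the signatureAlgorithm OID is read with a
minimal DER walk instead of shelling out to openssl."""
import base64
import re

# Signature-algorithm OIDs -> (OpenSSL name, digest). Unknown OIDs are
# reported verbatim and never flagged, so the table is only a convenience.
SIG_OIDS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption",    "md5"),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         "sha1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       "sha256"),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384",       "sha384"),
    "1.2.840.10045.4.3.4":   ("ecdsa-with-SHA512",       "sha512"),
}
# Digests OpenSSL 3 rates below the 80-bit floor of security level 1 (its
# default); that is the condition SSL_R_CA_MD_TOO_WEAK (0x18E) reports.
WEAK_DIGESTS = {"md5", "sha1"}


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _oid_to_str(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted notation."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    Returns the dotted OID from the outer signatureAlgorithm."""
    tag, start, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, start)       # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _oid_to_str(der[oid_start:oid_end])


def inline_pems(profile_text, block):
    """PEM certificate bodies inside <block>...</block> of an .ovpn profile."""
    m = re.search(rf"<{block}>(.*?)</{block}>", profile_text, re.S)
    if not m:
        return []
    return re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      m.group(1), re.S)


def lint_profile(profile_text):
    """-> [(block, index, algorithm_name, is_weak)] for every inline certificate."""
    findings = []
    for block in ("ca", "cert"):
        for i, body in enumerate(inline_pems(profile_text, block)):
            oid = signature_oid(base64.b64decode("".join(body.split())))
            name, digest = SIG_OIDS.get(oid, (oid, "unknown"))
            findings.append((block, i, name, digest in WEAK_DIGESTS))
    return findings


# --- constructed sample input (not real certificates) -----------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        while p >> 7:
            p >>= 7
            enc.append(0x80 | (p & 0x7F))
        out.extend(reversed(enc))
    return _der(0x06, bytes(out))


def fake_cert_pem(sig_oid, sig_len=9):
    """Outer Certificate shell with an empty tbsCertificate and a dummy signature:
    enough for signature_oid(), not something any TLS stack would accept."""
    cert = _der(0x30, _der(0x30, b"")
                + _der(0x30, _der_oid(sig_oid) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
                + _der(0x03, b"\x00" * sig_len))                  # BIT STRING placeholder
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


# Same shape as the profile posted above; hostname made up for the example.
SAMPLE_PROFILE = "\n".join([
    "client", "dev tun", "proto udp", "remote vpn.example.invalid 1194",
    "auth SHA1",                                                  # data-channel HMAC, unrelated
    "<ca>", fake_cert_pem("1.2.840.113549.1.1.5"), "</ca>",       # sha1WithRSAEncryption
    "<cert>", fake_cert_pem("1.2.840.113549.1.1.11"), "</cert>",  # sha256WithRSAEncryption
])

if __name__ == "__main__":
    for block, i, name, weak in lint_profile(SAMPLE_PROFILE):
        print(f"<{block}> #{i}: {name} {'WEAK - regenerate with SHA-256' if weak else 'ok'}")
```

Run it against the exported .ovpn (`lint_profile(open("client.ovpn").read())`). A WEAK finding on `<ca>` or `<cert>` means the appliance's PKI has to be regenerated: the CA itself and the server and client certificates it issued, all signed with SHA-256 or stronger. The advanced-settings toggle mentioned earlier in the thread only makes the client accept the profile again; it changes nothing about the certificates the peer presents.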