OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

jack07
OpenVpn Newbie
Posts: 1
Joined: Wed Aug 16, 2023 9:55 pm

OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by jack07 » Wed Aug 16, 2023 10:03 pm

I had ASUS Blue Cave of a router with RSA 2048 bit of OpenVPN.
When I upgraded OpenVPN Connect from 3.3.7 to 3.4 will get a error with connect.
"You are using insecure hash algorithm in CA signature.
Please regenerate CA with other hash algorithm"
When I unistall OpenVPN and install OpenVPN Connect 3.3.7. Everything is work fine.
Anyone, does any idea how to fix this problem?

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1321
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by openvpn_inc » Tue Aug 22, 2023 2:51 am

Hello,

Security is something that changes over time. What was considered secure and uncrackable 10 years ago may have been revealed to have some exploit or flaw that makes it less secure now. For example at one point in time MD5 hashing was considered secure. Now it is considered weak. Why? Mainly because computing equipment has become much faster at calculating hashes than it was in the past but also because it's not a very strong hashing method. SHA256 and such replaced it.

Newer OpenVPN client software will check for things that are no longer considered secure and will warn you about it. Warnings eventually turn into hard failures as people continue to use it while ignoring warnings. You've reached this point. It is very likely that you're using MD5 hash for the signature in the CA you're currently using. It is very strongly advised that you solve this.

There is the option to go into the OpenVPN Connect settings and set the security level to its lowest possible setting. Things might then still work but you're basically on borrowed time already. You should act and fix this.

Check with ASUS is there have a newer firmware that can generate a CA that has a better signature hash method like SHA256 or such. Or see if you can upload your own. Or if this device is really old, replace it with something newer that does do signature hashing with a more secure method.

Or, you can stick your head in the ground and pretend to be an ostrich and just ignore the hell out of this and install an older version of the software and gamble with the security of your VPN solution. Ultimately the choice is yours.

Good luck,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

robertjm
OpenVpn Newbie
Posts: 6
Joined: Fri May 22, 2015 5:20 am

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by robertjm » Wed Sep 13, 2023 3:20 am

I'm a little confused on this one.

I'm running an M2 Macbook Air using v3.4.2, and it's connecting just fine. But, I tried setting up our accountant's M1 MacBook Pro and it's getting the insecure hash algothrithm message.

In both cases I am using the same OpenVPN configuration file for the connection; which was generated on an M1 Mac Mini computer.

Where is this hash being generated which is screwing up the M1 installation?

Robert

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1321
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by openvpn_inc » Thu Sep 14, 2023 7:34 pm

Hello robertjm,

In a nutshell, whoever or whatever has set up your VPN server had to have generated the certificates. And they were created with an insecure algorithm. You're basically in a situation where your certificates are currently not secure and you should replace them.

Alternatively you can look in the options of OpenVPN Connect and set the security level to a lower setting. That may make it work again for now, but eventually that won't work anymore either with future releases. That's because eventually the underlying library that does the certificate checking will remove support for such an old algorithm. It's just a matter of time.

You could also dig around for an older version of the client, but then you don't get software updates on that and the problem still exists. So it's better to look into replacing those certs. And it would have to be done on the server side and then clients also need a new set of key and cert.

Good luck,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

robertjm
OpenVpn Newbie
Posts: 6
Joined: Fri May 22, 2015 5:20 am

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by robertjm » Fri Sep 15, 2023 12:23 am

Thanks!

I set the server up a couple of years ago. It's on a Late 2012 Mac Mini, so think the max. O/S it can run is macOS Catalina.

But, I'm still not understanding why I'm able to connect using my M2 MacBook Air using the exact same config which bombed out on accountant's M1 MacBook Pro. I wouldn't have dumbed down the security to get mine working. At least I sure don't remember doing that.

I'll have to remote into the server later tonight and look over the settings.

Robert
openvpn_inc wrote:
Thu Sep 14, 2023 7:34 pm
Hello robertjm,

In a nutshell, whoever or whatever has set up your VPN server had to have generated the certificates. And they were created with an insecure algorithm. You're basically in a situation where your certificates are currently not secure and you should replace them...

AI_1
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 09, 2023 11:34 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by AI_1 » Mon Oct 09, 2023 11:35 pm

Have you solved the issue?

I have almost exactly the same
One M1 MacBook Air works well with the VPN profile
while another M1 Max MacBook shows the error message.

I'm totally puzzled.
robertjm wrote:
Fri Sep 15, 2023 12:23 am
But, I'm still not understanding why I'm able to connect using my M2 MacBook Air using the exact same config which bombed out on accountant's M1 MacBook Pro. I wouldn't have dumbed down the security to get mine working. At least I sure don't remember doing that.

I'll have to remote into the server later tonight and look over the settings.

Robert
openvpn_inc wrote:
Thu Sep 14, 2023 7:34 pm
Hello robertjm,

In a nutshell, whoever or whatever has set up your VPN server had to have generated the certificates. And they were created with an insecure algorithm. You're basically in a situation where your certificates are currently not secure and you should replace them...

robertjm
OpenVpn Newbie
Posts: 6
Joined: Fri May 22, 2015 5:20 am

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by robertjm » Tue Oct 10, 2023 12:39 am

Unfortunately I haven't been able to get the user's personal computer back to try and work on it again. :-(

robertjm
OpenVpn Newbie
Posts: 6
Joined: Fri May 22, 2015 5:20 am

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by robertjm » Tue Oct 10, 2023 12:41 am

Unfortunately, I haven't had a chance to get the user's laptop back to try and work on it again. :-( But, I need to in the next few days.

Robert
AI_1 wrote:
Mon Oct 09, 2023 11:35 pm
Have you solved the issue?

I have almost exactly the same
One M1 MacBook Air works well with the VPN profile
while another M1 Max MacBook shows the error message.

I'm totally puzzled.

Verysecure
OpenVpn Newbie
Posts: 4
Joined: Thu Oct 19, 2023 4:27 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by Verysecure » Fri Oct 20, 2023 11:08 am

I experienced the same. I'm using the OpenVPN server on my Asus router.
Not being an expert, this is what I did to revert it to a working situation again.
Note that it failed on my iOS device (v3.4.0) yet still work on the Windows client (v3.3.7). So, also the Windows client would fail as soon as there would be an update. There is actually a pretty clear Warning message still visible on Windows: "WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future". I had noted that before but ignored it... Up till now.

Steps to resolve using my Asus router as example:
On the Asus router
1. Change from SHA1 to SHA256
1a. Go to VPN / VPN Server / OpenVPN / VPN details: advanced / HMAC authentication: change to SHA256
1b. Click Apply
2 Renew the certificate
2a. Go to VPN / VPN Server / OpenVPN and click Renew Certification
3. Export a new 'OpenVPN configuration file'
3a. Go to VPN / VPN Server / OpenVPN and click Export OpenVPN configuration file
3b. Store the .ovpn file with some logical name
4. Optionally you can change the username and password for OpenVPN access, that should probably happen before you export the .ovpn file.
On the OpenVPN clients
1. Send the .ovpn config file to the client device
2. On the OpenVPN client program, suggest to delete the previous profile and install the new profile from the .ovpn file
2a. Process is a bit different for Windows (just upload the file to the Client) and iOS (send the .ovpn file by email, hard-delete email thereafter)

@others: please update/improve were needed!

AWDSOME
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 04, 2023 5:30 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by AWDSOME » Sat Nov 04, 2023 5:33 pm

Thanks for these instructions, I'm having the same issue. I followed them, but I do not have the option to "Renew Certification". I think this is still my outstanding issue even though I cranked up the settings as follows from the configure file:

Code: Select all

remote mydomain.com 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 10 30
comp-lzo adaptive
auth-user-pass
client
auth SHA256
cipher AES-256-CBC
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
...
Any suggestions on how to generate the cert if that is my issue? Can I use RSA 2048 via PuttyGen? I can manually alter it in the ASUS config, but not generate. Thanks in advance.

AWDSOME
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 04, 2023 5:30 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by AWDSOME » Sat Nov 04, 2023 5:45 pm

Ugh... I was able to regenerate the certificates on the Asus router. I needed to stop the service from running, blow out the certs, and then start the service again and it created them with the new parameters.... however, I'm still getting the error in OpenVPN. :-(

Thoughts based on the above config?

Andy90
OpenVpn Newbie
Posts: 2
Joined: Sun Nov 05, 2023 8:50 am

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by Andy90 » Sun Nov 05, 2023 8:51 am

I have the same issue, two months ago this was work, right now not -
I change algorithm to SHA256,delete all keys in cert configuration, restart service to generate new certs, but I still have the same issue.
Which router you have ? My is Asus RT-AC1750U

Andy90
OpenVpn Newbie
Posts: 2
Joined: Sun Nov 05, 2023 8:50 am

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by Andy90 » Sun Nov 05, 2023 12:39 pm

I solved this. I've installed the Open VPN GUI, and in profile file .ovpn I've added on end of lines this script

tls-cipher "DEFAULT:@SECLEVEL=0"

right now my connection works well.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1321
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by openvpn_inc » Mon Nov 06, 2023 12:59 pm

Hello Andy90,

Those settings basically set back the security level of OpenSSL to a much lower level, allowing known insecure certificates and settings to be used again. I would not call that solving the issue, I would call that working around it, maybe even ignoring it.

If you're happy to live with this, then okay. Just be aware that in the future it may not even be possible to do this trick anymore as eventually known insecure methods may get removed entirely. Consider this the right moment to invest some time into figuring out if your existing device can be configured to use something secure, or replace the device with something newer that uses something secure.

I felt like I had to clarify that for visitors of this forum.

Good luck,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

TrowbridgeNick
OpenVpn Newbie
Posts: 1
Joined: Mon Nov 06, 2023 9:30 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by TrowbridgeNick » Mon Nov 06, 2023 9:31 pm

If it helps anyone else, I was having trouble with the 'Renew Certification' stage above, but upgraded the router firmware and the option to renew then became available.

Verysecure
OpenVpn Newbie
Posts: 4
Joined: Thu Oct 19, 2023 4:27 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by Verysecure » Tue Nov 07, 2023 8:03 am

On renewing the certificate as mentioned in my post earlier: this was on an Asus RT-AC88U router running (the most recent) 3.0.0.4.386_48260 firmware. As far as I recall, no special steps needed to renew the certificate. Apologies for not being able to be more specific.

AWDSOME
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 04, 2023 5:30 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by AWDSOME » Sat Nov 18, 2023 9:24 pm

I still can't figure this out. I'm running an ASUS RT-AC66U Router.

@openvpn_inc - Do you see anything insecure with the config I posted above on Nov 4th? I don't... so really lost where to go from here.

Thanks.

ooounohu
OpenVpn Newbie
Posts: 4
Joined: Wed Nov 29, 2023 9:29 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by ooounohu » Wed Nov 29, 2023 10:00 pm

Also experiencing this behavior with iOS app 3.4.1.5463 and ASUS RT-ACRH17 3.0.0.4.382_52517-gb4d36a6.

I know the router and its firmware is older. There are no updates for this model. OpenVPN is version 2.4.7 and OpenSSL is version 1.0.2u. At least, that's what I've gleaned from the system log available in the router GUI.

There is no "Renew Certificates" button but I believe I have successfully renewed them via the "Content modification of Keys & Certification." link in the VPN GUI configuration. I just deleted all of the content within, click "Apply", waited for the router to restart the service and build the new certs.

Unfortunately, like others have reported here, that has not resolved the behavior. The iOS client still complains about the CA signature.

Next, I pulled the certs out of the generated .opvn file and found that the CA and server certs are using a signature algorithm of "SHA1 with RSA" despite the router GUI configuration using nothing but SHA 256 for all applicable settings. Honestly, I don't know if this is the cause of the behavior or not.

Code: Select all

$ openssl x509 -in ca.crt -noout -text | grep Signature
Signature Algorithm: sha1WithRSAEncryption
Here is what I believe to be the OpenVPN configuration file generated by the GUI:

Code: Select all

# Automatically generated configuration

# Tunnel options
proto udp4
multihome
port 1194
dev tun21
sndbuf 0
rcvbuf 0
keepalive 10 30
up '/etc/openvpn/ovpn-up'
down '/etc/openvpn/ovpn-down'
setenv ovpn_type 0
setenv unit 1
script-security 2
daemon vpnserver1
verb 3
status-version 2
status status 10
comp-lzo adaptive
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn

# Server Mode
server 10.8.0.0 255.255.255.0
client-config-dir ccd
client-to-client
duplicate-cn
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"

# Data Channel Encryption Options
auth SHA256
cipher AES-256-CBC

# TLS Mode Options
ca ca.crt
dh dh.pem
cert server.crt
key server.key
The OpenVPN states the OpenSSL library is capable of the following TLS ciphers but I'll note that the ciphers available in the GUI are limited to only the CBC variants:

Code: Select all

# openvpn --show-tls
Available TLS Ciphers, listed in order of preference:

For TLS 1.2 and older (--tls-cipher):

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
At this point, I feel I've learned enough to be dangerous but I really don't know if anything I'm theorizing is accurate. So, I'm not sure where to go from here. I would like to continue to use the OpenVPN server available in my ASUS router without decreasing the security setting within the newer client.

AWDSOME
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 04, 2023 5:30 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by AWDSOME » Wed Nov 29, 2023 11:34 pm

ooounohu wrote:
Wed Nov 29, 2023 10:00 pm
Next, I pulled the certs out of the generated .opvn file and found that the CA and server certs are using a signature algorithm of "SHA1 with RSA" despite the router GUI configuration using nothing but SHA 256 for all applicable settings. Honestly, I don't know if this is the cause of the behavior or not.
That's a good find. I wonder if this is a case of our routers not producing the right algorithm. But I'm in the same boat as you, my router hasn't had an update in years.
ooounohu wrote:
Wed Nov 29, 2023 10:00 pm
At this point, I feel I've learned enough to be dangerous but I really don't know if anything I'm theorizing is accurate. So, I'm not sure where to go from here. I would like to continue to use the OpenVPN server available in my ASUS router without decreasing the security setting within the newer client.
Same here. OpenVPN Support - Can you please check over and verify that our configs look as expected? We could also send you our keys (privately) to verify they would be okay or not.

ooounohu
OpenVpn Newbie
Posts: 4
Joined: Wed Nov 29, 2023 9:29 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by ooounohu » Fri Dec 01, 2023 11:20 pm

AWDSOME wrote:
Wed Nov 29, 2023 11:34 pm
Same here. OpenVPN Support - Can you please check over and verify that our configs look as expected? We could also send you our keys (privately) to verify they would be okay or not.
With no offence slung toward the excellent heroes in this OpenVPN Community Support Forum, I suspect we're either:
  1. In the wrong section as our experience is actually caused by the OpenVPN server embedded in our routers.
  2. On our own to support our aged OpenVPN server embedded in our routers.
  3. All of the above.

Post Reply