OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech

ooounohu
OpenVpn Newbie
Posts: 4
Joined: Wed Nov 29, 2023 9:29 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by ooounohu » Fri Dec 08, 2023 4:48 pm

This is the root cause of our experience (in my case, an ASUS RT-ACRH17 with 3.0.0.4.382_52517 firmware which includes OpenVPN 2.4.7 and OpenSSL 1.0.2u): default_md = md5 which resides in /etc/openssl.cnf.

Changing settings and regenerating keys within the GUI will not help the situation because OpenSSL will ALWAYS use MD5 for signatures.

Now on the hunt for a proper method to generate proper certs and keys.

The /etc/openssl.cnf file is write protected in this case so it's not as simple as adjusting the md5 to sha256 and regenerating keys and certs.

All of the Keys and Certification objects are stored as files on the router in /etc/openvpn/server1:
  • Certificate Authority: ca.crt
  • Server Certificate: server.crt
  • Server Key: server.key
  • Diffie Hellman parameters: dh.pem
I suspect there is a way to use the OpenSSL binaries within the router firmware to generate proper certs and keys so I'm going down that road first. If that doesn't work then I suspect another computer could be used to generate proper certs and keys. I assume they can be jammed into the "Content Modification of Keys & Certification" interface to allow the router to create a proper client.ovpn file OR jammed into the client.ovpn file post download.

This shouldn't be difficult. I just don't know OpenSSL well enough to do it at the moment.

usr
OpenVpn Newbie
Posts: 1
Joined: Thu Dec 28, 2023 7:49 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by usr » Thu Dec 28, 2023 8:20 pm

ooounohu wrote:
Fri Dec 08, 2023 4:48 pm
This is the root cause of our experience (in my case, an ASUS RT-ACRH17 with 3.0.0.4.382_52517 firmware which includes OpenVPN 2.4.7 and OpenSSL 1.0.2u): default_md = md5 which resides in /etc/openssl.cnf.
I have the same OpenVPN and OpenSSL versions on my ASUS RT-AC1300GPLUS.
I ran "openssl x509 -in ca.crt -noout -text | grep Signature" and I got the same Signature Algorithm: sha1WithRSAEncryption.

Did you make any progress on this, or find a workaround?

For your model specifically, you may be able to install openwrt which could help, it seems like your model is supported: https://openwrt.org/toh/hwdata/asus/asus_rt-ac42u
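An added example (not code posted by anyone in this thread) covering two points raised above: ooounohu's plan to generate proper certs and keys with the OpenSSL binaries despite a read-only /etc/openssl.cnf that sets default_md = md5, and the signature-algorithm check usr ran with openssl x509. The script writes its own config copy so the system openssl.cnf is never consulted, and additionally passes -sha256 explicitly on every signing step, so the result does not depend on what default_md says. The working directory, file names, subject names and lifetimes are assumptions for the example; on a router you would substitute the paths ooounohu listed (/etc/openvpn/server1/ca.crt, server.crt, server.key). dh.pem is not touched because DH parameters carry no signature and are unaffected by the hash setting.

```shell
#!/bin/sh
# Added example: issue a SHA-256 signed CA and server certificate with the
# openssl CLI even when the system openssl.cnf says "default_md = md5",
# then verify the signature algorithm the way usr did in the thread.
set -eu

WORK="$(mktemp -d)"   # assumption: scratch dir; use the router's cert dir in practice

# A private config copy sidesteps a write-protected /etc/openssl.cnf.
# (OPENSSL_CONF=path would also work; -config is used here to be explicit.)
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
default_md          = sha256
distinguished_name  = req_dn
x509_extensions     = v3_ca
prompt              = no
[ req_dn ]
CN = example-ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

make_certs() {
  # 1. Self-signed CA. -sha256 overrides default_md regardless of any config.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # 2. Server key and CSR (subject supplied on the command line).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-server" \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # 3. CA signs the CSR; SHA-256 is forced again on the signing step itself.
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$WORK/openssl.cnf" -extensions v3_server \
    -out "$WORK/server.crt" 2>/dev/null
}

sig_alg() {
  # Prints the signature algorithm name, e.g. sha256WithRSAEncryption.
  # Same check usr posted, trimmed to the algorithm token only.
  openssl x509 -in "$1" -noout -text \
    | grep 'Signature Algorithm' | head -n 1 | awk '{print $NF}'
}

is_weak_sig() {
  # True (exit 0) when the certificate is signed with MD5 or SHA-1,
  # i.e. exactly what OpenVPN Connect 3.4 rejects.
  case "$(sig_alg "$1")" in
    md5*|sha1*) return 0 ;;
    *)          return 1 ;;
  esac
}

make_certs
for f in ca.crt server.crt; do
  if is_weak_sig "$WORK/$f"; then
    echo "$f: WEAK signature ($(sig_alg "$WORK/$f"))"
  else
    echo "$f: ok ($(sig_alg "$WORK/$f"))"
  fi
done
```

The extensions are taken from a config section rather than -addext so the same commands work on the OpenSSL 1.0.2u build shipped in the router firmware, which predates -addext. Run is_weak_sig against the existing ca.crt and server.crt first: a sha1WithRSAEncryption or md5WithRSAEncryption result means the whole chain has to be reissued, because a client that refuses SHA-1 signatures will reject the CA certificate itself, not just the server leaf.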

ooounohu
OpenVpn Newbie
Posts: 4
Joined: Wed Nov 29, 2023 9:29 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by ooounohu » Fri Jan 12, 2024 4:59 pm

usr wrote:
Thu Dec 28, 2023 8:20 pm
Did you make any progress on this, or find a workaround?

For your model specifically, you may be able to install openwrt which could help, it seems like your model is supported: https://openwrt.org/toh/hwdata/asus/asus_rt-ac42u
I have not spent any additional time/effort on it. I've somewhat landed on purchasing a new router with similar OpenVPN capabilities or just standing up a separate host. Not to ding OpenVPN in any way, I've also considered Tailscale as an alternative.

Thanks for the link to OpenWRT. I'll check it out as well.

devbias
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2024 10:35 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by devbias » Mon Feb 05, 2024 10:44 pm

Verysecure wrote:
Fri Oct 20, 2023 11:08 am
I experienced the same. I'm using the OpenVPN server on my Asus router.
Not being an expert, this is what I did to revert it to a working situation again.
Note that it failed on my iOS device (v3.4.0) yet still works on the Windows client (v3.3.7). So, the Windows client would also fail as soon as there is an update. There is actually a pretty clear Warning message still visible on Windows: "WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future". I had noted that before but ignored it... Up till now.

Steps to resolve using my Asus router as example:
On the Asus router
1. Change from SHA1 to SHA256
1a. Go to VPN / VPN Server / OpenVPN / VPN details: advanced / HMAC authentication: change to SHA256
1b. Click Apply
2 Renew the certificate
2a. Go to VPN / VPN Server / OpenVPN and click Renew Certification
3. Export a new 'OpenVPN configuration file'
3a. Go to VPN / VPN Server / OpenVPN and click Export OpenVPN configuration file
3b. Store the .ovpn file with some logical name
4. Optionally you can change the username and password for OpenVPN access, that should probably happen before you export the .ovpn file.
On the OpenVPN clients
1. Send the .ovpn config file to the client device
2. On the OpenVPN client program, suggest to delete the previous profile and install the new profile from the .ovpn file
2a. Process is a bit different for Windows (just upload the file to the Client) and iOS (send the .ovpn file by email, hard-delete email thereafter)

@others: please update/improve where needed!
I have the exact same router running firmware Version : 9.0.0.4.386_41994-g769f84f
Changed to SHA256 but I cannot find Renew Certification.
Downloaded a new configuration file and imported it into the OpenVPN app on both iOS and Android, but I still get the same insecure hash error, so I guess the critical part is renewing the certificate, which I cannot find. Can anyone offer help?

AWDSOME
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 04, 2023 5:30 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by AWDSOME » Tue Feb 06, 2024 6:42 pm

devbias wrote:
Mon Feb 05, 2024 10:44 pm
I have the exact same router running firmware Version : 9.0.0.4.386_41994-g769f84f
Changed to SHA256 but I cannot find Renew Certification.
Downloaded a new configuration file and imported it into the OpenVPN app on both iOS and Android, but I still get the same insecure hash error, so I guess the critical part is renewing the certificate, which I cannot find. Can anyone offer help?
It's earlier on in this thread, as I had the same issue....
ooounohu wrote:
Wed Nov 29, 2023 10:00 pm
I just deleted all of the content within, click "Apply", waited for the router to restart the service and build the new certs.
Still didn't solve this issue though. Seems like we're SOL with these older routers. I still haven't gotten it resolved.

devbias
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2024 10:35 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by devbias » Tue Feb 06, 2024 7:14 pm

I have now managed to get the renew certification button with the latest firmware.
Set up as per Verysecure's post.
The insecure hash message has now gone on my openvpn client app but it never connects successfully. I read the log on my router and it reports TLS handshake error.
So I have gone from a vulnerable openvpn to nothing at all now :roll:

Does anyone have a screen shot of a working RT-AC88U I can compare the advanced settings

devbias
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2024 10:35 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by devbias » Tue Feb 06, 2024 7:16 pm

AWDSOME wrote:
Tue Feb 06, 2024 6:42 pm
devbias wrote:
Mon Feb 05, 2024 10:44 pm
I have the exact same router running firmware Version : 9.0.0.4.386_41994-g769f84f
Changed to SHA256 but I cannot find Renew Certification.
Downloaded a new configuration file and imported it into the OpenVPN app on both iOS and Android, but I still get the same insecure hash error, so I guess the critical part is renewing the certificate, which I cannot find. Can anyone offer help?
It's earlier on in this thread, as I had the same issue....
ooounohu wrote:
Wed Nov 29, 2023 10:00 pm
I just deleted all of the content within, click "Apply", waited for the router to restart the service and build the new certs.
Still didn't solve this issue though. Seems like we're SOL with these older routers. I still haven't gotten it resolved.
Oh no :o
Not what I wanted to hear as I can’t even get it going again with my old configuration

devbias
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2024 10:35 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by devbias » Tue Feb 06, 2024 10:19 pm

Spent all night trying to get this going again. Rolled the firmware back and put back to SHA1 but still getting the TLS handshake errors with the old configuration that worked before.
Done a factory reset and put the latest firmware back on and set to SHA256 with encryption cipher AES-128-CBC and a brand new clean configuration file to put in the OpenVPN client apps on both Android and iOS, but both still not connecting. Router log still showing TLS handshake error.
Can anyone shed some light to help resolve or would Merlin firmware be the way forward.
Don’t really wanna go the Merlin route as I have never used it but really need to get my openvpn server back running.
PLEASE HELP !!

devbias
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2024 10:35 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by devbias » Thu Feb 08, 2024 1:18 pm

UPDATE for anyone else with an Asus RT-AC88U
I can confirm OpenVPN will work on this router using SHA256.
As per my previous posts I had tried to eliminate DNS issues and certificate forced renew but still couldn't get the Asus to work with SHA256.
It was only when I reverted back to SHA1 and was getting the same TLS handshake error that I suspected a bug or corruption somewhere.
I did a factory reset of the router and installed the latest firmware from the Asus support page.
Reconfigured my DHCP/Static pool and wifi SSID
Configured my OpenVPN server to SHA256 with cipher AES-128-CBC, applied the settings, then exported the client file and hey presto, it worked on both iOS and Android devices.

I know it’s not the best solution to have to rebuild your router from scratch again but at least it works.
I can only assume that loading my old router configuration file after a factory reset was reintroducing the bug.

AWDSOME
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 04, 2023 5:30 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by AWDSOME » Thu Feb 08, 2024 2:56 pm

Interesting, glad to hear you got it working. I've got the RT-AC66U, which hasn't had new firmware released since August 2020. There's a newer beta version firmware which I might try... but given lack of support for this router I'm not sure I want to go down this road. But at this point I have nothing to lose but a router that isn't working with OpenVPN any more. ;)

I'll give this some time this weekend and see if I can follow your method and also get it operational. Thanks!
