OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Support forum for Easy-RSA certificate management suite.

Moderators: TinCanTech

ooounohu
OpenVpn Newbie
Posts: 4
Joined: Wed Nov 29, 2023 9:29 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by ooounohu » Fri Dec 08, 2023 4:48 pm

This is the root cause of our experience (in my case, an ASUS RT-ACRH17 with 3.0.0.4.382_52517 firmware which includes OpenVPN 2.4.7 and OpenSSL 1.0.2u): default_md = md5 which resides in /etc/openssl.cnf.

Changing settings and regenerating keys within the GUI will not help the situation because OpenSSL will ALWAYS use MD5 for signatures.

Now on the hunt for a proper method to generate proper certs and keys.

The /etc/openssl.cnf file is write protected in this case so it's not as simple as adjusting the md5 to sha256 and regenerating keys and certs.

All of the Keys and Certification objects are stored as files on the router in /etc/openvpn/server1:
  • Certificate Authority: ca.crt
  • Server Certificate: server.crt
  • Server Key: server.key
  • Diffie Hellman parameters: dh.pem
I suspect there is a way to use the OpenSSL binaries within the router firmware to generate proper certs and keys so I'm going down that road first. If that doesn't work then I suspect another computer could be used to generate proper certs and keys. I assume they can be jammed into the "Content Modification of Keys & Certification" interface to allow the router to create a proper client.ovpn file OR jammed into the client.ovpn file post download.

This shouldn't be difficult. I just don't know OpenSSL well enough to do it at the moment.

usr
OpenVpn Newbie
Posts: 2
Joined: Thu Dec 28, 2023 7:49 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by usr » Thu Dec 28, 2023 8:20 pm

ooounohu wrote:
Fri Dec 08, 2023 4:48 pm
This is the root cause of our experience (in my case, an ASUS RT-ACRH17 with 3.0.0.4.382_52517 firmware which includes OpenVPN 2.4.7 and OpenSSL 1.0.2u): default_md = md5 which resides in /etc/openssl.cnf.
I have the same OpenVPN and OpenSSL versions on my ASUS RT-AC1300GPLUS.
I ran "openssl x509 -in ca.crt -noout -text | grep Signature" and I got the same Signature Algorithm: sha1WithRSAEncryption.

Did you make any progress on this, or find a workaround?

For your model specifically, you may be able to install openwrt which could help, it seems like your model is supported: https://openwrt.org/toh/hwdata/asus/asus_rt-ac42u
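The check run above (`openssl x509 -in ca.crt -noout -text | grep Signature`) depends on the router's own OpenSSL binary. As an added example that is not from any poster in this thread, the script below does the same classification offline on the `<ca>` block inside an exported .ovpn profile, so an administrator can tell whether a profile still carries an MD5- or SHA1-signed CA before handing it to clients. It reads only the outer DER signatureAlgorithm field with a minimal parser; the sample profile and the certificate skeleton inside it are constructed for the demonstration and contain no real key material.

```python
import base64
import re

SIG_OIDS = {  # RSA signature-algorithm OIDs: (name, is_weak) for MD5 / SHA1 / SHA256
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of an X.509 DER certificate."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE {
    _, _, pos = _read_tlv(cert, 0)        #   tbsCertificate      (skipped here)
    _, sig_alg, _ = _read_tlv(cert, pos)  #   signatureAlgorithm  SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(sig_alg, 0)   #   signatureValue      BIT STRING }
    return _decode_oid(oid)

def check_ovpn_ca(ovpn_text):
    """Locate the inline <ca> PEM block of an .ovpn profile -> (algorithm name, is_weak)."""
    m = re.search(r"<ca>\s*-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", ovpn_text, re.S)
    if not m:
        raise ValueError("no inline <ca> block found")
    oid = signature_algorithm(base64.b64decode("".join(m.group(1).split())))
    return SIG_OIDS.get(oid, (oid, None))  # unknown OID: dotted string, weak=None

# Constructed sample input (hypothetical, not a real certificate): a DER skeleton with the
# outer layout of a Certificate, so the check above can be exercised offline.
def _tlv(tag, content):
    n = len(content)
    hdr = [tag, n] if n < 0x80 else [tag, 0x81, n] if n < 0x100 else [tag, 0x82, n >> 8, n & 0xFF]
    return bytes(hdr) + content
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11

def sample_ovpn(sig_oid_der):
    tbs = _tlv(0x30, b"\x05\x00" * 100)                      # dummy tbsCertificate
    sig = _tlv(0x30, _tlv(0x06, sig_oid_der) + b"\x05\x00")  # AlgorithmIdentifier { OID, NULL }
    cert = _tlv(0x30, tbs + sig + _tlv(0x03, b"\x00" + b"\xab" * 128))
    return ("client\ndev tun\nremote router.example 1194\n<ca>\n-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n</ca>\n")
```

Run `check_ovpn_ca(open("client.ovpn").read())` against a real exported profile; a `True` in the second field means the CA will trip the "insecure hash algorithm" check in OpenVPN Connect 3.4.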

ooounohu
OpenVpn Newbie
Posts: 4
Joined: Wed Nov 29, 2023 9:29 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by ooounohu » Fri Jan 12, 2024 4:59 pm

usr wrote:
Thu Dec 28, 2023 8:20 pm
Did you make any progress on this, or find a workaround?

For your model specifically, you may be able to install openwrt which could help, it seems like your model is supported: https://openwrt.org/toh/hwdata/asus/asus_rt-ac42u
I have not spent any additional time/effort on it. I've somewhat landed on purchasing a new router with similar OpenVPN capabilities or just standing up a separate host. Not to ding OpenVPN in any way, I've also considered Tailscale as an alternative.

Thanks for the link to OpenWRT. I'll check it out as well.

devbias
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2024 10:35 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by devbias » Mon Feb 05, 2024 10:44 pm

Verysecure wrote:
Fri Oct 20, 2023 11:08 am
I experienced the same. I'm using the OpenVPN server on my Asus router.
Not being an expert, this is what I did to revert it to a working situation again.
Note that it failed on my iOS device (v3.4.0) yet still works on the Windows client (v3.3.7). So the Windows client would also fail as soon as there was an update. There is actually a pretty clear Warning message still visible on Windows: "WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future". I had noted that before but ignored it... Up till now.

Steps to resolve using my Asus router as example:
On the Asus router
1. Change from SHA1 to SHA256
1a. Go to VPN / VPN Server / OpenVPN / VPN details: advanced / HMAC authentication: change to SHA256
1b. Click Apply
2. Renew the certificate
2a. Go to VPN / VPN Server / OpenVPN and click Renew Certification
3. Export a new 'OpenVPN configuration file'
3a. Go to VPN / VPN Server / OpenVPN and click Export OpenVPN configuration file
3b. Store the .ovpn file with some logical name
4. Optionally you can change the username and password for OpenVPN access, that should probably happen before you export the .ovpn file.
On the OpenVPN clients
1. Send the .ovpn config file to the client device
2. On the OpenVPN client program, suggest to delete the previous profile and install the new profile from the .ovpn file
2a. Process is a bit different for Windows (just upload the file to the Client) and iOS (send the .ovpn file by email, hard-delete email thereafter)

@others: please update/improve where needed!
I have the exact same router running firmware Version: 9.0.0.4.386_41994-g769f84f
Changed it to SHA256 but I cannot find Renew Certification.
Downloaded a new configuration file and imported it to the OpenVPN app on both iOS and Android but still get the same insecure hash error, so I guess the critical part is renewing the certificate, which I cannot find. Can anyone offer help?

AWDSOME
OpenVpn Newbie
Posts: 7
Joined: Sat Nov 04, 2023 5:30 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by AWDSOME » Tue Feb 06, 2024 6:42 pm

devbias wrote:
Mon Feb 05, 2024 10:44 pm
I have the exact same router running firmware Version: 9.0.0.4.386_41994-g769f84f
Changed it to SHA256 but I cannot find Renew Certification.
Downloaded a new configuration file and imported it to the OpenVPN app on both iOS and Android but still get the same insecure hash error, so I guess the critical part is renewing the certificate, which I cannot find. Can anyone offer help?
It's earlier on in this thread, as I had the same issue....
ooounohu wrote:
Wed Nov 29, 2023 10:00 pm
I just deleted all of the content within, clicked "Apply", and waited for the router to restart the service and build the new certs.
Still didn't solve this issue though. Seems like we're SOL with these older routers. I still haven't gotten it resolved.

devbias
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2024 10:35 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by devbias » Tue Feb 06, 2024 7:14 pm

I have now managed to get the Renew Certification button with the latest firmware.
Set up as per Verysecure's post.
The insecure hash message has now gone on my OpenVPN client app, but it never connects successfully. I read the log on my router and it reports a TLS handshake error.
So I have gone from a vulnerable OpenVPN to nothing at all now.

Does anyone have a screenshot of a working RT-AC88U I can compare the advanced settings with?

devbias
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2024 10:35 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by devbias » Tue Feb 06, 2024 7:16 pm

AWDSOME wrote:
Tue Feb 06, 2024 6:42 pm
devbias wrote:
Mon Feb 05, 2024 10:44 pm
I have the exact same router running firmware Version: 9.0.0.4.386_41994-g769f84f
Changed it to SHA256 but I cannot find Renew Certification.
Downloaded a new configuration file and imported it to the OpenVPN app on both iOS and Android but still get the same insecure hash error, so I guess the critical part is renewing the certificate, which I cannot find. Can anyone offer help?
It's earlier on in this thread, as I had the same issue....
ooounohu wrote:
Wed Nov 29, 2023 10:00 pm
I just deleted all of the content within, clicked "Apply", and waited for the router to restart the service and build the new certs.
Still didn't solve this issue though. Seems like we're SOL with these older routers. I still haven't gotten it resolved.
Oh no :o
Not what I wanted to hear, as I can't even get it going again with my old configuration.

devbias
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2024 10:35 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by devbias » Tue Feb 06, 2024 10:19 pm

Spent all night trying to get this going again. Rolled the firmware back and put it back to SHA1 but still getting the TLS handshake errors with the old configuration that worked before.
Did a factory reset and put the latest firmware back on and set it to SHA256 with encryption cipher AES-128-CBC and a brand new clean configuration file to put in the OpenVPN client apps on both Android and iOS, but both still not connecting. Router log still showing TLS handshake error.
Can anyone shed some light to help resolve this, or would Merlin firmware be the way forward?
Don't really wanna go the Merlin route as I have never used it, but I really need to get my OpenVPN server back running.
PLEASE HELP !!

devbias
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 05, 2024 10:35 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by devbias » Thu Feb 08, 2024 1:18 pm

UPDATE for anyone else with an Asus RT-AC88U
I can confirm OpenVPN will work on this router using SHA256.
As per my previous posts I had tried to eliminate DNS issues and forced certificate renewal but still couldn't get the Asus to work with SHA256.
It was only when I reverted back to SHA1 and was getting the same TLS handshake error that I suspected a bug or corruption somewhere.
I did a factory reset of the router and installed the latest firmware from the Asus support page.
Reconfigured my DHCP/static pool and WiFi SSID.
Configured my OpenVPN server to SHA256 with cipher AES-128-CBC, applied the settings, then exported the client file and hey presto, it worked on both iOS and Android devices.

I know it's not the best solution to have to rebuild your router from scratch again, but at least it works.
I can only assume that loading my old router configuration file after a factory reset was reintroducing the bug.

AWDSOME
OpenVpn Newbie
Posts: 7
Joined: Sat Nov 04, 2023 5:30 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by AWDSOME » Thu Feb 08, 2024 2:56 pm

Interesting, glad to hear you got it working. I've got the RT-AC66U, which hasn't had new firmware released since August 2020. There's a newer beta version firmware which I might try... but given lack of support for this router I'm not sure I want to go down this road. But at this point I have nothing to lose but a router that isn't working with OpenVPN any more. ;)

I'll give this some time this weekend and see if I can follow your method and also get it operational. Thanks!

nuraman00
OpenVpn Newbie
Posts: 7
Joined: Sat Dec 22, 2018 9:12 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by nuraman00 » Mon Mar 11, 2024 7:43 am

AWDSOME wrote:
Thu Feb 08, 2024 2:56 pm
Interesting, glad to hear you got it working. I've got the RT-AC66U, which hasn't had new firmware released since August 2020. There's a newer beta version firmware which I might try... but given lack of support for this router I'm not sure I want to go down this road. But at this point I have nothing to lose but a router that isn't working with OpenVPN any more. ;)

I'll give this some time this weekend and see if I can follow your method and also get it operational. Thanks!
Did you get it working with your router? What steps did you take?

I have an ASUS RT-AC86U. Was wondering what steps would work for this router.

AWDSOME
OpenVpn Newbie
Posts: 7
Joined: Sat Nov 04, 2023 5:30 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by AWDSOME » Mon Mar 11, 2024 12:34 pm

nuraman00 wrote:
Mon Mar 11, 2024 7:43 am
Did you get it working with your router?
Nope. I gave up and bought a new router a couple weeks ago. Got a Unifi UXG-Lite that supports Wireguard, it works great.

usr
OpenVpn Newbie
Posts: 2
Joined: Thu Dec 28, 2023 7:49 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by usr » Wed Mar 20, 2024 11:25 am

smit56 wrote:
Fri Mar 15, 2024 11:21 am
might lead one to question the security implications. They might wonder if it compromises data integrity or exposes vulnerabilities.
The security implications are pretty clear, the VPN server version that is installed on these routers is outdated, insecure and not user serviceable and you probably shouldn't use it. If you do, that's your decision.
smit56 wrote:
Fri Mar 15, 2024 11:21 am
Seeking clarification from OpenVPN support, reviewing recent updates or patches, and implementing recommended security measures could offer solutions to address this issue and ensure a secure VPN connection.
Why do you think OpenVPN is at fault here? If you want to seek clarification from anyone, it would be the router's manufacturer who doesn't provide an updated firmware with a newer OpenVPN server. Even then, these are pretty old, consumer grade devices, I think it's reasonable to say it's out of scope of support at this point to update all the old routers with new firmware as this would take lots of resources to develop and test.

I suggest buying a device that lets you install your own router OS like openwrt - then you have full control over your router and can install or update whatever you want; or run the VPN server on another machine on your network like a server, or a raspberry pi.

nuraman00
OpenVpn Newbie
Posts: 7
Joined: Sat Dec 22, 2018 9:12 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by nuraman00 » Sat Mar 23, 2024 1:31 am

Verysecure wrote:
Fri Oct 20, 2023 11:08 am
I experienced the same. I'm using the OpenVPN server on my Asus router.
Not being an expert, this is what I did to revert it to a working situation again.
Note that it failed on my iOS device (v3.4.0) yet still works on the Windows client (v3.3.7). So the Windows client would also fail as soon as there was an update. There is actually a pretty clear Warning message still visible on Windows: "WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future". I had noted that before but ignored it... Up till now.

Steps to resolve using my Asus router as example:
On the Asus router
1. Change from SHA1 to SHA256
1a. Go to VPN / VPN Server / OpenVPN / VPN details: advanced / HMAC authentication: change to SHA256
1b. Click Apply
2. Renew the certificate
2a. Go to VPN / VPN Server / OpenVPN and click Renew Certification
3. Export a new 'OpenVPN configuration file'
3a. Go to VPN / VPN Server / OpenVPN and click Export OpenVPN configuration file
3b. Store the .ovpn file with some logical name
4. Optionally you can change the username and password for OpenVPN access, that should probably happen before you export the .ovpn file.
On the OpenVPN clients
1. Send the .ovpn config file to the client device
2. On the OpenVPN client program, suggest to delete the previous profile and install the new profile from the .ovpn file
2a. Process is a bit different for Windows (just upload the file to the Client) and iOS (send the .ovpn file by email, hard-delete email thereafter)

@others: please update/improve where needed!
I don't see a step for step 2A to renew certification.

Here's a screen shot:

https://i.imgur.com/LSRDK5b.png

Other than that, I did the rest of the steps.

I deleted and re-added a user name and password, as shown in the screen shot at the bottom.

I exported the .ovpn file. I sent it to the clients.

I imported the .ovpn file via OpenVPN. I still get the error about it being an insecure CA signature.

Here's a screen shot of my advanced settings. Do I need to change the encryption cipher?

https://i.imgur.com/WxQDXqB.png

nuraman00
OpenVpn Newbie
Posts: 7
Joined: Sat Dec 22, 2018 9:12 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by nuraman00 » Sat Mar 23, 2024 1:33 am

I am on an ASUS RT-AC86U. Firmware 3.0.0.4.384_21045.

I tried updating to the latest firmware. When I do check for update, it says it can't connect to the Asus server. When I download the firmware manually and try importing, the router can't update the firmware.

nuraman00
OpenVpn Newbie
Posts: 7
Joined: Sat Dec 22, 2018 9:12 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by nuraman00 » Sat Mar 23, 2024 1:57 am

Just to make sure I understand correctly, the user name and password I enter at the bottom of here:

https://i.imgur.com/LSRDK5b.png

Is the same that I enter when I upload my .ovpn file to my Android client, correct? After I upload my profile file, it asks me to enter a user name and password. I enter the same one that I had done on that router vpn server config screen, correct?

nuraman00
OpenVpn Newbie
Posts: 7
Joined: Sat Dec 22, 2018 9:12 pm

Re: OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

Post by nuraman00 » Sat Mar 23, 2024 7:52 am

devbias wrote:
Thu Feb 08, 2024 1:18 pm
UPDATE for anyone else with an Asus RT-AC88U
I can confirm OpenVPN will work on this router using SHA256.
As per my previous posts I had tried to eliminate DNS issues and forced certificate renewal but still couldn't get the Asus to work with SHA256.
It was only when I reverted back to SHA1 and was getting the same TLS handshake error that I suspected a bug or corruption somewhere.
I did a factory reset of the router and installed the latest firmware from the Asus support page.
Reconfigured my DHCP/static pool and WiFi SSID.
Configured my OpenVPN server to SHA256 with cipher AES-128-CBC, applied the settings, then exported the client file and hey presto, it worked on both iOS and Android devices.

I know it's not the best solution to have to rebuild your router from scratch again, but at least it works.
I can only assume that loading my old router configuration file after a factory reset was reintroducing the bug.
How did you regenerate the certificate?

I also tried installing the latest firmware, but would get an error.
