Work with client 2.4.6 "md certificates too weak"

Scripts to manage certificates or generate config files
Post Reply
a_roman
OpenVpn Newbie
Posts: 6
Joined: Mon Sep 03, 2018 1:28 pm

Work with client 2.4.6 "md certificates too weak"

Post by a_roman » Mon Sep 03, 2018 1:31 pm

became available version of the client 2,4,6. on it produces an error: "md certificates too weak"
Tell me what to do about it.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5002
Joined: Fri Jun 03, 2016 1:17 pm

Re: Work with client 2.4.6

Post by TinCanTech » Mon Sep 03, 2018 1:38 pm

You need to create a new PKI.

https://github.com/OpenVPN/easy-rsa/releases

novaflash
I should be on the dev team.
Posts: 752
Joined: Fri Apr 13, 2012 8:43 pm

Re: Work with client 2.4.6

Post by novaflash » Mon Sep 03, 2018 1:38 pm

You should get stronger certificates. The MD5 signed certificates are so weak it is a security risk. We've given people a very long time to warn them about this and to migrate away to a proper implementation, but now we're reaching a point where we're protecting people from insecure connections.

a_roman
OpenVpn Newbie
Posts: 6
Joined: Mon Sep 03, 2018 1:28 pm

Re: Work with client 2.4.6

Post by a_roman » Mon Sep 03, 2018 1:50 pm

What actions should I take to do this?
Creating a new PKI implies a new server?
Can I support old clients with md5 certificates and a new pki?
Last edited by a_roman on Mon Sep 03, 2018 2:00 pm, edited 2 times in total.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5002
Joined: Fri Jun 03, 2016 1:17 pm

Re: Work with client 2.4.6

Post by TinCanTech » Mon Sep 03, 2018 1:57 pm

a_roman wrote:
Mon Sep 03, 2018 1:50 pm
What actions should I take to do this?
Read the EasyRSA help.
a_roman wrote:
Mon Sep 03, 2018 1:50 pm
Creating a new PKI implies a new server?
No .. a new PKI is new CA, certificates and keys of the current server and all clients.
a_roman wrote:
Mon Sep 03, 2018 1:50 pm
Can I support old clients with md5 certificates and a new pki?
No! and you don't want to either.

Note:
novaflash wrote:
Mon Sep 03, 2018 1:38 pm
The MD5 signed certificates are so weak it is a security risk. We've given people a very long time to warn them about this and to migrate away to a proper implementation, but now we're reaching a point where we're protecting people from insecure connections.
You have had enough time.

You can still use MD5 but you may as well not use a VPN at all if you do because you will have NO security and be open to attack.

a_roman
OpenVpn Newbie
Posts: 6
Joined: Mon Sep 03, 2018 1:28 pm

Re: Work with client 2.4.6 "md certificates too weak"

Post by a_roman » Mon Sep 03, 2018 2:00 pm

And another question. Are there any dependencies when updating the release from 14 to 18?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5002
Joined: Fri Jun 03, 2016 1:17 pm

Re: Work with client 2.4.6 "md certificates too weak"

Post by TinCanTech » Mon Sep 03, 2018 2:03 pm

a_roman wrote:
Mon Sep 03, 2018 2:00 pm
release from 14 to 18
of what ?

a_roman
OpenVpn Newbie
Posts: 6
Joined: Mon Sep 03, 2018 1:28 pm

Re: Work with client 2.4.6 "md certificates too weak"

Post by a_roman » Mon Sep 03, 2018 2:04 pm

My mistake. I'm sorry. Upgrade Ubuntu Linux 14 to 18.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5002
Joined: Fri Jun 03, 2016 1:17 pm

Re: Work with client 2.4.6 "md certificates too weak"

Post by TinCanTech » Mon Sep 03, 2018 2:10 pm

I presume you mean upgrade Linux 4.14 to 4.18 ..

Or maybe .. you mean Ubuntu 14.04 to 18.04

I don't think there are any complicated dependencies related to Openvpn.

You may find these repos more upto date:
https://community.openvpn.net/openvpn/w ... twareRepos

a_roman
OpenVpn Newbie
Posts: 6
Joined: Mon Sep 03, 2018 1:28 pm

Re: Work with client 2.4.6 "md certificates too weak"

Post by a_roman » Mon Sep 03, 2018 2:20 pm

I mean from 14.04 to 18.04.

a_roman
OpenVpn Newbie
Posts: 6
Joined: Mon Sep 03, 2018 1:28 pm

Re: Work with client 2.4.6 "md certificates too weak"

Post by a_roman » Tue Sep 04, 2018 8:47 am

Our Openvpn is used under the control of webmin. Can I create through it another CA next to the old one?
And then gradually transfer the old customers to a new СA?
Is it possible to use the old configuration parameters from /openvpn-ssl.cnf?
Will two CAs work simultaneously??

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5002
Joined: Fri Jun 03, 2016 1:17 pm

Re: Work with client 2.4.6 "md certificates too weak"

Post by TinCanTech » Tue Sep 04, 2018 11:12 am

a_roman wrote:
Tue Sep 04, 2018 8:47 am
Our Openvpn is used under the control of webmin
You still use EasyRSA and then upload the files, taking the webmin out of the way. (Should work but may not)
a_roman wrote:
Tue Sep 04, 2018 8:47 am
Can I create through it another CA next to the old one?
And then gradually transfer the old customers to a new СA?
Yes. You have customers then you should know and understand this by now!
a_roman wrote:
Tue Sep 04, 2018 8:47 am
Is it possible to use the old configuration parameters from /openvpn-ssl.cnf?
I don't know but probably not. Because that would be with your webmin and that is out of date.
a_roman wrote:
Tue Sep 04, 2018 8:47 am
Will two CAs work simultaneously??
You can stack them but the MD5 certs will still be rejected because of security.

If you want to contact me privately : tincanteksup <at> gmail

Post Reply