Changing "default_md" from md5 to sha256


Post by nerone » Mon Feb 03, 2020 1:39 pm

Hello everybody,
in our OpenVPN environment we're still having the issue with the error "SSL_CTX_use_certificate:ca md too weak", and we continue working only by distributing an old version of the client setup.
In order to solve it, I've tried the solution of changing "default_md" from md5 to sha256 on the server where we generate the certificates. After that, if I try to connect with a newer client I don't receive the error "SSL_CTX_use_certificate:ca md too weak" anymore, but the client isn't connecting, with the following errors:

Mon Feb 03 12:16:17 2020 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Feb 03 12:16:17 2020 UDP link local: (not bound)
Mon Feb 03 12:16:17 2020 UDP link remote: [AF_INET]x.x.x.x:1194
Mon Feb 03 12:16:17 2020 MANAGEMENT: >STATE:1580728577,WAIT,,,,,,
Mon Feb 03 12:16:17 2020 MANAGEMENT: >STATE:1580728577,AUTH,,,,,,
Mon Feb 03 12:16:17 2020 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=a1ad1b3c 4452d74f
Mon Feb 03 12:16:17 2020 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: -etc-
Mon Feb 03 12:16:17 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Feb 03 12:16:17 2020 TLS_ERROR: BIO read tls_read_plaintext error
Mon Feb 03 12:16:17 2020 TLS Error: TLS object -> incoming plaintext read error
Mon Feb 03 12:16:17 2020 TLS Error: TLS handshake failed
Mon Feb 03 12:16:17 2020 SIGUSR1[soft,tls-error] received, process restarting
Mon Feb 03 12:16:17 2020 MANAGEMENT: >STATE:1580728577,RECONNECTING,tls-error,,,,,
Mon Feb 03 12:16:17 2020 Restart pause, 5 second(s)
Mon Feb 03 12:16:18 2020 SIGTERM[hard,init_instance] received, process exiting
Mon Feb 03 12:16:18 2020 MANAGEMENT: >STATE:1580728578,EXITING,init_instance,,,,,

I didn't change anything on the OpenVPN server side. I really would like to be able to solve the problem without reissuing hundreds of certificates.
Do you have any idea?

Many thanks in advance....
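The verify error in the log above names the digest of the CA signature ("CA signature digest algorithm too weak"), so the first thing to establish is which certificate in the chain is still MD5-signed. The script below is an added example, not code from the original post or from the OpenVPN project: it reads the signatureAlgorithm field of every certificate in a PEM bundle using only the Python standard library (a small DER walker instead of `openssl x509 -noout -text`), and the two-certificate bundle it ships with is a constructed stand-in, not real certificate data.

```python
"""Report the signature digest algorithm of each certificate in a PEM bundle.

Added example for this thread (not from the original post or OpenVPN). The DER
walker reads the outer Certificate SEQUENCE, skips tbsCertificate and decodes
the signatureAlgorithm OID, the field `openssl x509 -noout -text` prints as
"Signature Algorithm". SAMPLE_BUNDLE at the bottom is constructed for the demo.
"""
import base64
import re

# Signature OIDs commonly seen in OpenVPN PKIs (RFC 3279 / RFC 4055 / RFC 5758).
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# MD5 (and MD2) signatures are what trips "md too weak" on OpenSSL 1.1.0+ defaults.
WEAK = {"md5WithRSAEncryption", "md2WithRSAEncryption"}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Dotted string from OID content bytes (first byte packs the first two arcs)."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm(der):
    """Name (or dotted OID if unknown) of the algorithm that signed this DER cert."""
    tag, start, _ = _read_tlv(der, 0)                   # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)               # tbsCertificate (skipped)
    _, alg_start, _ = _read_tlv(der, tbs_end)           # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return OID_NAMES.get(oid, oid)


_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def audit_bundle(text):
    """[(algorithm name, is_weak)] for each PEM certificate in text, in order."""
    result = []
    for body in _PEM.findall(text):
        name = signature_algorithm(base64.b64decode("".join(body.split())))
        result.append((name, name in WEAK))
    return result


# --- constructed sample input: certificate-shaped DER, not real certificates ---
def _der(tag, body):
    """Encode one DER TLV, long-form length when the body is 128 bytes or more."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, continuation bit on all but last
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _fake_cert(sig_oid):
    tbs = _der(0x30, b"\x02\x01\x02" + bytes(200))    # padding forces long-form lengths
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(16)))


def _pem(der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# An MD5-signed "CA" followed by a SHA-256-signed leaf: the mix the thread describes.
SAMPLE_BUNDLE = _pem(_fake_cert("1.2.840.113549.1.1.4")) + _pem(_fake_cert("1.2.840.113549.1.1.11"))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for i, (name, weak) in enumerate(audit_bundle(text)):
        print(f"cert {i}: {name}{'  <-- rejected as too weak' if weak else ''}")
```

Run it with the CA certificate and then with a client certificate as the argument (no argument prints the constructed sample). The caveat it makes visible: `default_md` in openssl.cnf only affects signing operations performed after the change, so a certificate issued earlier keeps whatever digest it was signed with, and the CA certificate itself is never rewritten by that setting.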
