Re: openvpn community client - what changed with 2.6.0?

Posted: Tue Aug 15, 2023 9:55 pm
by becm
The OpenSSL version changed from v1.1.x to v3.x, which has much stricter requirements for certificates (by default).
As written in the error message, the (server I think?) certificate CA is rejected for having a weak signature (MD5, SHA1).

Re: openvpn community client - what changed with 2.6.0?

Posted: Tue Aug 22, 2023 2:54 am
by openvpn_inc
Hello becm,

The switch from OpenSSL 1 to 3 brings along with it all the changes in security posture that OpenSSL 3 brings. There are still ways to override default security settings to allow older, less secure methods to be used, but this is not advisable.

For more information you can check release notes of OpenSSL 3 and see what changes there were.

If you use MD5 or SHA1 for your CA signing, you may be able to get things working with some settings to tell OpenSSL to ignore stuff and implement legacy methods. But generally that is not advisable. That's basically just ignoring the problem instead of solving it by going to a CA with SHA256 for example.

OpenVPN Connect for example has the concept of security level. In the configuration you can then set it to the lowest possible security setting to still allow certain older security methods to be used, although that is not advisable.

Kind regards,
Johan
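
To find out which certificates in a profile are affected before re-issuing them with SHA256, the following added example (not part of either post, and not OpenVPN's own tooling) lists the signature algorithm of every certificate in a PEM bundle or `.ovpn` file and flags MD5 and SHA1. It assumes the `openssl` command-line tool is on the PATH; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# classify_sigalg NAME: "weak" for MD5/SHA-1 signature algorithm names as
# printed by `openssl x509 -text`, else "ok". RSASSA-PSS is judged by name
# only here; its hash lives in the parameters and must be read separately.
classify_sigalg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        md5*|sha1*|*-sha1|*withsha1) echo weak ;;
        *) echo ok ;;
    esac
}

# Read `openssl x509 -noout -text` output on stdin, print the first algorithm.
sigalg_from_text() {
    awk -F': *' '!seen && /Signature Algorithm:/ {print $2; seen=1}'
}

# audit_bundle FILE: one line per certificate; returns 1 if any is weak.
# Inline <ca>/<cert> blocks in a .ovpn profile hold ordinary PEM, so the
# same split works for a profile and for a plain CA bundle.
audit_bundle() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++; on=1}
        on {print > (d "/cert" n ".pem")}
        /-----END CERTIFICATE-----/ {on=0}' "$1"
    rc=0
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        alg=$(openssl x509 -in "$f" -noout -text | sigalg_from_text)
        verdict=$(classify_sigalg "$alg")
        echo "$verdict  $alg  $(openssl x509 -in "$f" -noout -subject)"
        [ "$verdict" = ok ] || rc=1
    done
    rm -rf "$tmp"
    return $rc
}

# Constructed sample of `openssl x509 -text` output, used when no file is given.
SAMPLE='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Constructed Example CA
    Signature Algorithm: sha1WithRSAEncryption'

if [ "$#" -gt 0 ]; then
    audit_bundle "$1"
else
    alg=$(printf '%s\n' "$SAMPLE" | sigalg_from_text)
    echo "constructed sample: $alg -> $(classify_sigalg "$alg")"
fi
```

Run it as `sh script.sh client.ovpn`; a non-zero exit status means at least one certificate in the file carries an MD5 or SHA1 signature.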