OpenVPN Connect 3.4.0.3121 get insecure hash algorithm in CA signature error

[jack07]

I had ASUS Blue Cave of a router with RSA 2048 bit of OpenVPN.
When I upgraded OpenVPN Connect from 3.3.7 to 3.4 will get a error with connect.
"You are using insecure hash algorithm in CA signature.
Please regenerate CA with other hash algorithm"
When I unistall OpenVPN and install OpenVPN Connect 3.3.7. Everything is work fine.
Anyone, does any idea how to fix this problem?

[openvpn_inc]

Hello,

Security is something that changes over time. What was considered secure and uncrackable 10 years ago may have been revealed to have some exploit or flaw that makes it less secure now. For example at one point in time MD5 hashing was considered secure. Now it is considered weak. Why? Mainly because computing equipment has become much faster at calculating hashes than it was in the past but also because it's not a very strong hashing method. SHA256 and such replaced it.

Newer OpenVPN client software will check for things that are no longer considered secure and will warn you about it. Warnings eventually turn into hard failures as people continue to use it while ignoring warnings. You've reached this point. It is very likely that you're using MD5 hash for the signature in the CA you're currently using. It is very strongly advised that you solve this.

There is the option to go into the OpenVPN Connect settings and set the security level to its lowest possible setting. Things might then still work but you're basically on borrowed time already. You should act and fix this.

Check with ASUS is there have a newer firmware that can generate a CA that has a better signature hash method like SHA256 or such. Or see if you can upload your own. Or if this device is really old, replace it with something newer that does do signature hashing with a more secure method.

Or, you can stick your head in the ground and pretend to be an ostrich and just ignore the hell out of this and install an older version of the software and gamble with the security of your VPN solution. Ultimately the choice is yours.

Good luck,
Johan

[robertjm]

I'm a little confused on this one.

I'm running an M2 Macbook Air using v3.4.2, and it's connecting just fine. But, I tried setting up our accountant's M1 MacBook Pro and it's getting the insecure hash algothrithm message.

In both cases I am using the same OpenVPN configuration file for the connection; which was generated on an M1 Mac Mini computer.

Where is this hash being generated which is screwing up the M1 installation?

Robert

[openvpn_inc]

Hello robertjm,

In a nutshell, whoever or whatever has set up your VPN server had to have generated the certificates. And they were created with an insecure algorithm. You're basically in a situation where your certificates are currently not secure and you should replace them.

Alternatively you can look in the options of OpenVPN Connect and set the security level to a lower setting. That may make it work again for now, but eventually that won't work anymore either with future releases. That's because eventually the underlying library that does the certificate checking will remove support for such an old algorithm. It's just a matter of time.

You could also dig around for an older version of the client, but then you don't get software updates on that and the problem still exists. So it's better to look into replacing those certs. And it would have to be done on the server side and then clients also need a new set of key and cert.

Good luck,
Johan

[robertjm]

Thanks!

I set the server up a couple of years ago. It's on a Late 2012 Mac Mini, so think the max. O/S it can run is macOS Catalina.

But, I'm still not understanding why I'm able to connect using my M2 MacBook Air using the exact same config which bombed out on accountant's M1 MacBook Pro. I wouldn't have dumbed down the security to get mine working. At least I sure don't remember doing that.

I'll have to remote into the server later tonight and look over the settings.

Robert

Hello robertjm,

In a nutshell, whoever or whatever has set up your VPN server had to have generated the certificates. And they were created with an insecure algorithm. You're basically in a situation where your certificates are currently not secure and you should replace them...

[AI_1]

Have you solved the issue?

I have almost exactly the same
One M1 MacBook Air works well with the VPN profile
while another M1 Max MacBook shows the error message.

I'm totally puzzled.

But, I'm still not understanding why I'm able to connect using my M2 MacBook Air using the exact same config which bombed out on accountant's M1 MacBook Pro. I wouldn't have dumbed down the security to get mine working. At least I sure don't remember doing that.

I'll have to remote into the server later tonight and look over the settings.

Robert

Hello robertjm,

In a nutshell, whoever or whatever has set up your VPN server had to have generated the certificates. And they were created with an insecure algorithm. You're basically in a situation where your certificates are currently not secure and you should replace them...

[robertjm]

Unfortunately I haven't been able to get the user's personal computer back to try and work on it again.

[robertjm]

Unfortunately, I haven't had a chance to get the user's laptop back to try and work on it again. But, I need to in the next few days.

Robert

Have you solved the issue?

I have almost exactly the same
One M1 MacBook Air works well with the VPN profile
while another M1 Max MacBook shows the error message.

I'm totally puzzled.

[Verysecure]

I experienced the same. I'm using the OpenVPN server on my Asus router.
Not being an expert, this is what I did to revert it to a working situation again.
Note that it failed on my iOS device (v3.4.0) yet still work on the Windows client (v3.3.7). So, also the Windows client would fail as soon as there would be an update. There is actually a pretty clear Warning message still visible on Windows: "WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future". I had noted that before but ignored it... Up till now.

Steps to resolve using my Asus router as example:
On the Asus router
1. Change from SHA1 to SHA256
1a. Go to VPN / VPN Server / OpenVPN / VPN details: advanced / HMAC authentication: change to SHA256
1b. Click Apply
2 Renew the certificate
2a. Go to VPN / VPN Server / OpenVPN and click Renew Certification
3. Export a new 'OpenVPN configuration file'
3a. Go to VPN / VPN Server / OpenVPN and click Export OpenVPN configuration file
3b. Store the .ovpn file with some logical name
4. Optionally you can change the username and password for OpenVPN access, that should probably happen before you export the .ovpn file.
On the OpenVPN clients
1. Send the .ovpn config file to the client device
2. On the OpenVPN client program, suggest to delete the previous profile and install the new profile from the .ovpn file
2a. Process is a bit different for Windows (just upload the file to the Client) and iOS (send the .ovpn file by email, hard-delete email thereafter)

@others: please update/improve were needed!

[AWDSOME]

Thanks for these instructions, I'm having the same issue. I followed them, but I do not have the option to "Renew Certification". I think this is still my outstanding issue even though I cranked up the settings as follows from the configure file:

Code: Select all

remote mydomain.com 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 10 30
comp-lzo adaptive
auth-user-pass
client
auth SHA256
cipher AES-256-CBC
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
...

Any suggestions on how to generate the cert if that is my issue? Can I use RSA 2048 via PuttyGen? I can manually alter it in the ASUS config, but not generate. Thanks in advance.

[AWDSOME]

Ugh... I was able to regenerate the certificates on the Asus router. I needed to stop the service from running, blow out the certs, and then start the service again and it created them with the new parameters.... however, I'm still getting the error in OpenVPN.

Thoughts based on the above config?

[Andy90]

I have the same issue, two months ago this was work, right now not -
I change algorithm to SHA256,delete all keys in cert configuration, restart service to generate new certs, but I still have the same issue.
Which router you have ? My is Asus RT-AC1750U

[Andy90]

I solved this. I've installed the Open VPN GUI, and in profile file .ovpn I've added on end of lines this script

tls-cipher "DEFAULT:@SECLEVEL=0"

right now my connection works well.

[openvpn_inc]

Hello Andy90,

Those settings basically set back the security level of OpenSSL to a much lower level, allowing known insecure certificates and settings to be used again. I would not call that solving the issue, I would call that working around it, maybe even ignoring it.

If you're happy to live with this, then okay. Just be aware that in the future it may not even be possible to do this trick anymore as eventually known insecure methods may get removed entirely. Consider this the right moment to invest some time into figuring out if your existing device can be configured to use something secure, or replace the device with something newer that uses something secure.

I felt like I had to clarify that for visitors of this forum.

Good luck,
Johan

[TrowbridgeNick]

If it helps anyone else, I was having trouble with the 'Renew Certification' stage above, but upgraded the router firmware and the option to renew then became available.

[Verysecure]

On renewing the certificate as mentioned in my post earlier: this was on an Asus RT-AC88U router running (the most recent) 3.0.0.4.386_48260 firmware. As far as I recall, no special steps needed to renew the certificate. Apologies for not being able to be more specific.

[AWDSOME]

I still can't figure this out. I'm running an ASUS RT-AC66U Router.

@openvpn_inc - Do you see anything insecure with the config I posted above on Nov 4th? I don't... so really lost where to go from here.

Thanks.

[ooounohu]

Also experiencing this behavior with iOS app 3.4.1.5463 and ASUS RT-ACRH17 3.0.0.4.382_52517-gb4d36a6.

I know the router and its firmware is older. There are no updates for this model. OpenVPN is version 2.4.7 and OpenSSL is version 1.0.2u. At least, that's what I've gleaned from the system log available in the router GUI.

There is no "Renew Certificates" button but I believe I have successfully renewed them via the "Content modification of Keys & Certification." link in the VPN GUI configuration. I just deleted all of the content within, click "Apply", waited for the router to restart the service and build the new certs.

Unfortunately, like others have reported here, that has not resolved the behavior. The iOS client still complains about the CA signature.

Next, I pulled the certs out of the generated .opvn file and found that the CA and server certs are using a signature algorithm of "SHA1 with RSA" despite the router GUI configuration using nothing but SHA 256 for all applicable settings. Honestly, I don't know if this is the cause of the behavior or not.

Code: Select all

$ openssl x509 -in ca.crt -noout -text | grep Signature
Signature Algorithm: sha1WithRSAEncryption

Here is what I believe to be the OpenVPN configuration file generated by the GUI:

Code: Select all

# Automatically generated configuration

# Tunnel options
proto udp4
multihome
port 1194
dev tun21
sndbuf 0
rcvbuf 0
keepalive 10 30
up '/etc/openvpn/ovpn-up'
down '/etc/openvpn/ovpn-down'
setenv ovpn_type 0
setenv unit 1
script-security 2
daemon vpnserver1
verb 3
status-version 2
status status 10
comp-lzo adaptive
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn

# Server Mode
server 10.8.0.0 255.255.255.0
client-config-dir ccd
client-to-client
duplicate-cn
push "route 192.168.1.0 255.255.255.0 vpn_gateway 500"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"

# Data Channel Encryption Options
auth SHA256
cipher AES-256-CBC

# TLS Mode Options
ca ca.crt
dh dh.pem
cert server.crt
key server.key

The OpenVPN states the OpenSSL library is capable of the following TLS ciphers but I'll note that the ciphers available in the GUI are limited to only the CBC variants:

Code: Select all

# openvpn --show-tls
Available TLS Ciphers, listed in order of preference:

For TLS 1.2 and older (--tls-cipher):

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

At this point, I feel I've learned enough to be dangerous but I really don't know if anything I'm theorizing is accurate. So, I'm not sure where to go from here. I would like to continue to use the OpenVPN server available in my ASUS router without decreasing the security setting within the newer client.

[AWDSOME]

Next, I pulled the certs out of the generated .opvn file and found that the CA and server certs are using a signature algorithm of "SHA1 with RSA" despite the router GUI configuration using nothing but SHA 256 for all applicable settings. Honestly, I don't know if this is the cause of the behavior or not.

That's a good find. I wonder if this is a case of our routers not producing the right algorithm. But I'm in the same boat as you, my router hasn't had an update in years.

At this point, I feel I've learned enough to be dangerous but I really don't know if anything I'm theorizing is accurate. So, I'm not sure where to go from here. I would like to continue to use the OpenVPN server available in my ASUS router without decreasing the security setting within the newer client.

Same here. OpenVPN Support - Can you please check over and verify that our configs look as expected? We could also send you our keys (privately) to verify they would be okay or not.

[ooounohu]

Same here. OpenVPN Support - Can you please check over and verify that our configs look as expected? We could also send you our keys (privately) to verify they would be okay or not.

With no offence slung toward the excellent heroes in this OpenVPN Community Support Forum, I suspect we're either:

1. In the wrong section as our experience is actually caused by the OpenVPN server embedded in our routers.
2. On our own to support our aged OpenVPN server embedded in our routers.
3. All of the above.