"insecure hash algorithm…" after 3.4 update…

Official client software for OpenVPN Access Server and OpenVPN Cloud.
MacVador
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 13, 2023 1:37 pm

"insecure hash algorithm…" after 3.4 update…

Post by MacVador » Fri Oct 13, 2023 1:45 pm

Hi,
we sometimes use OpenVPN to connect to our Stormshield (NetASQ) firewall appliance and it worked great. Nevertheless, after upgrading from version 3.3.x to 3.4, we cannot connect anymore. The error message is "You are using insecure hash algorithm in CA signature. Please regenerate CA with other hash algorithm"…
The first problem is that we have no option to select a specific hash algorithm on the appliance; furthermore, I investigated this specific CA and the reply of openssl is "sha1WithRSAEncryption". The only info I have seen in troubleshooting is about MD5.
So any help or ideas would be appreciated…

PS: I have tried to reimport openvpn config file from the firewall without results. The error is shown only when connection is asked, not for import of profile.
PS2: I see this in the logs: "EVENT: SSL_CA_MD_TOOWEAK OpenSSLContext: SSL_CTX_use_certificate failed: error:0A00018E:SSL routine::ca md too weak [ERR]"

Halog
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 16, 2023 9:28 am

Re: "insecure hash algorithm…" after 3.4 update…

Post by Halog » Mon Oct 16, 2023 9:32 am

Hello,

we have the same problem.
We have a device with the older Version 3.3. It is still working fine.
Another device runs version 3.4. It has the same problem as MacVador wrote.

Is there any workaround to fix it?

Thanks for helping :-)

esahc
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 16, 2023 10:09 pm

Re: "insecure hash algorithm…" after 3.4 update…

Post by esahc » Mon Oct 16, 2023 10:12 pm

I am having the same issue with receiving the 'insecure hash algorithm in CA signature'

device running new version 3.4, was working just fine on 3.3

I've upgraded the firmware on my router to the latest version, exported and installed new profile, and get this message when I try to connect.

There has to be a fix for this right?

MacVador
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 13, 2023 1:37 pm

Re: "insecure hash algorithm…" after 3.4 update…

Post by MacVador » Tue Oct 17, 2023 9:11 am

"Happy" to see that I am not alone in the Universe… But sad to see that no solution nor workaround proposed…

MacVador
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 13, 2023 1:37 pm

Re: "insecure hash algorithm…" after 3.4 update…

Post by MacVador » Sat Oct 21, 2023 11:37 am

In my case, selection in settings/advanced settings for insecure authorisations has done the job.

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: "insecure hash algorithm…" after 3.4 update…

Post by openvpn_inc » Thu Oct 26, 2023 2:25 pm

Hello guys,

The real problem is that certificates are being used that are using a very weak signature. The error message here shows the problem:

EVENT: SSL_CA_MD_TOOWEAK OpenSSLContext: SSL_CTX_use_certificate failed: error:0A00018E:SSL routine::ca md too weak [ERR]

This means a too weak signature is used on the CA certificate. This is no longer secure and you are being correctly warned about this. MD5 is very weak and considered severely compromised.

I would suggest contacting the manufacturer of this device and asking them to look into and solve this so that any CAs or certificates generated by this device are using SHA256 or such for the signature.

If the client you're using is OpenVPN Connect v3.4 there is an option to still allow lower level security settings. But obviously this is not a good idea. Yes, it will work again, but the underlying problem is not solved. This will buy time for the underlying problem to be solved.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

LucG
OpenVpn Newbie
Posts: 1
Joined: Thu Nov 30, 2023 7:01 pm

Re: "insecure hash algorithm…" after 3.4 update…

Post by LucG » Thu Nov 30, 2023 7:14 pm

Hello guys,

I have the same issue,
I changed the algorithm to SHA1 or SHA256, deleted all keys in the cert configuration, and restarted the service to generate new certs, but I still have the same issue.
Mine is an Asus router RT-AC66U, firmware 3.0.0.4.382.52287

remote xxxx.asuscomm.com 1194
float
nobind
proto udp
dev tun
sndbuf 0
rcvbuf 0
keepalive 10 30

# for OpenVPN 2.4 or older
comp-lzo yes
# for OpenVPN 2.4 or newer
;compress lzo

auth-user-pass
client
auth SHA1
cipher AES-128-CBC
remote-cert-tls server
<ca>

becm
OpenVPN User
Posts: 39
Joined: Tue Sep 01, 2020 1:27 pm

Re: "insecure hash algorithm…" after 3.4 update…

Post by becm » Sat Dec 02, 2023 11:35 pm

Whatever comes after <ca> will likely still refer to an MD5-signed CA (given that exact error).
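
An added example, not part of the original thread and not OpenVPN's code: a way to check which signature algorithm the certificate inside a profile's <ca> block actually carries, which is the question raised in the first post and in the reply above. The function names are hypothetical, the sample input is a constructed DER skeleton rather than a real certificate, and flagging MD5 and SHA-1 as weak is this example's assumption.

```python
import base64
import re

# OID -> (name, flagged_weak); flagging MD5 and SHA-1 is this example's assumption.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40, 0]
    for b in body[1:]:
        arcs[-1] = (arcs[-1] << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(0)
    return ".".join(map(str, arcs[:-1]))

def ca_signature_algorithms(profile_text):
    """Return [(algorithm, flagged_weak)] for each certificate inside <ca>...</ca>."""
    block = re.search(r"<ca>(.*?)</ca>", profile_text, re.S)
    found = []
    for pem in PEM_RE.findall(block.group(1) if block else ""):
        der = base64.b64decode(pem)
        _, cert_start, _ = read_tlv(der, 0)          # enter Certificate SEQUENCE
        _, _, tbs_end = read_tlv(der, cert_start)    # skip tbsCertificate
        _, alg_start, _ = read_tlv(der, tbs_end)     # enter signatureAlgorithm
        _, oid_start, oid_end = read_tlv(der, alg_start)
        oid = decode_oid(der[oid_start:oid_end])
        found.append(SIG_ALGS.get(oid, (oid, False)))  # unknown OIDs are not flagged
    return found

def sample_profile(last_arc):
    """Constructed input: a DER skeleton (not a real certificate) in a client profile."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    cert = tlv(0x30, tlv(0x30, b"\x02\x01\x01") + alg + tlv(0x03, b"\x00\xaa"))
    pem = base64.encodebytes(cert).decode()
    return f"client\n<ca>\n-----BEGIN CERTIFICATE-----\n{pem}-----END CERTIFICATE-----\n</ca>\n"
```

To check a real profile, pass the text of the exported .ovpn file to ca_signature_algorithms(); a result flagged True means the CA itself has to be regenerated, and re-exporting the profile will not change it.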
