[openssl-users] ca md too weak

Jan Just Keijser janjust at nikhef.nl
Fri Oct 6 15:49:28 UTC 2017


Hi,

On 06/10/17 17:26, Fabrice Delente wrote:
> Hello,
>
> Until two days ago I used OpenVPN to connect to my workplace, on a
> non-security sensitive tunnel (just for convenience).
>
> However, OpenSSL updated on my machine (Fedora 26), and now the
> certificate is rejected:
>
> Fri Oct  6 17:25:06 2017 OpenVPN 2.4.4 x86_64-redhat-linux-gnu [SSL
> (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on
> Sep 26 2017
> Fri Oct  6 17:25:06 2017 library versions: OpenSSL 1.1.0f-fips  25 May
> 2017, LZO 2.08
> Fri Oct  6 17:25:06 2017 OpenSSL: error:140AB18E:SSL
> routines:SSL_CTX_use_certificate:ca md too weak
> Fri Oct  6 17:25:06 2017 Cannot load certificate file lcs/delentef.crt
> Fri Oct  6 17:25:06 2017 Exiting due to fatal error
>
> What solutions are there to this problem? Can I configure OpenSSL to
> accept this certificate after all?
>
>
it's not openssl that changed, it's the way openvpn is built on Fedora:
- openvpn 2.4.3 was built and linked against openssl 1.0 , which 
supports MD5 signed certs
- openvpn 2.4.4 was built and linked against openssl 1.1, which does not

Best solution:
- upgrade your CA to use something that's actually secure
Second best:
- downgrade openvpn to 2.4.3 (and get openssl 1.0 support back).

HTH,

JJK



More information about the openssl-users mailing list