[openssl-users] Workaround for "SSL_CTX_use_certificate:ca md too weak"

pratyush parimal pratyush.parimal at gmail.com
Wed Apr 4 17:32:18 UTC 2018


Hi everyone,

I'm upgrading a server application from using OpenSSL 1.0.2n to using
OpenSSL 1.1.0g.
I noticed that after the upgrade, some SSL certs get rejected because they
use an MD5 digest, with the error:
"SSL_CTX_use_certificate:ca md too weak"

While I could ask clients to get a better CA certificate, it takes some of
them a long time to do so. I was wondering if there's a way I could
compile/configure the OpenSSL on my server to accept those certificates
after all. Does anyone know?

I found links such as:
https://mta.openssl.org/pipermail/openssl-users/2017-October/006670.html
and
https://www.spinics.net/lists/openssl-users/msg06669.html
and a few others, but they don't apply to my case, I think.

Also, if the client does find it possible to get re-generated certs, would
it be both the client cert and the CA? Or just one of them?

Thanks in advance!
Best,
Pratyush