Workaround for "SSL_CTX_use_certificate:ca md too weak"


pratyush parimal
Hi everyone,

I'm upgrading a server application from using OpenSSL 1.0.2n to using OpenSSL 1.1.0g.
I noticed that after the upgrade, some SSL certs get rejected because they use an MD5 digest, with the error:
"SSL_CTX_use_certificate:ca md too weak"

While I could ask clients to get a better CA certificate, it takes some of them a long time to do so. I was wondering if there's a way I could compile/configure the OpenSSL on my server to accept those certificates after all. Does anyone know?

I found links such as:
and
and a few others but they don't apply to my case I think.

Also, if the client does find it possible to get re-generated certs, would it be both the client cert and the CA? Or just one of them?

Thanks in advance!
Best,
Pratyush

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Workaround for "SSL_CTX_use_certificate:ca md too weak"

OpenSSL - User mailing list

You need to change your server config (however it is done), so that it gets @SECLEVEL=0 into the cipher string.  See the ciphers manpage for description of security levels.

 

You can also edit openssl source and rebuild/relink, but that shouldn’t be necessary.

 


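One way to apply the reply's suggestion to only the contexts that need it, as an added example that is not from the thread: it uses Python's `ssl` module, which passes the cipher string to OpenSSL (in C the same string goes to `SSL_CTX_set_cipher_list`). The function names, the `allow_weak_digest` flag and the file-path parameters are assumptions, and it needs Python linked against OpenSSL 1.1.0 or later.

```python
import ssl

# Cipher string carrying the setting named in the reply above.
LEGACY_CIPHERS = "DEFAULT:@SECLEVEL=0"


def security_level(ctx):
    """OpenSSL security level of ctx (Python 3.10+), or None if not exposed."""
    return getattr(ctx, "security_level", None)


def make_server_context(certfile=None, keyfile=None, allow_weak_digest=False):
    """Build a TLS server context; only legacy contexts get SECLEVEL=0.

    certfile/keyfile are hypothetical paths supplied by the caller.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if allow_weak_digest:
        # Lower the level before loading the certificate: the error in this
        # thread is reported by SSL_CTX_use_certificate, i.e. at load time.
        ctx.set_ciphers(LEGACY_CIPHERS)
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def describe(ctx):
    """Summarise a context for a startup log line."""
    return {
        "security_level": security_level(ctx),
        "cipher_count": len(ctx.get_ciphers()),
    }


if __name__ == "__main__":
    # No certificate is loaded here, so this runs without any files on disk.
    print("default:", describe(make_server_context()))
    print("legacy: ", describe(make_server_context(allow_weak_digest=True)))
```

Logging the output of `describe` at startup gives a record of which listeners still run at level 0, so they can be moved back to the default once the certificates are reissued.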