ca md too weak


ca md too weak

Fabrice Delente
Hello,

Until two days ago I used OpenVPN to connect to my workplace, on a
non-security sensitive tunnel (just for convenience).

However, OpenSSL updated on my machine (Fedora 26), and now the
certificate is rejected:

Fri Oct  6 17:25:06 2017 OpenVPN 2.4.4 x86_64-redhat-linux-gnu [SSL
(OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on
Sep 26 2017
Fri Oct  6 17:25:06 2017 library versions: OpenSSL 1.1.0f-fips  25 May
2017, LZO 2.08
Fri Oct  6 17:25:06 2017 OpenSSL: error:140AB18E:SSL
routines:SSL_CTX_use_certificate:ca md too weak
Fri Oct  6 17:25:06 2017 Cannot load certificate file lcs/delentef.crt
Fri Oct  6 17:25:06 2017 Exiting due to fatal error

What solutions are there to this problem? Can I configure OpenSSL to
accept this certificate after all?

Thanks.

F. Delente
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: ca md too weak

Jeffrey Walton-3
> Until two days ago I used OpenVPN to connect to my workplace, on a
> non-security sensitive tunnel (just for convenience).
>
> However, OpenSSL updated on my machine (Fedora 26), and now the
> certificate is rejected:
>
> ...
> routines:SSL_CTX_use_certificate:ca md too weak
> Fri Oct  6 17:25:06 2017 Cannot load certificate file lcs/delentef.crt
> Fri Oct  6 17:25:06 2017 Exiting due to fatal error
>
> What solutions are there to this problem? Can I configure OpenSSL to
> accept this certificate after all?

https://fedoraproject.org/wiki/Changes/CryptoPolicy

Jeff

Re: ca md too weak

Jan Just Keijser-2
In reply to this post by Fabrice Delente
Hi,

On 06/10/17 17:26, Fabrice Delente wrote:

> Hello,
>
> Until two days ago I used OpenVPN to connect to my workplace, on a
> non-security sensitive tunnel (just for convenience).
>
> However, OpenSSL updated on my machine (Fedora 26), and now the
> certificate is rejected:
>
> Fri Oct  6 17:25:06 2017 OpenVPN 2.4.4 x86_64-redhat-linux-gnu [SSL
> (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on
> Sep 26 2017
> Fri Oct  6 17:25:06 2017 library versions: OpenSSL 1.1.0f-fips  25 May
> 2017, LZO 2.08
> Fri Oct  6 17:25:06 2017 OpenSSL: error:140AB18E:SSL
> routines:SSL_CTX_use_certificate:ca md too weak
> Fri Oct  6 17:25:06 2017 Cannot load certificate file lcs/delentef.crt
> Fri Oct  6 17:25:06 2017 Exiting due to fatal error
>
> What solutions are there to this problem? Can I configure OpenSSL to
> accept this certificate after all?
>
>
It's not openssl that changed, it's the way openvpn is built on Fedora:
- openvpn 2.4.3 was built and linked against openssl 1.0, which
supports MD5-signed certs
- openvpn 2.4.4 was built and linked against openssl 1.1, which does not

Best solution:
- upgrade your CA to use something that's actually secure
Second best:
- downgrade openvpn to 2.4.3 (and get openssl 1.0 support back).

HTH,

JJK
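
To see which hash the CA actually used on a certificate before deciding between the two options above, here is a check added as an example for this thread (not code from the list or from OpenVPN/OpenSSL): it walks a DER-encoded X.509 certificate with only the Python standard library and reports the signature algorithm, the same field `openssl x509 -in delentef.crt -noout -text` prints as `Signature Algorithm`. The two certificates inside are constructed skeletons with the real top-level layout so the script runs offline; a real DER file (convert PEM with `openssl x509 -outform DER`) can be read with `open(path, "rb").read()` and passed to the same functions.

```python
# Added example (not from the thread): stdlib-only walk of a DER X.509 certificate
# reporting the signature hash, the field OpenSSL 1.1 checks before "ca md too weak".
SIG_OIDS = {  # rsaEncryption signature OIDs from RFC 3279 / RFC 4055
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = ("md2", "md5", "sha1")  # MD5 is what trips OpenSSL 1.1 here; SHA-1 is also deprecated

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(value):
    """Decode OID content bytes to dotted form (first byte packs two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)      # signatureAlgorithm (AlgorithmIdentifier)
    _, oid, _ = read_tlv(alg, 0)         # first element is the algorithm OID
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)

def is_weak_signature(cert_der):
    return signature_algorithm(cert_der).lower().startswith(WEAK)

def der(tag, content):  # minimal DER encoder, only for the constructed samples below
    n = len(content)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + content

def sample_cert(sig_oid_hex):
    """Constructed Certificate skeleton with the real layout; not a usable certificate."""
    tbs = der(0x30, bytes(200))  # placeholder tbsCertificate, long enough to force long-form lengths
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")  # OID + NULL params
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(16)))

MD5_CERT = sample_cert("2a864886f70d010104")     # 1.2.840.113549.1.1.4, md5WithRSAEncryption
SHA256_CERT = sample_cert("2a864886f70d01010b")  # 1.2.840.113549.1.1.11, sha256WithRSAEncryption
```

An OID not in `SIG_OIDS` (ECDSA, RSA-PSS) is returned in dotted form so it is never silently reported as weak or strong.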


Re: ca md too weak

Fabrice Delente
OK, I understand, thanks for your answer! I'll look into building
openvpn 2.4.3 from source.

F. Delente

Re: ca md too weak

Jeffrey Walton-3
On Fri, Oct 6, 2017 at 12:22 PM, Fabrice Delente <[hidden email]> wrote:
> OK, I understand, thanks for your answer! I'll look into building
> openvpn 2.4.3 from source.

I believe you only have to set Fedora's security policy to allow MD5.
That is covered in the Fedora wiki page you were provided.

There's no need to download and build a new OpenSSL and OpenVPN.
However, if you do take that path, then see
https://stackoverflow.com/q/38985889/608639.

Jeff

Re: ca md too weak

Fabrice Delente
Thanks for your answer too, I had already seen this wiki page before
posting but I didn't find in it any info on how to do that; I'll look
into it again and try harder then.

F. Delente