FS#53831 - [networkmanager-openvpn] OpenSSL / ca md too weak

Attached to Project: Arch Linux
Opened by Peter Reschenhofer (petres) - Tuesday, 25 April 2017, 20:31 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 26 April 2017, 16:03 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 7
Private No

Details

Description:
After upgrading my system today - now openssl 1.1.0.e is used - I get the
error:

OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

when I try to connect to a VPN network. Do the requirements for the
certificates differ from the old ones?



Additional info:
* package version(s)
* config and/or log files etc.


Steps to reproduce:

Closed by Doug Newgard (Scimmia)
Wednesday, 26 April 2017, 16:03 GMT
Reason for closing: Not a bug
Additional comments about closing: See JGC's comments
Comment by Mark Gallagher (MarkG) - Tuesday, 25 April 2017, 22:25 GMT
I experienced the same issue. University distributes an .ovpn file to each user, which is no longer accepted. Is it possible to force openvpn to accept the cert, even if it's weak? Our administrators are not very speedy. Searching did not turn up enough information about the error for me to fix it myself.

This is not a NetworkManager problem; I am using command line openvpn and nm is not installed.
Comment by Jan de Groot (JGC) - Tuesday, 25 April 2017, 22:49 GMT
OpenSSL 1.1 bails out on CA certificates with MD5 ciphers.

Searching for the error message, there seems to be a workaround by setting @SECLEVEL=0 in the allowed cipher list, but I don't know where to put that with OpenVPN.

Comment by regid (regid1) - Tuesday, 25 April 2017, 23:00 GMT
Not sure how related the following comment is:

% printf "a string piped to openssl enc -a -A -aes128 from openssl-1.0.2.k-1" | openssl enc -a -A -aes128 -d

gives:

a string piped to openssl enc -a -A -aes128 from openssl-1.0.2.k-1 bad decrypt
3073402624:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:535:

when running against openssl-1.1.0.e-1.

Obviously, "a string piped to openssl enc -a -A -aes128 from openssl-1.0.2.k-1" is just for verbosity. It is not the actual encrypted string.
Comment by muted (muted) - Wednesday, 26 April 2017, 07:20 GMT
I've got the same:

OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Cannot load certificate file /path_to_my/certificate.crt
Comment by Peter Reschenhofer (petres) - Wednesday, 26 April 2017, 07:33 GMT
I reported it also there (openvpn): https://bugs.archlinux.org/task/53839
Comment by Jan de Groot (JGC) - Wednesday, 26 April 2017, 07:46 GMT
As said in 2nd comment, this is caused by MD5 CA certificates.

I don't consider this a packaging, OpenVPN or OpenSSL bug. MD5 SSL certificates were proven insecure in 2008, Microsoft killed MD5 CA certificates in 2014, now OpenSSL on Archlinux does it in 2017. Google is pushing for SHA1 deprecation since 2014.

I don't think a workaround using @SECLEVEL=0 will work because OpenVPN uses IANA cipher formats, not OpenSSL formats. Only workaround left is to recompile OpenVPN against openssl-1.0 package.
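Before recompiling anything, the check a practitioner wants is to see which digest actually signed the certificates in the profile. The script below is an added example, not code from this bug report or from the OpenVPN project. It uses only the Python standard library: it pulls the PEM certificates out of an .ovpn file's inline `<ca>`/`<cert>`/`<extra-certs>` blocks (or a plain .crt or bundle), decodes the outer `signatureAlgorithm` OID of each DER `Certificate`, and states how OpenSSL 1.1's default security level (level 1, minimum 80 bits, with MD5 signatures rated at 64 bits and SHA-1 at 80) treats it. The built-in sample profile is constructed for this example: the remote `vpn.example.org` is hypothetical and the certificate inside `<ca>` is an unsigned DER skeleton, good enough for the OID check and nothing else.

```python
"""Report the digest behind each certificate signature in an OpenVPN profile.

Added example (not from the bug report or the OpenVPN project). Standard
library only: it extracts the PEM certificates from an .ovpn file's inline
<ca>/<cert>/<extra-certs> blocks (or a bare .crt/bundle), decodes the outer
signatureAlgorithm OID of each DER Certificate and states how OpenSSL 1.1's
default security level (1, minimum 80 bits) treats that signature.
"""
import base64
import re
import sys

# signatureAlgorithm OIDs -> digest (PKCS#1 and ECDSA assignments)
SIG_OID_DIGEST = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",
    "1.2.840.10045.4.3.4": "sha512",
}
# OpenSSL 1.1 rates a certificate signature at 4 bits per digest byte:
# MD5 = 64 bits, SHA-1 = 80 bits. Level 1 requires 80, level 2 requires 112.
VERDICT = {
    "md5": "rejected at security level 1 (64 < 80 bits): 'ca md too weak'",
    "sha1": "accepted at level 1, rejected from level 2 (80 < 112 bits)",
    "unknown": "unrecognised signature algorithm OID",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
BLOCK_RE = re.compile(r"<(ca|cert|extra-certs)>(.*?)</\1>", re.S)


def _tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """DER OID content octets -> dotted string (base-128 arcs, high bit = continue)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_oid(der):
    """Dotted OID of Certificate.signatureAlgorithm (the field after tbsCertificate)."""
    tag, cert, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = _tlv(cert)               # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, after_tbs)       # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def profile_certificates(text):
    """(label, DER bytes) for each certificate in an .ovpn profile or .crt file."""
    found = [(tag, base64.b64decode("".join(pem.split())))
             for tag, body in BLOCK_RE.findall(text)
             for pem in PEM_RE.findall(body)]
    if not found:                              # no inline blocks: a bare .crt/bundle
        found = [("file", base64.b64decode("".join(pem.split())))
                 for pem in PEM_RE.findall(text)]
    return found


def check_profile(text):
    """[(label, digest, verdict)] for every certificate found in text."""
    report = []
    for label, der in profile_certificates(text):
        digest = SIG_OID_DIGEST.get(signature_oid(der), "unknown")
        report.append((label, digest, VERDICT.get(digest, "ok")))
    return report


def _encode_oid(dotted):
    """Inverse of _decode_oid; used only to build the constructed sample."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _der(tag, content):                        # short-form lengths suffice for the sample
    return bytes([tag, len(content)]) + content


def sample_profile(sig_oid):
    """Constructed .ovpn text (hypothetical remote) whose <ca> holds an UNSIGNED DER
    skeleton: placeholder tbsCertificate, the given signatureAlgorithm, dummy BIT
    STRING. Enough for signature_oid(); it is not a usable certificate."""
    tbs = _der(0x30, _der(0x02, b"\x02"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, bytes(17))
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % b64
    return "client\ndev tun\nremote vpn.example.org 1194\n<ca>\n%s\n</ca>\n" % pem


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_profile("1.2.840.113549.1.1.4")
    for label, digest, verdict in check_profile(text):
        print("<%s> signature digest %s: %s" % (label, digest, verdict))
```

Run it with the profile path as its only argument; with no argument it checks the built-in constructed sample, which reports an MD5 signature. Two points worth keeping in mind when reading the output: OpenSSL applies this check to the signature on each certificate it loads that is not self-signed, so the certificate that fails to load is usually the user's own certificate or an intermediate, both signed by the CA, which is why the error in this thread names the user's .crt rather than the CA file; and the 80-bit threshold is OpenSSL's security level, not anything OpenVPN configures, so a profile that passes here at level 1 can still fail on a build that defaults to a higher level.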
Comment by Peter Reschenhofer (petres) - Wednesday, 26 April 2017, 07:52 GMT
Got it, thanks. Tried to move it to openvpn, because I thought it would be a more appropriate place,
where it could be found more easily by others.
