Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#53831 - [networkmanager-openvpn] OpenSSL / ca md too weak

Attached to Project: Arch Linux
Opened by Peter Reschenhofer (petres) - Tuesday, 25 April 2017, 20:31 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 26 April 2017, 16:03 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 7
Private No

Details

Description:
After upgrading my system today - now openssl 1.1.0.e is used - I get the
error:

OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

when I try to connect to an VPN network. Differ the requirements for the
certificates from the old ones?



Additional info:
* package version(s)
* config and/or log files etc.


Steps to reproduce:
This task depends upon

Closed by  Doug Newgard (Scimmia)
Wednesday, 26 April 2017, 16:03 GMT
Reason for closing:  Not a bug
Additional comments about closing:  See JGC's comments
Comment by Mark Gallagher (MarkG) - Tuesday, 25 April 2017, 22:25 GMT
I experienced the same issue. University distributes an .ovpn file to each user, which is no longer accepted. Is it possible to force openvpn to accept the cert, even if it's weak? Our administrators are not very speedy. Searching did not turn up enough information about the error for me to fix it myself.

This is not a NetworkManager problem; I am using command line openvpn and nm is not installed.
Comment by Jan de Groot (JGC) - Tuesday, 25 April 2017, 22:49 GMT
OpenSSL 1.1 bails out on CA certificates with MD5 ciphers.

Searching for the error message, there seems to be a workaround by setting @SECLEVEL=0 in the allowed cipher list, but I don't know where to put that with OpenVPN.

Comment by regid (regid1) - Tuesday, 25 April 2017, 23:00 GMT
Not sure how related the following comment is:

% printf "a string piped to openssl enc -a -A -aes128 from openssl-1.0.2.k-1" | openssl enc -a -A -aes128 -d

gives:

a string piped to openssl enc -a -A -aes128 from openssl-1.0.2.k-1 bad decrypt
3073402624:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:535:

when running against openssl-1.1.0.e-1.

Obvoiusly, "a string piped to openssl enc -a -A -aes128 from openssl-1.0.2.k-1" is just for verbosity. It is not the actual encrypted string.
Comment by muted (muted) - Wednesday, 26 April 2017, 07:20 GMT
I`ve got the same:

OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Cannot load certificate file /path_to_my/certificate.crt
Comment by Peter Reschenhofer (petres) - Wednesday, 26 April 2017, 07:33 GMT
I reported it also there (openvpn): https://bugs.archlinux.org/task/53839
Comment by Jan de Groot (JGC) - Wednesday, 26 April 2017, 07:46 GMT
As said in 2nd comment, this is caused by MD5 CA certificates.

I don't consider this a packaging, OpenVPN or OpenSSL bug. MD5 SSL certificates were proven insecure in 2008, Microsoft killed MD5 CA certificates in 2014, now OpenSSL on Archlinux does it in 2017. Google is pushing for SHA1 deprecation since 2014.

I don't think a workaround using @SECLEVEL=0 will work because OpenVPN uses IANA cipher formats, not OpenSSL formats. Only workaround left is to recompile OpenVPN against openssl-1.0 package.
Comment by Peter Reschenhofer (petres) - Wednesday, 26 April 2017, 07:52 GMT
Got it, thanks. Tried to move it to openvpn, cause I thought it would be a more appropriate place,
where it could be found more easily by others.

Loading...