FS#53831 - [networkmanager-openvpn] OpenSSL / ca md too weak
Attached to Project:
Arch Linux
Opened by Peter Reschenhofer (petres) - Tuesday, 25 April 2017, 20:31 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 26 April 2017, 16:03 GMT
Opened by Peter Reschenhofer (petres) - Tuesday, 25 April 2017, 20:31 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 26 April 2017, 16:03 GMT
|
Details
Description:
After upgrading my system today - now openssl 1.1.0.e is used - I get the error: OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak when I try to connect to an VPN network. Differ the requirements for the certificates from the old ones? Additional info: * package version(s) * config and/or log files etc. Steps to reproduce: |
This task depends upon
Closed by Doug Newgard (Scimmia)
Wednesday, 26 April 2017, 16:03 GMT
Reason for closing: Not a bug
Additional comments about closing: See JGC's comments
Wednesday, 26 April 2017, 16:03 GMT
Reason for closing: Not a bug
Additional comments about closing: See JGC's comments
This is not a NetworkManager problem; I am using command line openvpn and nm is not installed.
Searching for the error message, there seems to be a workaround by setting @SECLEVEL=0 in the allowed cipher list, but I don't know where to put that with OpenVPN.
% printf "a string piped to openssl enc -a -A -aes128 from openssl-1.0.2.k-1" | openssl enc -a -A -aes128 -d
gives:
a string piped to openssl enc -a -A -aes128 from openssl-1.0.2.k-1 bad decrypt
3073402624:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:535:
when running against openssl-1.1.0.e-1.
Obvoiusly, "a string piped to openssl enc -a -A -aes128 from openssl-1.0.2.k-1" is just for verbosity. It is not the actual encrypted string.
OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Cannot load certificate file /path_to_my/certificate.crt
I don't consider this a packaging, OpenVPN or OpenSSL bug. MD5 SSL certificates were proven insecure in 2008, Microsoft killed MD5 CA certificates in 2014, now OpenSSL on Archlinux does it in 2017. Google is pushing for SHA1 deprecation since 2014.
I don't think a workaround using @SECLEVEL=0 will work because OpenVPN uses IANA cipher formats, not OpenSSL formats. Only workaround left is to recompile OpenVPN against openssl-1.0 package.
where it could be found more easily by others.