Re: [openssl-users] ca md too weak
Thanks for your answer too, I had already seen this wiki page before posting but I didn't find in it any info on how to do that; I'll look into it again and try harder then.

F. Delente
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] ca md too weak
On Fri, Oct 6, 2017 at 12:22 PM, Fabrice Delente wrote:
> OK, I understand, thanks for your answer! I'll look into building
> openvpn 2.4.3 from source.

I believe you only have to set Fedora's security policy to allow MD5. That is covered in the Fedora wiki page you were provided.

There's no need to download and build a new OpenSSL and OpenVPN. However, if you want to take that path, then see https://stackoverflow.com/q/38985889/608639.

Jeff

Re: [openssl-users] ca md too weak
OK, I understand, thanks for your answer! I'll look into building openvpn 2.4.3 from source.

F. Delente

Re: [openssl-users] ca md too weak
Hi,

On 06/10/17 17:26, Fabrice Delente wrote:
> Hello,
>
> Until two days ago I used OpenVPN to connect to my workplace, on a
> non-security sensitive tunnel (just for convenience).
>
> However, OpenSSL updated on my machine (Fedora 26), and now the
> certificate is rejected:
>
> Fri Oct 6 17:25:06 2017 OpenVPN 2.4.4 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
> Fri Oct 6 17:25:06 2017 library versions: OpenSSL 1.1.0f-fips 25 May 2017, LZO 2.08
> Fri Oct 6 17:25:06 2017 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
> Fri Oct 6 17:25:06 2017 Cannot load certificate file lcs/delentef.crt
> Fri Oct 6 17:25:06 2017 Exiting due to fatal error
>
> What solutions are there to this problem? Can I configure OpenSSL to
> accept this certificate after all?

it's not openssl that changed, it's the way openvpn is built on Fedora:
- openvpn 2.4.3 was built and linked against openssl 1.0, which supports MD5 signed certs
- openvpn 2.4.4 was built and linked against openssl 1.1, which does not

Best solution:
- upgrade your CA to use something that's actually secure

Second best:
- downgrade openvpn to 2.4.3 (and get openssl 1.0 support back).

HTH,

JJK

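The thread attributes the error to an MD5-signed certificate. The following is an added example (not written by any poster, and not OpenSSL or OpenVPN project code) that reports which digest signed each certificate in a PEM file, so the affected certificates can be identified before the CA is reissued. The function names, the constructed sample text, and the extra LEGACY label for SHA-1 are assumptions of the example.

```shell
# Added example (not from the thread): report the signature digest of each
# certificate in a PEM file and flag MD5-family signatures.

# Map an OpenSSL signature algorithm name to WEAK / LEGACY / OK.
classify_sigalg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *md2*|*md4*|*md5*) echo WEAK ;;    # the case behind "ca md too weak"
        *sha1*)            echo LEGACY ;;  # assumption: also worth reporting
        *)                 echo OK ;;
    esac
}

# Read `openssl ... -text` output on stdin and print one line per certificate:
# VERDICT<TAB>algorithm<TAB>subject. The algorithm line appears twice per
# certificate; the one after Subject: is the outer signature, so use that.
scan_cert_text() {
    awk '
        /^ *Subject:/ { sub(/^ *Subject: */, ""); subj = $0; have = 1; next }
        /^ *Signature Algorithm:/ && have {
            sub(/^ *Signature Algorithm: */, ""); print $0 "\t" subj; have = 0
        }' |
    while IFS="$(printf '\t')" read -r alg subj; do
        printf '%s\t%s\t%s\n' "$(classify_sigalg "$alg")" "$alg" "$subj"
    done
}

# Works on bundles too: `openssl x509` alone reads only the first certificate.
scan_pem_file() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -text -noout | scan_cert_text
}

# Constructed excerpt of -text output for two certificates (not real data).
sample_text() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: md5WithRSAEncryption
        Subject: CN = client.example
    Signature Algorithm: md5WithRSAEncryption
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = Example CA
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

if [ "$#" -gt 0 ]; then for f in "$@"; do scan_pem_file "$f"; done
else sample_text | scan_cert_text; fi
```

Run with one or more PEM files as arguments to scan them; with no arguments it scans the constructed sample.
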
Re: [openssl-users] ca md too weak
> Until two days ago I used OpenVPN to connect to my workplace, on a
> non-security sensitive tunnel (just for convenience).
>
> However, OpenSSL updated on my machine (Fedora 26), and now the
> certificate is rejected:
>
> ...
> routines:SSL_CTX_use_certificate:ca md too weak
> Fri Oct 6 17:25:06 2017 Cannot load certificate file lcs/delentef.crt
> Fri Oct 6 17:25:06 2017 Exiting due to fatal error
>
> What solutions are there to this problem? Can I configure OpenSSL to
> accept this certificate after all?

https://fedoraproject.org/wiki/Changes/CryptoPolicy

Jeff