Openssl error 0a00018e ssl routines ca md too weak

Linux Mint 21

a_subscriber

OpenVpn Newbie
Posts: 3
Joined: Mon Aug 15, 2022 9:27 am

OpenSSL: error:0A00018E:SSL routines::ca md too weak

Linux Mint 21

Successfully installed OpenVPN.

OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022

openssl version -a

OpenSSL 1.1.1q  5 Jul 2022
built on: Mon Aug 15 08:08:28 2022 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific

Now I want to connect to a remote setup via OpenVPN,

but I get an error:

2022-08-15 09:29:10 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-08-15 09:29:10 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-08-15 09:29:10 WARNING: file 'client.key' is group or others accessible
2022-08-15 09:29:10 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-08-15 09:29:10 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-08-15 09:29:10 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-08-15 09:29:10 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-08-15 09:29:10 Cannot load certificate file client.crt
2022-08-15 09:29:10 Exiting due to fatal error

P.S. I checked the folder. The files client.crt and ca.crt exist.


TinCanTech

OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

by TinCanTech » Mon Aug 15, 2022 10:29 am

a_subscriber wrote: ↑

Mon Aug 15, 2022 9:28 am


ca md too weak

Means your CA key is too weak to provide security. You need a new one.


a_subscriber

OpenVpn Newbie
Posts: 3
Joined: Mon Aug 15, 2022 9:27 am

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

by a_subscriber » Mon Aug 15, 2022 10:43 am

TinCanTech wrote: ↑

Mon Aug 15, 2022 10:29 am

a_subscriber wrote: ↑

Mon Aug 15, 2022 9:28 am


ca md too weak

Means your CA key is too weak to provide security. You need a new one.

It’s impossible because the certificate is generated by the admin. I don’t have access to this procedure.


TinCanTech

OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

by TinCanTech » Mon Aug 15, 2022 10:57 am

Then tell your admin that the vpn is insecure.


a_subscriber

OpenVpn Newbie
Posts: 3
Joined: Mon Aug 15, 2022 9:27 am

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

by a_subscriber » Mon Aug 15, 2022 1:40 pm

I fixed the problem:

I installed OpenVPN ver. 2.4.7 and now there is no error.

OpenVPN 2.4.7 x86_64-pc-linux-gnu
OpenSSL 1.1.1q 5 Jul 2022


TinCanTech

OpenVPN Protagonist
Posts: 11142
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak

by TinCanTech » Mon Aug 15, 2022 2:17 pm

Your VPN is still insecure.


Trying to generate ssl certificates for mariadb in an openssl3 environment

This post does not seem to give me any solution either.

Getting errors:

SSL error: Unable to get certificate from '/etc/certs/server-cert.pem'
2022-09-11 19:14:11 0 [Warning] Failed to setup SSL
2022-09-11 19:14:11 0 [Warning] SSL error: Unable to get certificate
2022-09-11 19:14:11 0 [Warning] SSL error: error:0A00018E:SSL routines::ca md too weak

/etc/certs/server-cert.pem is definitely here; in the same folder as the others that are found and populated so I am guessing my problem is with md too weak

I get no error when I generate my files; here is the list of generated files from the script below.

I searched a lot but found no clear solution. Everyone is saying that you either lower the security level in openssl or use a better algorithm, but I find no example on the net. I also added -sha256 but without any success.

Here is my script:

#!/bin/sh

# SERVER
# create a new CA key
openssl genrsa 4096 > ca-key.pem
# create the certificate
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem -sha256 -subj "/C=EU/ST=EU/L=EU/O=EU/OU=vps/CN=server"
# create the certificate for the server
openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem -sha256 -subj "/C=EU/ST=EU/L=EU/O=EU/OU=vps/CN=serverreq"
# process the new certificate
openssl rsa -in server-key.pem -out server-key.pem
# sign the certificate
openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# CLIENT
# create client certificate
openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem -subj "/C=EU/ST=EU/L=EU/O=EU/OU=vps/CN=client"
# process key
openssl rsa -in client-key.pem -out client-key.pem
# sign certificate
openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -sha256 -set_serial 01 -out client-cert.pem

and my docker compose

database:
    container_name: mariadb
    image: "mariadb:${MARIADB_VERSION}"
    restart: always
    env_file: .env
    volumes:
      - "${SQL_INIT}:/docker-entrypoint-initdb.d"
      - type: bind
        source: ${MARIADB_DATA_DIR}
        target: /var/lib/mysql
      - type: bind
        source: ${MARIADB_LOG_DIR}
        target: /var/logs/mysql
      - type: bind
        source: ${MARIADB_CERTS_DIR}
        target: /etc/certs/
    environment:
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
      MYSQL_DATABASE: "${MYSQL_DATABASE}"
      MYSQL_USER: "${MYSQL_USER}"
      MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
    ports:
      - "3306:3306"
    networks:
      - app_network
    command: [  
                "--character-set-server=utf8mb4",
                "--collation-server=utf8mb4_unicode_ci",
                "--bind-address=database",
                "--require_secure_transport=ON",
                "--ssl-ca=/etc/certs/ca-cert.pem",
                "--ssl-cert=/etc/certs/server-cert.pem",
                "--ssl-capath=/etc/certs/",
                "--ssl-key=/etc/certs/server-key.pem",
                "--default_authentication_plugin=mysql_native_password" 
              ]
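
As an added example (not part of the original posts): the "md" in "ca md too weak" is the message digest used in a certificate's signature, so a useful first check is to print the signature algorithm of each certificate and flag MD5 or SHA-1 based ones, which OpenSSL 3.x rejects at its default security level. The function names and the script name check-digest.sh are hypothetical; the certificate file names are the ones the script above produces.

```shell
#!/bin/sh
# Added example (not from the original posts): print the signature digest of
# each certificate and flag the ones OpenSSL 3.x refuses at its default
# security level. Function names are hypothetical.

# Succeeds (returns 0) when the "Signature Algorithm" name, as printed by
# `openssl x509 -text`, is based on MD2, MD4, MD5 or SHA-1.
# RSASSA-PSS keeps its hash in the parameters and is not classified here.
is_weak_sigalg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        md2*|md4*|md5*|sha1*|*-sha1|dsawithsha1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the signature algorithm of the first certificate in a PEM file.
sigalg_of() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Report every file given; return 1 if any is weak or unreadable.
audit_certs() {
    rc=0
    for f in "$@"; do
        alg=$(sigalg_of "$f")
        if [ -z "$alg" ]; then
            echo "$f: could not read a PEM certificate"; rc=1
        elif is_weak_sigalg "$alg"; then
            echo "$f: WEAK signature digest ($alg), re-issue with -sha256"; rc=1
        else
            echo "$f: ok ($alg)"
        fi
    done
    return "$rc"
}

# Usage: sh check-digest.sh ca-cert.pem server-cert.pem client-cert.pem
if [ "$#" -gt 0 ]; then
    audit_certs "$@"
fi
```

Run it against the files the failing process actually loads (for the compose file above, the contents of the directory mounted at /etc/certs/), since a stale certificate there can differ from the freshly generated one.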

OpenVPN > OpenSSL: error:0A00018E:SSL routines::ca md too weak

Fresh Xubuntu 22.04 system. Connecting with wifi(6) atm. On Windows I have no problems.
Tried experimental version of Eddie and older version but got same results. System build: aorus ultra x570, 5600x, nvidia rtx 2060, nvme m.2 hdd
Tried turning on/off network stack drivers from BIOS, no change. Forgot default option for it.

. 2022.04.19 21:58:41 — Eddie version: 2.20.0 / linux_x64, System: Linux, Name: Ubuntu 22.04 LTS n l, Version: Linux Studio 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux, Mono/.Net: 6.8.0.105 (Debian 6.8.0.105+dfsg-3.2 Wed Jun 30 05:34:49 UTC 2021); Framework: v4.0.30319
. 2022.04.19 21:58:41 — Command line arguments (2): path.resources=»/usr/share/eddie-ui» path.exec=»/usr/bin/eddie-ui»
. 2022.04.19 21:58:41 — Raise system privileges
. 2022.04.19 21:58:45 — Profile path: /home/UserXXX/.config/eddie/default.profile
. 2022.04.19 21:58:45 — Reading options from /home/UserXXX/.config/eddie/default.profile
. 2022.04.19 21:58:46 — Tun Driver — /dev/net/tun
. 2022.04.19 21:58:46 — OpenVPN — Version: 2.5.5 — OpenSSL 3.0.2 15 Mar 2022, LZO 2.10 (/usr/sbin/openvpn)
. 2022.04.19 21:58:46 — SSH — Version: OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022 (/usr/bin/ssh)
. 2022.04.19 21:58:46 — SSL — Version: Initializing (/usr/bin/stunnel4)
. 2022.04.19 21:58:46 — curl — Version: 7.81.0 (/usr/bin/curl)
I 2022.04.19 21:58:46 — Ready
. 2022.04.19 21:58:48 — Collect information about AirVPN completed
I 2022.04.19 21:58:52 — Session starting.
. 2022.04.19 21:58:52 — Waiting for latency tests (9 to go)
. 2022.04.19 21:58:53 — Waiting for latency tests (7 to go)
. 2022.04.19 21:58:54 — Waiting for latency tests (5 to go)
. 2022.04.19 21:58:55 — Waiting for latency tests (3 to go)
I 2022.04.19 21:58:56 — Checking authorization …
! 2022.04.19 21:58:57 — Connecting to Lupus (Sweden, Stockholm)
. 2022.04.19 21:58:57 — OpenVPN > OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
. 2022.04.19 21:58:57 — OpenVPN > library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
. 2022.04.19 21:58:57 — OpenVPN > OpenSSL: error:0A00018E:SSL routines::ca md too weak
. 2022.04.19 21:58:57 — OpenVPN > Cannot load inline certificate file
. 2022.04.19 21:58:57 — OpenVPN > Exiting due to fatal error
! 2022.04.19 21:58:57 — Disconnecting
. 2022.04.19 21:58:57 — Connection terminated.

PS: Besides the standard .deb builds for eddie-ui, which I tried and got this error, with some of the rest, like AppImage or portable, I got shared library errors or missing libraries.


Edited by yorwos

supplying more info/compacting
