a_subscriber (OpenVpn Newbie, Posts: 3, Joined: Mon Aug 15, 2022 9:27 am)
OpenSSL: error:0A00018E:SSL routines::ca md too weak
Linux Mint 21
Successfully installed openvpn.
OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
openssl version -a
OpenSSL 1.1.1q 5 Jul 2022
built on: Mon Aug 15 08:08:28 2022 UTC
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific
Now I want to connect to a remote setup via openvpn, but I get this error:
2022-08-15 09:29:10 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-08-15 09:29:10 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-08-15 09:29:10 WARNING: file 'client.key' is group or others accessible
2022-08-15 09:29:10 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-08-15 09:29:10 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-08-15 09:29:10 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2022-08-15 09:29:10 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-08-15 09:29:10 Cannot load certificate file client.crt
2022-08-15 09:29:10 Exiting due to fatal error
P.S. I checked the folder. The files client.crt and ca.crt exist.
TinCanTech (OpenVPN Protagonist, Posts: 11142, Joined: Fri Jun 03, 2016 1:17 pm)
Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak
by TinCanTech » Mon Aug 15, 2022 10:29 am
a_subscriber wrote (Mon Aug 15, 2022 9:28 am):
    ca md too weak
Means your CA key is too weak to provide security. You need a new one.
a_subscriber (OpenVpn Newbie, Posts: 3, Joined: Mon Aug 15, 2022 9:27 am)
Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak
by a_subscriber » Mon Aug 15, 2022 10:43 am
TinCanTech wrote (Mon Aug 15, 2022 10:29 am):
    a_subscriber wrote (Mon Aug 15, 2022 9:28 am):
        ca md too weak
    Means your CA key is too weak to provide security. You need a new one.
It’s impossible because the certificate was generated by the admin. I can’t access this procedure.
TinCanTech (OpenVPN Protagonist, Posts: 11142, Joined: Fri Jun 03, 2016 1:17 pm)
Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak
by TinCanTech » Mon Aug 15, 2022 10:57 am
Then tell your admin that the vpn is insecure.
a_subscriber (OpenVpn Newbie, Posts: 3, Joined: Mon Aug 15, 2022 9:27 am)
Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak
by a_subscriber » Mon Aug 15, 2022 1:40 pm
I fixed the problem:
I installed openvpn ver. 2.4.7 and now there is no error.
OpenVPN 2.4.7 x86_64-pc-linux-gnu
OpenSSL 1.1.1q 5 Jul 2022
TinCanTech (OpenVPN Protagonist, Posts: 11142, Joined: Fri Jun 03, 2016 1:17 pm)
Re: OpenSSL: error:0A00018E:SSL routines::ca md too weak
by TinCanTech » Mon Aug 15, 2022 2:17 pm
Your VPN is still insecure.
Trying to generate ssl certificates for mariadb in an openssl3 environment
This post does not seem to give me any solution either. I am getting these errors:
SSL error: Unable to get certificate from '/etc/certs/server-cert.pem'
2022-09-11 19:14:11 0 [Warning] Failed to setup SSL
2022-09-11 19:14:11 0 [Warning] SSL error: Unable to get certificate
2022-09-11 19:14:11 0 [Warning] SSL error: error:0A00018E:SSL routines::ca md too weak
/etc/certs/server-cert.pem is definitely there, in the same folder as the others, which are found and populated, so I am guessing my problem is the "md too weak" part.
I get no error when I generate my files; here is the list of generated files from the script below:
I searched a lot but found no clear solution. Everyone says that you either lower the security level in openssl or use a better algorithm, but I find no example on the net. I also added -sha256 but without any success.
here is my script:
#!/bin/sh
# SERVER
# create a new CA key
openssl genrsa 4096 > ca-key.pem
# create the certificate
openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem -sha256 -subj "/C=EU/ST=EU/L=EU/O=EU/OU=vps/CN=server"
# create the certificate for the server
openssl req -newkey rsa:2048 -days 365000 -nodes -keyout server-key.pem -out server-req.pem -sha256 -subj "/C=EU/ST=EU/L=EU/O=EU/OU=vps/CN=serverreq"
# process the new certificate
openssl rsa -in server-key.pem -out server-key.pem
# sign the certificate (explicit -sha256 so the server cert's signature digest matches the client cert's)
openssl x509 -req -in server-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -sha256 -set_serial 01 -out server-cert.pem
# CLIENT
# create client certificate
openssl req -newkey rsa:2048 -days 365000 -nodes -keyout client-key.pem -out client-req.pem -sha256 -subj "/C=EU/ST=EU/L=EU/O=EU/OU=vps/CN=client"
# process key
openssl rsa -in client-key.pem -out client-key.pem
# sign certificate (serial 02: two certificates issued by one CA must not share a serial)
openssl x509 -req -in client-req.pem -days 365000 -CA ca-cert.pem -CAkey ca-key.pem -sha256 -set_serial 02 -out client-cert.pem
and my docker compose:
database:
  container_name: mariadb
  image: "mariadb:${MARIADB_VERSION}"
  restart: always
  env_file: .env
  volumes:
    - "${SQL_INIT}:/docker-entrypoint-initdb.d"
    - type: bind
      source: ${MARIADB_DATA_DIR}
      target: /var/lib/mysql
    - type: bind
      source: ${MARIADB_LOG_DIR}
      target: /var/logs/mysql
    - type: bind
      source: ${MARIADB_CERTS_DIR}
      target: /etc/certs/
  environment:
    MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
    MYSQL_DATABASE: "${MYSQL_DATABASE}"
    MYSQL_USER: "${MYSQL_USER}"
    MYSQL_PASSWORD: "${MYSQL_PASSWORD}"
  ports:
    - "3306:3306"
  networks:
    - app_network
  command: [
    "--character-set-server=utf8mb4",
    "--collation-server=utf8mb4_unicode_ci",
    "--bind-address=database",
    "--require_secure_transport=ON",
    "--ssl-ca=/etc/certs/ca-cert.pem",
    "--ssl-cert=/etc/certs/server-cert.pem",
    "--ssl-capath=/etc/certs/",
    "--ssl-key=/etc/certs/server-key.pem",
    "--default_authentication_plugin=mysql_native_password"
  ]
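Both threads hit the same check: when OpenSSL loads a certificate file it compares the digest used in the certificate's signature (made by the CA, hence "ca md") and the key size against the configured security level, and Ubuntu/Debian ship OpenSSL 3 at level 2, where MD5/SHA-1 signatures and RSA keys under 2048 bits are refused. The POSIX shell script below is an added example, not code from either thread: it builds a throwaway CA and server certificate the way the MariaDB script should (explicit -sha256, a unique serial via -CAcreateserial), deliberately adds a SHA-1-signed CA, and then reports for any certificate or ca.crt bundle what its signature digest and key size are, which is the inspection to run on the OpenVPN ca.crt/client.crt or the MariaDB server-cert.pem before blaming the file path. File names and subjects are constructed; it assumes only the openssl command line tool.

```shell
#!/bin/sh
# Added example, not code from the forum threads above: build a throwaway PKI
# with one SHA-256-signed CA and one SHA-1-signed CA, then inspect certificates
# the way the failing OpenSSL clients do. All file names and subjects are constructed.
set -eu

SUBJ_BASE="/C=EU/O=example/OU=demo"   # constructed placeholder subject

# cert_digest FILE: print the hash used in the first certificate's signature
# (sha256, sha1, md5, ...), taken from "Signature Algorithm: sha256WithRSAEncryption".
cert_digest() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1 \
        | sed 's/WithRSAEncryption$//; s/^ecdsa-with-//' \
        | tr '[:upper:]' '[:lower:]'
}

# cert_key_bits FILE: print the public key size; the line reads
# "RSA Public-Key: (2048 bit)" in OpenSSL 1.1.1 and "Public-Key: (2048 bit)" in 3.x.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_is_strong FILE: succeed only when the first certificate in FILE passes
# OpenSSL security level 2 (the Ubuntu/Debian default): no MD5/SHA-1 signature
# and, for RSA, a key of at least 2048 bits.
cert_is_strong() {
    digest=$(cert_digest "$1")
    bits=$(cert_key_bits "$1")
    case "$digest" in
        md4|md5|sha1) return 1 ;;
    esac
    if openssl x509 -in "$1" -noout -text | grep -q 'Public Key Algorithm: rsaEncryption'; then
        [ "$bits" -ge 2048 ] || return 1
    fi
    return 0
}

# check_bundle FILE: a ca.crt may carry a whole chain, so split it and report
# every certificate; fail if any one of them would be rejected.
check_bundle() {
    tmp=$(mktemp -d); rc=0
    awk -v dir="$tmp" '/BEGIN CERTIFICATE/ { n++ } { print > (dir "/" n ".pem") }' "$1"
    for c in "$tmp"/*.pem; do
        if cert_is_strong "$c"; then verdict=ok; else verdict="TOO WEAK"; rc=1; fi
        printf '%s: %s-bit key, %s signature -> %s\n' \
            "$1" "$(cert_key_bits "$c")" "$(cert_digest "$c")" "$verdict"
    done
    rm -rf "$tmp"
    return $rc
}

# make_demo_pki DIR: CA plus a server certificate signed with an explicit
# -sha256 and a unique serial (-CAcreateserial), and a SHA-1-signed CA for contrast.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
        -subj "$SUBJ_BASE/CN=demo-ca" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" \
        -subj "$SUBJ_BASE/CN=server" 2>/dev/null
    openssl x509 -req -in "$dir/server-req.pem" -sha256 -days 365 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" 2>/dev/null
    # the bad case: same key size, but the CA signs itself with SHA-1; some
    # hardened builds refuse to create SHA-1 signatures at all, so tolerate that
    if ! openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 365 \
        -keyout "$dir/weak-ca-key.pem" -out "$dir/weak-ca-cert.pem" \
        -subj "$SUBJ_BASE/CN=weak-ca" 2>/dev/null; then
        rm -f "$dir/weak-ca-cert.pem"
        echo "this OpenSSL build refuses to create SHA-1 signatures; weak case skipped"
    fi
}

if [ "${1:-}" = "demo" ]; then
    make_demo_pki ./demo-pki
    check_bundle ./demo-pki/ca-cert.pem
    check_bundle ./demo-pki/server-cert.pem
    [ ! -f ./demo-pki/weak-ca-cert.pem ] || check_bundle ./demo-pki/weak-ca-cert.pem \
        || echo "weak-ca-cert.pem is what 'ca md too weak' is about"
fi
```

Run it as `sh check-certs.sh demo` (constructed file name) to see the three verdicts, or source it and call `check_bundle /path/to/ca.crt` against a real file. A TOO WEAK verdict cannot be repaired on the client side: the certificate has to be re-issued by the CA with a SHA-2 digest and a 2048-bit or larger key, which is why downgrading OpenVPN in the first thread only hides the problem.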
OpenVPN > OpenSSL: error:0A00018E:SSL routines::ca md too weak
Fresh Xubuntu 22.04 system. Connecting with wifi (6) atm. On Windows I have no problems.
Tried the experimental version of Eddie and an older version but got the same results. System build: Aorus Ultra X570, 5600X, Nvidia RTX 2060, NVMe M.2 drive.
Tried turning the network stack drivers on/off in the BIOS, no change. Forgot the default option for it.
. 2022.04.19 21:58:41 - Eddie version: 2.20.0 / linux_x64, System: Linux, Name: Ubuntu 22.04 LTS n l, Version: Linux Studio 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux, Mono/.Net: 6.8.0.105 (Debian 6.8.0.105+dfsg-3.2 Wed Jun 30 05:34:49 UTC 2021); Framework: v4.0.30319
. 2022.04.19 21:58:41 - Command line arguments (2): path.resources="/usr/share/eddie-ui" path.exec="/usr/bin/eddie-ui"
. 2022.04.19 21:58:41 - Raise system privileges
. 2022.04.19 21:58:45 - Profile path: /home/UserXXX/.config/eddie/default.profile
. 2022.04.19 21:58:45 - Reading options from /home/UserXXX/.config/eddie/default.profile
. 2022.04.19 21:58:46 - Tun Driver - /dev/net/tun
. 2022.04.19 21:58:46 - OpenVPN - Version: 2.5.5 - OpenSSL 3.0.2 15 Mar 2022, LZO 2.10 (/usr/sbin/openvpn)
. 2022.04.19 21:58:46 - SSH - Version: OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022 (/usr/bin/ssh)
. 2022.04.19 21:58:46 - SSL - Version: Initializing (/usr/bin/stunnel4)
. 2022.04.19 21:58:46 - curl - Version: 7.81.0 (/usr/bin/curl)
I 2022.04.19 21:58:46 - Ready
. 2022.04.19 21:58:48 - Collect information about AirVPN completed
I 2022.04.19 21:58:52 - Session starting.
. 2022.04.19 21:58:52 - Waiting for latency tests (9 to go)
. 2022.04.19 21:58:53 - Waiting for latency tests (7 to go)
. 2022.04.19 21:58:54 - Waiting for latency tests (5 to go)
. 2022.04.19 21:58:55 - Waiting for latency tests (3 to go)
I 2022.04.19 21:58:56 - Checking authorization ...
! 2022.04.19 21:58:57 - Connecting to Lupus (Sweden, Stockholm)
. 2022.04.19 21:58:57 - OpenVPN > OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
. 2022.04.19 21:58:57 - OpenVPN > library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
. 2022.04.19 21:58:57 - OpenVPN > OpenSSL: error:0A00018E:SSL routines::ca md too weak
. 2022.04.19 21:58:57 - OpenVPN > Cannot load inline certificate file
. 2022.04.19 21:58:57 - OpenVPN > Exiting due to fatal error
! 2022.04.19 21:58:57 - Disconnecting
. 2022.04.19 21:58:57 - Connection terminated.
PS: besides the standard .deb builds of eddie-ui, which I tried and got this error with, some of the others like the AppImage or portable builds gave me shared library errors or missing libraries.
Edited by yorwos: supplying more info/compacting