24

Linux Mint 21

Successfully installed openvpn.

OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
openssl version -a
OpenSSL 1.1.1q  5 Jul 2022
built on: Mon Aug 15 08:08:28 2022 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific

Now I want to connect to a remote setup via openvpn.

sudo openvpn Leo.ovpn 

but I get this error:

2022-08-15 09:29:10 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-08-15 09:29:10 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-08-15 09:29:10 WARNING: file 'client.key' is group or others accessible
2022-08-15 09:29:10 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-08-15 09:29:10 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-08-15 09:29:10 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2022-08-15 09:29:10 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-08-15 09:29:10 Cannot load certificate file client.crt
2022-08-15 09:29:10 Exiting due to fatal error

P.S. I checked the folder. The files client.crt and ca.crt exist.

sudo openssl x509 -text -in ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d5:a0:93:fa:24:35:4d:95

...

2
  • 2
    Not really specific to Linux Mint, but to OpenVPN and the OpenSSL version it has been linked with. Commented Jun 28, 2023 at 11:34
  • Agree. Better to omit the Tag Linux-mint. Commented Feb 21 at 10:14

5 Answers

29

Ubuntu 22.04.1 LTS

Just as said above, add this

tls-cipher "DEFAULT:@SECLEVEL=0"

to your VPN client config (not openssl.cnf). Mine looks like this (example):

client
tls-client
ca vpnname/ca.crt
cert vpnname/user.crt
key vpnname/user.key
tls-crypt vpnname/myvpn.tlsauth
proto udp
remote 1.1.1.1 1194 udp
dev tun
topology subnet
pull
user nobody
group nogroup
script-security 2
tls-cipher "DEFAULT:@SECLEVEL=0"
#up /etc/openvpn/vpnname/up.sh
#down /etc/openvpn/vpnname/down.sh

UPDATE about NetworkManager

As people said in the comments, for NetworkManager openvpn you need to add tls-cipher=DEFAULT:@SECLEVEL=0

inside your /etc/NetworkManager/system-connections/name-of-your-openvpn.nmconnection

into [vpn] section

and restart NetworkManager: sudo systemctl restart NetworkManager

3
  • Note that in order for this to be picked up, you need to restart NetworkManager: sudo systemctl restart NetworkManager.
    – AVH
    Commented Oct 28, 2022 at 9:47
  • add tls-cipher "DEFAULT:@SECLEVEL=0" to the ovpn file. Commented Dec 13, 2022 at 16:22
  • 3
    In case you need to set this for one particular connection managed by NetworkManager: The configuration file is located at /etc/NetworkManager/system-connections/ and the NetworkManager specific syntax is tls-cipher=DEFAULT:@SECLEVEL=0.
    – Hermann
    Commented Apr 11, 2023 at 8:45
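The NetworkManager keyfile edit described in the answer above, as an added example that is not part of the answer or of NetworkManager itself: a small Python helper that inserts tls-cipher=DEFAULT:@SECLEVEL=0 into the [vpn] section of an .nmconnection profile. The sample profile is constructed for the example; the check on service-type assumes the profile was created by the NetworkManager-openvpn plugin. Two details matter in practice and are handled here: NetworkManager keys are case-sensitive, so configparser must not lower-case them, and the key must be written as key=value with no spaces.

```python
import configparser
import io

# Directive the answer recommends, as NetworkManager's keyfile expects it.
SECLEVEL_KEY, SECLEVEL_VALUE = "tls-cipher", "DEFAULT:@SECLEVEL=0"
OPENVPN_SERVICE = "org.freedesktop.NetworkManager.openvpn"

# Constructed sample profile (not a real connection), in the keyfile layout
# found under /etc/NetworkManager/system-connections/.
SAMPLE_PROFILE = """\
[connection]
id=office-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
remote=vpn.example.com
ca=/etc/openvpn/vpnname/ca.crt
cert=/etc/openvpn/vpnname/user.crt
key=/etc/openvpn/vpnname/user.key

[ipv4]
method=auto
"""


def add_seclevel_override(keyfile_text):
    """Return the profile text with tls-cipher=DEFAULT:@SECLEVEL=0 set in [vpn].

    Raises ValueError if the text is not an OpenVPN profile, so the directive
    is never dropped into an unrelated connection by mistake."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str                 # keep key case exactly as NetworkManager wrote it
    cfg.read_string(keyfile_text)
    if "vpn" not in cfg:
        raise ValueError("no [vpn] section: not a NetworkManager VPN profile")
    if cfg["vpn"].get("service-type") != OPENVPN_SERVICE:
        raise ValueError("[vpn] section is not an OpenVPN connection")
    cfg["vpn"][SECLEVEL_KEY] = SECLEVEL_VALUE   # idempotent: replaces any earlier value
    out = io.StringIO()
    cfg.write(out, space_around_delimiters=False)  # emit key=value, not key = value
    return out.getvalue()


if __name__ == "__main__":
    print(add_seclevel_override(SAMPLE_PROFILE))
```

Write the result back over the original file as root, keeping its 0600 mode, then restart NetworkManager as the answer says; the directive only takes effect once the profile is re-read.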
15

The answer is in the error messages (error:0A00018E:SSL routines::ca md too weak). OpenSSL refuses to use the CA certificate because certain parameters are considered insecure nowadays. This could be caused by the certificate using MD5 or SHA1 for signing.

You should regenerate your CA and certificates with secure hash algorithms for the signature, as your currently used hash algorithms are not considered secure anymore.

There is a workaround available by adding the following to your openssl.cnf:

tls-cipher "DEFAULT:@SECLEVEL=0"

Another workaround is available since OpenVPN 2.6.0:

OpenSSL 3.0 support

OpenSSL 3.0 has been added. Most of OpenSSL 3.0 changes are not user visible but improve general compatibility with OpenSSL 3.0. --tls-cert-profile insecure has been added to allow selecting the lowest OpenSSL security level (not recommended, use only if you must). OpenSSL 3.0 no longer supports the Blowfish (and other deprecated) algorithm by default and the new option --providers allows loading the legacy provider to re-enable these algorithms.

10
  • 2
This tls-cipher "DEFAULT:@SECLEVEL=0" does not help
    – Alexei
    Commented Aug 15, 2022 at 7:49
  • Can you add to the question a sanitized version of openssl x509 -text -in ca.crt?
    – mtak
    Commented Aug 15, 2022 at 7:54
  • That is extremely sanitized, and not very useful :) . Please post the output with just identifying marks removed (subject, issuer, that sort of stuff).
    – mtak
    Commented Aug 15, 2022 at 8:46
  • I fixed the problem. See my answer
    – Alexei
    Commented Aug 15, 2022 at 13:39
  • 1
    Not only is this the fullest answer (including advice to regenerate the certs if possible - although note that the CA is irrelevant and doesn't need to be regenerated even if it's using MD5), but it's also the first answer to have the solution. I'm not sure why the other answer is higher voted. Commented Jun 27, 2023 at 17:38
2

Given:

Linux Mint 21
OpenVPN 2.5.5 , Mar 22 2022
OpenSSL 3.0.2 , 15 Mar 2022

I fixed the problem:

I installed openvpn version 2.4.7 and now there is no error.

OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 15 2022
library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10

OpenSSL 1.1.1q  5 Jul 2022
2
1

Note that although changing the ovpn configuration is a working workaround, it might not be the best solution. SHA-1 has a low level of security even with long keys (SHA-1 is considered to have less than 80 bits of security for digital signatures). See: Recommendation for Key Management, NIST Special Publication 800-57 Part 1, NIST, May 2020.

Modify CA/certificate

What you should do is change openssl.cnf you use to sign and generate certificates.

[CA_default]
# ...
default_md = sha256
# ...

[ req ]
default_bits = 2048

Generating a certificate with the above settings should be indicated in the crt/pem file like so:

Signature Algorithm: sha256WithRSAEncryption
[...]
RSA Public-Key: (2048 bit)

All this might be a bit of work depending on how many certificates you have.

Workaround

So as a workaround you can add a security level of 0 in *.ovpn (on the client side):

tls-cipher "DEFAULT:@SECLEVEL=0"

Note that SECLEVEL=0 means any algorithm is allowed (security levels info).

This workaround might be fine depending on how you are using the certificates (e.g. for local tests or public-facing stuff), how big of a target you are, and what other layers of security you have.
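The two answers above (the one explaining "ca md too weak" and this one on regenerating with sha256/2048) both come down to one question: what digest signed the certificate, how large is its RSA key, and at which OpenSSL security level is it still accepted. As an added example that is not part of either answer, here is a pure-stdlib Python inspector that walks the DER structure of a certificate, pulls out the signature OID and the RSA modulus size, and maps them to the highest OpenSSL security level that will still load it (0 means only the SECLEVEL=0 workaround will do). The level thresholds follow SSL_CTX_set_security_level(3), with OpenSSL 3.0's rule that MD5 and SHA-1 signatures are refused from level 1 up. Since the question's own certificate is elided, the sample inputs are constructed, unsigned certificate skeletons built by a tiny DER encoder in the same block; one is assumed to look like a legacy SHA-1/1024-bit CA, the other like a regenerated SHA-256/2048-bit one. It goes beyond the page by grading key sizes up to level 5.

```python
# Pure-stdlib X.509 inspector: which digest signed a certificate, how large its
# RSA key is, and the highest OpenSSL security level that still accepts it.
import base64
import re

SIG_OIDS = {                                 # signature OID -> digest
    "1.2.840.113549.1.1.4": "md5", "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256", "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512", "1.2.840.10045.4.3.2": "sha256",  # ecdsa-with-SHA256
}
RSA_OID = "1.2.840.113549.1.1.1"
# Security bits required at OpenSSL levels 0..5 (SSL_CTX_set_security_level(3));
# OpenSSL 3.0 refuses MD5/SHA-1 signatures from level 1 up, hence 0 bits for them.
LEVEL_MIN_BITS = (0, 80, 112, 128, 192, 256)
DIGEST_BITS = {"md5": 0, "sha1": 0, "sha256": 128, "sha384": 192, "sha512": 256}
RSA_SEC_BITS = ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80))

def _read_tlv(buf, pos):
    """Return (tag, payload, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(payload):
    """Split a constructed element's payload into (tag, payload) members."""
    out, pos = [], 0
    while pos < len(payload):
        tag, inner, pos = _read_tlv(payload, pos)
        out.append((tag, inner))
    return out

def _decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                        # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def load_pem(text):
    """Strip PEM armour (as in ca.crt / client.crt) and return the DER bytes."""
    return base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", text).split()))

def inspect_cert(der):
    """Return {'sig_hash': ..., 'key_bits': ...} for one DER-encoded certificate."""
    tbs, sig_alg, _signature = _children(_read_tlv(der, 0)[1])
    sig_oid = _decode_oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    key_alg, key_bits = _children(fields[5][1])
    bits = None                              # only RSA keys are sized here
    if _decode_oid(_children(key_alg[1])[0][1]) == RSA_OID:
        # BIT STRING payload: one unused-bits byte, then the RSAPublicKey SEQUENCE
        rsa_key = _read_tlv(key_bits[1], 1)[1]
        bits = int.from_bytes(_children(rsa_key)[0][1], "big").bit_length()
    return {"sig_hash": SIG_OIDS.get(sig_oid, sig_oid), "key_bits": bits}

def max_seclevel_accepting(info):
    """Highest OpenSSL security level that still loads the certificate;
    0 means only the SECLEVEL=0 workaround (or regenerating it) will do."""
    digest = DIGEST_BITS.get(info["sig_hash"], 0)
    key = next((sec for size, sec in RSA_SEC_BITS if (info["key_bits"] or 0) >= size), 0)
    return max(lvl for lvl, need in enumerate(LEVEL_MIN_BITS) if min(digest, key) >= need)

# --- constructed sample input: a tiny DER encoder and an UNSIGNED cert skeleton ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunk))
    return _der(0x06, body)

def _der_int(value):                         # extra 0x00 byte keeps the sign positive
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def synthetic_cert(sig_oid, modulus_bits):
    """Structurally valid, unsigned certificate with a dummy RSA modulus (test data)."""
    alg = _der(0x30, _der_oid(sig_oid) + b"\x05\x00")
    rsa = _der(0x30, _der_int((1 << (modulus_bits - 1)) | 1) + _der_int(65537))
    spki = _der(0x30, _der(0x30, _der_oid(RSA_OID) + b"\x05\x00") + _der(0x03, b"\x00" + rsa))
    name = _der(0x30, b"")                   # empty Name is enough for this parser
    validity = _der(0x30, _der(0x17, b"220101000000Z") + _der(0x17, b"320101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))

if __name__ == "__main__":                   # assumed legacy sha1/1024 CA vs regenerated sha256/2048
    for oid, size in (("1.2.840.113549.1.1.5", 1024), ("1.2.840.113549.1.1.11", 2048)):
        info = inspect_cert(synthetic_cert(oid, size))
        print(info, "-> highest accepted SECLEVEL", max_seclevel_accepting(info))
```

To run it on a real file, pass load_pem(open("ca.crt").read()) to inspect_cert; a result of 0 from max_seclevel_accepting is exactly the case OpenSSL 3.0 reports as "ca md too weak" at its default level 1, while a certificate signed with sha256 over a 2048-bit key scores 2 and loads without any override.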

0

The problem is described in the article Ubuntu 22.04 OpenSSL error fixing:

Ubuntu and Xubuntu 22.04 moved to OpenSSL 3.0. This is causing errors (0A00018E:SSL routines::ca md too weak) with Wifi and other internet connections. This is because OpenSSL 3.0 considers the MD5 and SHA1 hash algorithms used on old CA certificates invalid.

Although the article is for Ubuntu, it probably also applies to the latest Linux Mint.

This article proposes the following solutions:

Solution 1: If you are using Wi-Fi or a VPN and you are getting the error, then the immediate solution is to renew your key pairs to be compatible with OpenSSL 3. This is because OpenSSL 3 which is used by default in Ubuntu 22.04 does not accept SHA1 algorithm. Learn more about OpenSSL 3.0.

Solution 2: Install OpenSSL 3. Here is a guide on how to install OpenSSL 3 on Ubuntu 22.04.

Solution 3: If you are facing a problem with SSH, then make sure that you have selectively enabled it as it is disabled by default in OpenSSH.

NOTE: Third-party packages that use libssl1.1 will also need to be upgraded to libssl3.

5
I successfully installed OpenSSL 3.0 but it does not help
    – Alexei
    Commented Aug 15, 2022 at 9:20
  • You need to recreate the certificate - it's too weak. Do not use these old hash algorithms.
    – harrymc
    Commented Aug 15, 2022 at 9:25
It's impossible because the certificate is generated by the admin. I don't have access to this procedure.
    – Alexei
    Commented Aug 15, 2022 at 10:36
  • If you are obliged to use it, then you need to configure OpenSSL. (Downgrading to an older version of Linux is never a good idea.) See the Providers section of the OpenSSL wiki for an example config. You need to load the legacy provider.
    – harrymc
    Commented Aug 15, 2022 at 11:00
  • I fixed the problem. See my answer
    – Alexei
    Commented Aug 15, 2022 at 13:39
