Category: VPN

OpenSSL Weak Certificate

I had a client’s VPN that was giving me a hard time. It was an OpenVPN connection.

There was a comment in a forum I was reading about security. It sounded like it would be better to regenerate the certificates (the error below means the CA certificate is signed with a digest that OpenSSL now considers too weak, MD5), but since I have no control over the server, I couldn’t do that.

Error Messages

These are the error messages I was seeing in my log:

  • Cannot load certificate file <path removed>COTVPN.crt
  • OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
  • Options error: Please correct these errors.

I checked my version:

$ openvpn --version
OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
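Before turning the security level down it is worth confirming what the certificate is actually signed with, because “ca md too weak” is OpenSSL’s way of saying the CA certificate’s signature digest (MD5 here, on OpenSSL 1.1.0g) falls below security level 1. The quickest check is `openssl x509 -in COTVPN.crt -noout -text | grep 'Signature Algorithm'`. The script below does the same thing without depending on the openssl binary: it is an added example, not code from the original post, and it walks the certificate’s DER structure directly to pull out the signatureAlgorithm OID. The sample certificate it builds is constructed here (a structurally truncated tbsCertificate and a dummy signature, just enough for the parser); on a real file such as the COTVPN.crt from the log it reads the full certificate.

```python
import base64

# OIDs of signature algorithms commonly found on OpenVPN CA certificates.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for every element inside a constructed (SEQUENCE) body."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        yield tag, val


def decode_oid(value):
    """Turn OID content bytes into dotted form, e.g. 1.2.840.113549.1.1.4."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem):
    body = "".join(line for line in pem.splitlines() if line and not line.startswith("-----"))
    return base64.b64decode(body)


def certificate_signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tbs, sig_alg, _sig = list(der_children(cert))[:3]
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters }
    oid_tag, oid = next(der_children(sig_alg[1]))
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)


def openssl_verdict(oid):
    """Map the signature digest to how OpenSSL's security levels treat it."""
    name = SIG_ALG_NAMES.get(oid, oid).lower()
    if "md5" in name or "md2" in name:
        return "weak", "rejected at SECLEVEL 1 (OpenSSL 1.1.0+); loads only with @SECLEVEL=0"
    if "sha1" in name:
        return "legacy", "accepted at SECLEVEL 1 by OpenSSL 1.1.x, rejected there by OpenSSL 3.0+"
    return "ok", "accepted at the default security level"


def check_pem(pem):
    """Return (algorithm name, grade, explanation) for a PEM certificate."""
    oid = certificate_signature_oid(pem_to_der(pem))
    grade, why = openssl_verdict(oid)
    return SIG_ALG_NAMES.get(oid, oid), grade, why


# --- constructed sample (not a real CA): a truncated certificate carrying a chosen
# signature OID and a dummy signature, so the checker can run without a real file.
def der_encode(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]                  # base-128, high bit set on all but the last byte
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return der_encode(0x06, bytes(out))


def build_sample_cert_pem(sig_oid):
    alg = der_encode(0x30, encode_oid(sig_oid) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    tbs = der_encode(0x30, b"\x02\x01\x01" + alg)                # serial=1 and signature alg only
    sig = der_encode(0x03, b"\x00" + bytes(16))                  # BIT STRING with dummy signature bits
    b64 = base64.b64encode(der_encode(0x30, tbs + alg + sig)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    # With a path argument, inspect a real certificate; without one, use the MD5 sample.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_cert_pem("1.2.840.113549.1.1.4")
    print("%s: %s (%s)" % check_pem(pem))
```

Run it against the CA file the log complains about (`python3 check_sig.py COTVPN.crt`, with the script name being an assumption) and a result of md5WithRSAEncryption confirms that the workaround in the next section is papering over a weak CA signature rather than a local misconfiguration.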

Solution

First, I edited the VPN’s configuration file:

 sudo vi /etc/NetworkManager/system-connections/COTVPN

As the last line in the [vpn] section, I added:

tls-cipher=DEFAULT:@SECLEVEL=0

Then I ran this command to make NetworkManager re-read the connection files from disk:

sudo nmcli connection reload

After that, it worked. Note that @SECLEVEL=0 does not fix the certificate; it tells OpenSSL to drop its minimum-strength checks for that connection, which is why the MD5-signed CA certificate now loads, and it relaxes those checks for the rest of the TLS handshake too. It is a workaround to use until the server side reissues its CA with a stronger signature digest.

Missing Packages

Note: earlier, I was getting these messages:

  • VPN plugin at /usr/lib/NetworkManager/nm-iodine-auth-dialog is not executable
  • VPN plugin at /usr/lib/NetworkManager/nm-vpnc-auth-dialog is not executable

I installed these two packages:

  • network-manager-iodine-gnome
  • network-manager-vpnc-gnome

Installing those two packages cleared those errors.

Resources