[FS#942] openvpn-mbedtls no longer accepts SHA1 certificates
LEDE Bugs
lede-bugs at lists.infradead.org
Sun Jul 30 08:03:14 PDT 2017
A new Flyspray task has been opened. Details are below.
User who did this - Baptiste Jonglez (bjonglez)
Attached to Project - LEDE Project
Summary - openvpn-mbedtls no longer accepts SHA1 certificates
Task Type - Bug Report
Category - Packages
Status - New
Assigned To -
Operating System - All
Severity - High
Priority - Medium
Reported Version - All
Due in Version - Undecided
Due Date - Undecided
Details - Since the update of mbedtls to version 2.5.1 (in both trunk and lede-17.01), the openvpn client no longer accepts SHA1 certificates.
This gives the following error when the client tries to connect:
openvpn(client)[1897]: TLS: Initial packet from [AF_INET]XXX:1194, sid=c5d9be97 6dc8ee7f
openvpn(client)[1897]: VERIFY OK: depth=1, C=FR, ST=XX, L=XX, O=XX, OU=openvpn, CN=openvpn-ca, ??=XX, emailAddress=abuse at XX
openvpn(client)[1897]: VERIFY ERROR: depth=0, subject=C=FR, ST=XX, L=XX, O=XX, OU=openvpn, CN=server, ??=XX, emailAddress=abuse at XX: The certificate is signed with an unacceptable hash.
openvpn(client)[1897]: TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
openvpn(client)[1897]: TLS Error: TLS object -> incoming plaintext read error
openvpn(client)[1897]: TLS Error: TLS handshake failed
Both the CA cert and the server cert are RSA4096 with SHA1 signature. Strangely, the CA cert is accepted but the server cert is not.
This is similar to FS#405, but I think it's overkill to disallow SHA1 certs: I guess there are lots of servers out there still using SHA1.
More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=942
More information about the lede-bugs
mailing list