[FS#942] openvpn-mbedtls no longer accepts SHA1 certificates

LEDE Bugs lede-bugs at lists.infradead.org
Sun Jul 30 11:51:59 PDT 2017


The following task has a new comment added:

FS#942 - openvpn-mbedtls no longer accepts SHA1 certificates
User who did this - Magnus Kroken (mkrkn)

----------
The CA cert is accepted because the public key of the root certificate is trusted directly, instead of trusting its hash. See [[https://www.entrust.com/need-sha-2-signed-root-certificates/|Do You Need SHA-2 Signed Root Certificates?]] for more details.

Google, Microsoft and Mozilla all stopped supporting HTTPS certificates with SHA-1 digests in their web browsers early this year. Causing a SHA-1 collision in order to impersonate a legitimate server is now considered within reach of well-funded attackers. This is the same problem, just in the context of VPN instead of HTTPS.

The Easy-RSA script commonly used to manage personal OpenVPN certificate authorities has issued certificates with SHA-256 digests for several years. In addition, OpenVPN does not rely on the traditional network of public root CAs - each OpenVPN service provider, be it big commercial or one personal server, runs their own root CA(s). As such there is nothing preventing a provider from issuing new certificates - no fees, no need to wait for CA compatibility.

The actual problem is servers/clients using certificates that are considered weak, something LEDE can't fix. We can provide interoperability with them, but by doing so we also remove the incentive to fix the issue, and prolong the lowered security. 

In this case I think security and correctness should weigh higher than interoperability, as the security implications are real and have been demonstrated by researchers. There isn't a fine-grained way to configure this (e.g. you can't configure a single OpenVPN client to only accept certs with SHA-256 digests if you globally accept certs with SHA-1 digests), so by doing this we lower the security of all LEDE users, even if their specific server/provider uses strong certificates.
----------

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=942#comment3166
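
Added example (not part of the comment above, and not LEDE, OpenVPN or mbed TLS code): a stdlib-only Python audit that reads the signature algorithm from each DER certificate in a chain and reports the ones signed with MD5 or SHA-1 that would need reissuing, while skipping the self-issued root, whose key is trusted directly. All function names are hypothetical, and the sample chain is built from constructed, unsigned skeletons that only follow the X.509 field order.

```python
WEAK = {  # DER OID bytes of signature algorithms built on MD5 or SHA-1
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
}

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = tlv(content, pos)
        out.append((tag, body))
    return out

def inspect_cert(der):
    """Return (self_issued, weak_algorithm_or_None) for one DER certificate."""
    cert = children(tlv(der, 0)[1])  # tbsCertificate, signatureAlgorithm, signature
    tbs = children(cert[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs  # drop the optional [0] version
    issuer, subject = tbs[2][1], tbs[4][1]  # serial, alg, issuer, validity, subject
    return issuer == subject, WEAK.get(children(cert[1][1])[0][1])

def audit(chain):
    """Weak-signed certs that need reissuing. Assumption: a self-issued cert is
    the configured trust anchor, whose own signature digest is not relied on."""
    return [(i, weak) for i, (root, weak) in enumerate(map(inspect_cert, chain)) if weak and not root]

def enc(tag, content):  # DER-encode one element (short form, content < 128 bytes)
    return bytes([tag, len(content)]) + content

def skeleton(issuer, subject, oid_hex):
    """Constructed, unsigned stand-in with X.509 field order; names simplified."""
    alg = enc(0x30, enc(0x06, bytes.fromhex(oid_hex)) + enc(0x05, b""))
    names = [enc(0x30, enc(0x0C, cn.encode())) for cn in (issuer, subject)]
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + alg
              + names[0] + enc(0x30, b"") + names[1] + enc(0x30, b""))
    return enc(0x30, tbs + alg + enc(0x03, b"\x00"))

SHA1, SHA256 = "2a864886f70d010105", "2a864886f70d01010b"
CHAIN = [skeleton("Example CA", cn, alg)  # constructed: root, server, client
         for cn, alg in (("Example CA", SHA1), ("vpn-server", SHA1), ("client1", SHA256))]
```

Here audit(CHAIN) reports only the SHA-1 server certificate at index 1. Real PEM files can be converted to DER with the standard library's ssl.PEM_cert_to_DER_cert before being passed in.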


