openvpn-mbedtls no longer accepts SHA1 certificates
Username: Baptiste Jonglez
Origin: https://bugs.openwrt.org/index.php?do=details&task_id=942
Since the update of mbedtls to version 2.5.1 (in both trunk and lede-17.01), the openvpn client no longer accepts SHA1 certificates.
This gives the following error when the client tries to connect:
openvpn(client)[1897]: TLS: Initial packet from [AF_INET]XXX:1194, sid=c5d9be97 6dc8ee7f openvpn(client)[1897]: VERIFY OK: depth=1, C=FR, ST=XX, L=XX, O=XX, OU=openvpn, CN=openvpn-ca, ??=XX, emailAddress=abuse@XX openvpn(client)[1897]: VERIFY ERROR: depth=0, subject=C=FR, ST=XX, L=XX, O=XX, OU=openvpn, CN=server, ??=XX, emailAddress=abuse@XX: The certificate is signed with an unacceptable hash. openvpn(client)[1897]: TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed openvpn(client)[1897]: TLS Error: TLS object -> incoming plaintext read error openvpn(client)[1897]: TLS Error: TLS handshake failed
Both the CA cert and the server cert are RSA4096 with SHA1 signature. Strangely, the CA cert is accepted but the server cert is not.
This is similar to
FS#405
, but I think it’s overkill to disallow SHA1 certs: I guess there are lots of servers out there still using SHA1.