How can I use an old (md5) certificate with OpenVPN 2.5.3?

I used to use LEDE and this problem was not there. I upgraded to OpenWRT 21.02. I have an old client with BF-CBC encryption. I need to make a server for it. I cannot change the certificate on the client. New version of OpenVPN doesn't want to use my old certificate:

OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Cannot load certificate file /etc/openvpn/cbid.openvpn.vpn_wrk.cert
Exiting due to fatal error

Is there any way to fix this?

No, it aint (at least not with MD5).

But what is the point of having a VPN at all if you don’t have any encryption?
MD5 has been out of business a very long time now, we talk MANY years!

And why can’t you do better certificates? Easy-RSA is just ready to download and start making usefull certs.

At the beginning I wrote that I cannot change the certificate.
I found a solution to the problem of "bad" certificates for clients.
For example:

http://ics-openvpn.blinkt.de/FAQ.html
The solution to the problem is to add to the OpenVPN configuration:

tls-cipher "DEFAULT:@SECLEVEL=0"

But I didn't find a solution for the server. And I don't understand how to add such a setting for OpenWRT. I see that a different syntax is used for OpenWRT. For example, if I add to config/openvpn

option tls-cipher 'DEFAULT:@SECLEVEL=0'

Then the whole OpenVPN is destroyed.

OpenVPN works just fine, if you use it right and actually care about security.
But MD5 isn’t an approved encryption on this planet any more and it hasn’t been since at least the year 2018.

OpenWRT 21.02 has OpenVPN 2.5, which is TLS1.3 approved and the basic definition of TLS1.3 is that the garbage (for example MD5) is thrown out.
You are refereing to OpenVPN 2.4 in your link and actually to a completely different random error!?.

Encryption is a moving target so you need to realize that if you want to play with encrypted vpn tunnels.

But to solve the problem you are free to use OpenWRT 19.07 with OpenVPN 2.4 if you want. But the MD5 still doesn’t work for security and you only push the basic problem in front of you. So this solution is actually a glass house that only looks good in your own eyes.

you need to approach the problem differently - temporarily build a new host/old router/vm (virtualbox etc) with lede or some other 2017 era packages (debian 8, ubuntu 16 etc) to allow you to start the openvpn server with the md5 cert it works (port forward might be required)
As soon as you connect the old client change its config with a new modern cert

Blowfish in CBC mode (BF-CBC) deprecation
The --cipher option defaulted to BF-CBC in OpenVPN 2.4 and older version. The default was never changed to ensure backwards compatibility. In OpenVPN 2.5 this behaviour has now been changed so that if the --cipher is not explicitly set it does not allow the weak BF-CBCcipher any more and needs to explicitly added as --cipher BFC-CBC or added to--data-ciphers.
We strongly recommend to switching away from BF-CBC to a more secure cipher as soon as possible instead.

https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
The real OpenVPN manual say this.

2 Likes

I have seen this information. And added to the config:

option cipher 'BF-CBC'
option cipher 'AES-256-GCM'
option cipher 'AES-128-GCM'

This helped turn off the warning:

--cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.

But it didn’t allow working with MD5 certificate.
I understand all the potential dangers. But the client with the old certificate is located on the yacht. This yacht is not always available on the internet. In this case, often access to the Internet via satellite. Even sending new certificates there is a problem. Therefore I am looking for a solution to work with old certificates.
And I cannot understand - if this command

tls-cipher "DEFAULT:@SECLEVEL=0"

allows the client to work with the old certificate, then there must be a similar solution for the server.

Afaik OpenVPN servers released after 2018 do not accept MD5 certificates as a way to force people still using unsecure setups to upgrade, and after a bit where it was just deprecated it was removed entirely, so nothing you can do will make it work https://openvpn.net/faq/md5-signature-algorithm-support/

We have therefore decided to implement a transitional period in which we will still allow MD5 signed certificates to function, until May 2018, when we will start cutting support for MD5 out of OpenVPN entirely.

So if you want to still use this setup, you need to install an older OpenVPN server, as simple as that

2 Likes

Yachts will eventually reach a port to resupply, so you can just rollback your OpenWrt device to 19.x if everything was working with that version, then schedule a certificate change for the next time this boat reaches a port and you can send an email or something to the crew.

1 Like

Thanks for the unequivocal answer.