LinuxQuestions.org
Old 02-29-2024, 02:15 AM   #1
vlrk
Member
 
Registered: Dec 2008
Posts: 51

Rep: Reputation: 1
Details related to "CA signature digest algorithm too weak"


Hi all, I have a query related to the error log "CA signature digest algorithm too weak".

This is shown after I migrated from openssl 1.1.1u to openssl 3.1.1.

The same goes away when I set SSL_CTX_set_cipher_list(ctx,"ALL:eNULL:@SECLEVEL=0");

Any idea related to this?
 
Old 02-29-2024, 12:42 PM   #2
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 798

Rep: Reputation: 256
Look at the CA cert in question. Specifically, the line Signature Algorithm. A while back, I updated OpenSSL and it broke my CA as sha1 was no longer allowed. None of the certs would work with things linked against the new SSL. Check the CA cert with
Code:
openssl x509 -in ca-crt.pem -noout -text

...

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
            Netscape Cert Type: 
                SSL CA, S/MIME CA
    Signature Algorithm: sha256WithRSAEncryption
sha256 is fine. For now. If that's not it then I'm not sure.
 
Old 03-05-2024, 08:06 PM   #3
vlrk
Member
 
Registered: Dec 2008
Posts: 51

Original Poster
Rep: Reputation: 1
Thanks @jayjwa,

Team,

Need help in understanding the below.

What is the exact difference between SSL_CTX_set_cipher_list(ctx, "HIGH:SHA1:@SECLEVEL=0"), which is being used with openssl-3.1.1, and just keeping SSL_CTX_set_cipher_list(ctx, "ALL") (this setting being used in openssl-1.1.1u)?

I am moving from openssl-1.1.1u to openssl-3.1.1. So I am not sure: with this, am I decreasing the security level overall to support SHA1 compared to the 1.1.1u version?

Please share your thoughts

Regards
 
  

