-   Linux - Security (
-   -   Problems with SHA2 on OpenVPN (

Jsn21 09-22-2015 12:10 PM

Problems with SHA2 on OpenVPN
I am using OpenSSH and OpenVPN on Raspbian. I've been trying to set up a VPN server, and after following this tutorial I was able to make a fully functional VPN server and OVPN client file. However upon further investigation, my certs and the tunnel were defaulting to SHA-1. So I googled, found out how to change the defaults in OpenSSL and OpenVPN, and re-generated all of my keys. Upon reboot I was greeted with the log message: "Message Hash Algorithm 'SHA-256' not found (OpenSSL)".

Because the version in the Raspbian git was old, I updated to the one in the "jessie" repository, which got me to OpenSSL v1.0.1k and OpenVPN 2.2.1 - as I assumed the old build didn't have SHA2 built in. But alas, same error. OpenVPN lists sha-256 and variants, but openssl only lists md4, md5, rmd160, sha, sha1 as message digest options.

More googling suggested that it could be how OpenSSL was built, so I downloaded the source and was about to build 1.0.2c from scratch. However I stopped when I looked at the readme and the only message digests it listed were md5, md2, sha, sha1, mdc2.

Am I misunderstanding this? I thought SHA-1 was insecure and we were supposed to be migrating away from it. I'm not trying to set up the most secure VPN in the world, but since this box is facing the world while living on my private network, I wanted to make sure it stood a decent chance of being secure. Is SHA-1 the most secure message digest currently available? Does the digest not matter as much as the cipher? Is the digest different from the 'hash algorithm'?

Any help or insight into something I'm not understanding would be very much appreciated. Thanks.

XA4 03-15-2017 04:01 PM

Hello, this is maybe too late, but I found me on the same error message.

If you use in your terminal openvpn --show-digests, it will list available digests. For SHA-256, codename must be indicated as SHA256, without the '-' between.

Hope it helps.

But now I need help.
I'm searching for rebuilding and regenerate my certs, for not signing them with SHA1, and found nothing but change defaults on OpenSSL, but before of throwing to trash all the certs I got right now, I've been trying to generate new client signed with the new defaults but still generating certificates signed with SHA1.

Should I rebuild all? I hear somewhere that client certificates get signed by CA. Should I rebuild only CA for sign new certificates with new defaults?

XA4 03-15-2017 04:03 PM

This is just a test. I'm new to the forum.

sundialsvcs 03-15-2017 04:41 PM

This might be relevant: 16 Tips on OpenVPN Security.

XA4 03-15-2017 04:44 PM

Yeah, just right there I am.

But doesn't say how to make things to sign certificates with SHA256 instead of SHA1.

XA4 03-16-2017 08:17 AM

I think i've found it, but it's very manual.

We have to edit those files (openssl.cnf files provided with easy-rsa 2.0 and pkitool script)

All times are GMT -5. The time now is 03:37 AM.