Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-22-2015, 12:10 PM   #1
LQ Newbie
Registered: Sep 2015
Posts: 1
Problems with SHA2 on OpenVPN

I am using OpenSSH and OpenVPN on Raspbian. I've been trying to set up a VPN server, and after following this tutorial I was able to make a fully functional VPN server and OVPN client file. However, upon further investigation, my certs and the tunnel were defaulting to SHA-1. So I googled, found out how to change the defaults in OpenSSL and OpenVPN, and re-generated all of my keys. Upon reboot I was greeted with the log message: "Message Hash Algorithm 'SHA-256' not found (OpenSSL)".

Because the version in the Raspbian git was old, I updated to the one in the "jessie" repository, which got me to OpenSSL v1.0.1k and OpenVPN 2.2.1, as I assumed the old build didn't have SHA2 built in. But alas, same error. OpenVPN lists sha-256 and variants, but openssl only lists md4, md5, rmd160, sha, sha1 as message digest options.

More googling suggested that it could be how OpenSSL was built, so I downloaded the source and was about to build 1.0.2c from scratch. However I stopped when I looked at the readme and the only message digests it listed were md5, md2, sha, sha1, mdc2.

Am I misunderstanding this? I thought SHA-1 was insecure and we were supposed to be migrating away from it. I'm not trying to set up the most secure VPN in the world, but since this box is facing the world while living on my private network, I wanted to make sure it stood a decent chance of being secure. Is SHA-1 the most secure message digest currently available? Does the digest not matter as much as the cipher? Is the digest different from the 'hash algorithm'?

Any help or insight into something I'm not understanding would be very much appreciated. Thanks.
Old 03-15-2017, 04:01 PM   #2
LQ Newbie
Registered: Mar 2017
Posts: 4
Hello, this is maybe too late, but I found myself facing the same error message.

If you run openvpn --show-digests in your terminal, it lists the available digests. For SHA-256, the name must be given as SHA256, without the '-' in between.

Hope it helps.

But now I need help.
I'm looking into rebuilding and regenerating my certs so they are not signed with SHA1, and found nothing but changing the defaults in OpenSSL. But before throwing away all the certs I have right now, I've been trying to generate a new client cert signed with the new defaults, and it is still generating certificates signed with SHA1.

Should I rebuild everything? I heard somewhere that client certificates get signed by the CA. Should I rebuild only the CA to sign new certificates with the new defaults?
Old 03-15-2017, 04:03 PM   #3
LQ Newbie
Registered: Mar 2017
Posts: 4
This is just a test. I'm new to the forum.
Old 03-15-2017, 04:41 PM   #4
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4
This might be relevant: 16 Tips on OpenVPN Security.
Old 03-15-2017, 04:44 PM   #5
LQ Newbie
Registered: Mar 2017
Posts: 4
Yeah, that's exactly where I am.

But it doesn't say how to make things sign certificates with SHA256 instead of SHA1.
Old 03-16-2017, 08:17 AM   #6
LQ Newbie
Registered: Mar 2017
Posts: 4
I think I've found it, but it's very manual.

We have to edit those files (the openssl.cnf files provided with easy-rsa 2.0 and the pkitool script).
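Added example (not code from this thread, easy-rsa or OpenVPN): a small Python check for the question raised in posts #2 and #6, whether the certificates you just regenerated are still signed with SHA1. It decodes the DER signatureAlgorithm field of the certificate directly, so it needs no third-party library; the sample DER blobs at the bottom are constructed framing with an empty tbsCertificate, not real certificates, and exist only so the check can be exercised offline.

```python
"""Report which digest signed an X.509 cert by decoding its DER signatureAlgorithm."""
import base64
import re

# Well-known signature algorithm OIDs (PKCS#1 RSA arc and X9.62 ECDSA arc)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real certs use it)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OID content octets into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Name (or dotted OID if unknown) of the algorithm that signed the cert.
    Accepts DER bytes or a PEM string as written out by easy-rsa/openssl."""
    if isinstance(cert, str):
        m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", cert, re.S)
        cert = base64.b64decode("".join(m.group(1).split()))
    _, body, _ = _tlv(cert, 0)             # Certificate ::= SEQUENCE {
    _, _, pos = _tlv(body, 0)              #   tbsCertificate (skipped)
    _, alg, _ = _tlv(body, pos)            #   signatureAlgorithm SEQUENCE {
    _, oid_raw, _ = _tlv(alg, 0)           #     algorithm OID
    oid = _decode_oid(oid_raw)
    return SIG_OIDS.get(oid, oid)

def uses_sha1(cert):
    return "sha1" in signature_algorithm(cert).lower()

# Constructed samples (assumption: not real certs), just the outer framing:
# SEQUENCE { empty tbsCertificate, AlgorithmIdentifier, empty BIT STRING }
_FRAME = "3014" + "3000" + "300d0609{}0500" + "030100"
SAMPLE_SHA256_DER = bytes.fromhex(_FRAME.format("2a864886f70d01010b"))
SAMPLE_SHA1_DER = bytes.fromhex(_FRAME.format("2a864886f70d010105"))
SAMPLE_SHA1_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_SHA1_DER).decode()
```

Run signature_algorithm() over the contents of your CA, server and client .crt files: if the CA itself still reports sha1WithRSAEncryption, only re-issuing the CA with the new default_md, then the certificates it signs, will change the answer.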