Stunnel version 5.63 and openssl 3.0.2 CA signature digest algorithm too weak
I upgraded to version 5.63 on openssl 3.02 and received a CA signature digest algorithm too week error. I tried setting the securityLevel to 2 and also to 1 and the error did not go away. I have no way to change the certificate on the remove system. Is there an way around this problem? Thanks, Carter
Hi, c t browne <cbcs@comcast.net> wrote:
I upgraded to version 5.63 on openssl 3.02 and received a CA signature digest algorithm too week error. I tried setting the securityLevel to 2 and also to 1 and the error did not go away. I have no way to change the certificate on the remove system.
OpenSSL 3 forbids SHA-1 signatures in security level 1 and above. Try security level 0. Note that SHA-1 is insecure, and collisions on SHA-1 signatures can probably computed at less than 50k USD a piece [1], so you should contact whoever is in charge of the remote system to move away from SHA-1. [1]: https://eprint.iacr.org/2020/014.pdf HTH, Clemens Lang
Thanks, That worked. Carter On 3/30/2022 2:12 PM, Clemens Lang wrote:
Hi,
c t browne <cbcs@comcast.net> wrote:
I upgraded to version 5.63 on openssl 3.02 and received a CA signature digest algorithm too week error. I tried setting the securityLevel to 2 and also to 1 and the error did not go away. I have no way to change the certificate on the remove system.
OpenSSL 3 forbids SHA-1 signatures in security level 1 and above. Try security level 0.
Note that SHA-1 is insecure, and collisions on SHA-1 signatures can probably computed at less than 50k USD a piece [1], so you should contact whoever is in charge of the remote system to move away from SHA-1.
[1]: https://eprint.iacr.org/2020/014.pdf
HTH, Clemens Lang
participants (2)
-
c t browne -
Clemens Lang