I upgraded to version 5.63 on openssl 3.02 and received a CA signature digest algorithm too weak error. I tried setting the securityLevel to 2 and also to 1 and the error did not go away. I have no way to change the certificate on the remote system.
Is there a way around this problem?
Thanks, Carter
Hi,
c t browne cbcs@comcast.net wrote:
> I upgraded to version 5.63 on openssl 3.02 and received a CA signature digest algorithm too weak error. I tried setting the securityLevel to 2 and also to 1 and the error did not go away. I have no way to change the certificate on the remote system.
OpenSSL 3 forbids SHA-1 signatures in security level 1 and above. Try security level 0.
Note that SHA-1 is insecure, and collisions on SHA-1 signatures can probably be computed at less than 50k USD a piece [1], so you should contact whoever is in charge of the remote system to move away from SHA-1.
[1]: https://eprint.iacr.org/2020/014.pdf
HTH, Clemens Lang
Thanks,
That worked.
Carter
On 3/30/2022 2:12 PM, Clemens Lang wrote:
> Hi,
> c t browne cbcs@comcast.net wrote:
> > I upgraded to version 5.63 on openssl 3.02 and received a CA signature digest algorithm too weak error. I tried setting the securityLevel to 2 and also to 1 and the error did not go away. I have no way to change the certificate on the remote system.
> OpenSSL 3 forbids SHA-1 signatures in security level 1 and above. Try security level 0.
> Note that SHA-1 is insecure, and collisions on SHA-1 signatures can probably be computed at less than 50k USD a piece [1], so you should contact whoever is in charge of the remote system to move away from SHA-1.
> [1]: https://eprint.iacr.org/2020/014.pdf
> HTH, Clemens Lang