List: stunnel-users
Subject: [stunnel-users] Re: Stunnel version 5.63 and openssl 3.0.2 CA signature digest algorithm too weak
From: c t browne <cbcs () comcast ! net>
Date: 2022-03-30 19:31:46
Message-ID: 1ead1bc8-22e0-1e04-d7f6-bbaa61048a99 () comcast ! net
Thanks,
That worked.
Carter
On 3/30/2022 2:12 PM, Clemens Lang wrote:
> Hi,
>
> c t browne <cbcs@comcast.net> wrote:
>
>> I upgraded to version 5.63 on openssl 3.02 and received a CA signature
>> digest algorithm too weak error. I tried setting the securityLevel to 2
>> and also to 1 and the error did not go away. I have no way to change the
>> certificate on the remote system.
>
> OpenSSL 3 forbids SHA-1 signatures in security level 1 and above. Try
> security level 0.
>
> Note that SHA-1 is insecure, and collisions on SHA-1 signatures can
> probably be computed at less than 50k USD a piece [1], so you should
> contact whoever is in charge of the remote system to move away from SHA-1.
>
> [1]: https://eprint.iacr.org/2020/014.pdf
>
>
> HTH,
> Clemens Lang
>
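Before dropping to securityLevel = 0, it is worth confirming that the remote chain really carries a SHA-1 signature and which certificate does. The following is an added Python example (not from this thread, not stunnel or OpenSSL code) that reads the outer signatureAlgorithm OID of a DER certificate with a minimal DER walker and flags the SHA-1 schemes; the two DER blobs at the end are constructed skeletons, not real certificates, and the PEM helper is a convenience for feeding it a saved chain.

```python
import base64
import re

# Signature-algorithm OIDs built on SHA-1 (RFC 3279 / RFC 5758).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-SHA1",
}

def _tlv(buf, pos):
    """Read one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content octets to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                      # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Return the OID of the outer signatureAlgorithm of a DER Certificate."""
    tag, start, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    tag2, _, tbs_end = _tlv(der, start)       # tbsCertificate, skipped whole
    tag3, alg_start, _ = _tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    tag4, oid_start, oid_end = _tlv(der, alg_start)
    if (tag, tag2, tag3, tag4) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not a DER Certificate structure")
    return _decode_oid(der[oid_start:oid_end])

def pem_to_der(pem):
    """Extract the first CERTIFICATE block from PEM text as DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def sha1_signature_name(der):
    """Name of the SHA-1 signature scheme if the cert uses one, else None."""
    return SHA1_SIG_OIDS.get(signature_oid(der))

# Constructed DER skeletons (NOT real certificates): SEQUENCE { SEQUENCE { INTEGER 2 },
# SEQUENCE { OID, NULL }, BIT STRING }; only the signatureAlgorithm OID differs.
SAMPLE_SHA1 = bytes.fromhex("3018300302010230 0d06092a864886f70d010105 0500 03020000")
SAMPLE_SHA256 = bytes.fromhex("3018300302010230 0d06092a864886f70d01010b 0500 03020000")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_SHA1).decode() + "\n-----END CERTIFICATE-----\n"
```

Run it over each certificate in the chain the remote side presents (for example, saved with `openssl s_client -showcerts`); a non-None result on the CA certificate is exactly what OpenSSL 3 rejects at security level 1 and above.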
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org