
List:       stunnel-users
Subject:    [stunnel-users] Re: Stunnel version 5.63 and openssl 3.0.2 CA signature digest algorithm too weak
From:       c t browne <cbcs () comcast ! net>
Date:       2022-03-30 19:31:46
Message-ID: 1ead1bc8-22e0-1e04-d7f6-bbaa61048a99 () comcast ! net


Thanks,

That worked.

Carter

On 3/30/2022 2:12 PM, Clemens Lang wrote:
> Hi,
>
> c t browne <cbcs@comcast.net> wrote:
>
>> I upgraded to version 5.63 on openssl 3.02 and received a CA signature
>> digest algorithm too weak error. I tried setting the securityLevel to 2
>> and also to 1 and the error did not go away. I have no way to change the
>> certificate on the remote system.
>
> OpenSSL 3 forbids SHA-1 signatures in security level 1 and above. Try
> security level 0.
>
> Note that SHA-1 is insecure, and collisions on SHA-1 signatures can
> probably be computed at less than 50k USD a piece [1], so you should contact
> whoever is in charge of the remote system to move away from SHA-1.
>
>   [1]: https://eprint.iacr.org/2020/014.pdf
>
>
> HTH,
> Clemens Lang
>
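
An added example, not from this thread or from the stunnel project: a stdlib-only Python check that reads a DER-encoded X.509 certificate and reports its outer signature algorithm, so you can tell which certificate in the remote chain is SHA-1 signed (and therefore only accepted at securityLevel = 0 in OpenSSL 3) before asking the remote administrator for a replacement. The OID table is the standard one; the sample certificate is constructed and is not a valid certificate.

```python
# Added example (not stunnel's code): stdlib-only DER walker that reports a
# certificate's outer signatureAlgorithm. OpenSSL 3 refuses these SHA-1 OIDs
# at securityLevel 1 and above, so a chain containing one needs level 0.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                              # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:
        length, start = first, pos + 2
    return tag, buf[start:start + length], start + length

def _decode_oid(value):
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:                           # base 128, high bit = continue
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)                # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)              # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)                 # OBJECT IDENTIFIER
    return _decode_oid(oid)

def needs_security_level_0(der):
    """True if the certificate is SHA-1 signed, i.e. rejected at securityLevel >= 1."""
    return signature_algorithm_oid(der) in SHA1_SIGNATURE_OIDS

def _tlv(tag, body):                              # short-form length suffices here
    return bytes([tag, len(body)]) + body

# Constructed sample, not a real certificate: empty tbsCertificate, an
# AlgorithmIdentifier of sha1WithRSAEncryption, and a dummy BIT STRING.
SAMPLE_SHA1_CERT = _tlv(0x30, _tlv(0x30, b"")
    + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010105")) + _tlv(0x05, b""))
    + _tlv(0x03, b"\x00"))
```

To check a real chain, save each certificate printed by `openssl s_client -showcerts` and convert it with `openssl x509 -outform DER` before passing the bytes to `needs_security_level_0`.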


_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org