0.7.25 cannot load inline certificate with SHA1/MD5 signature

[deviatingchaos]

To make issues more manageable, I would appreciate it if you fill out the following details as applicable:

General information

1. Android Version - 11, September security patch
2. Android Vendor/Custom ROM - Samsung/ATT
3. Device - S21 Ultra
4. Version of the app (version number/play store version/self-built) - 0.7.25

Description of the issue

Since update cannot connect, error states:

04:30 OpenSSL: error:0A00018E:SSL routines::ca md too weak
04:30 OpenSSL reported a certificate with a weak hash, please the in app FAQ about weak hashes
04:30 Cannot load inline certificate file

I am not using MD5, rather SHA512. Reverting to 0.7.23 it functions fine. Everything on my end is up to date. Connecting using OpenVPN Connect works fine as well. I have seen one other report of this specific error on the OpenVPN sub on Reddit.

Thanks!

[schwabe]

Please do a openssl x509 -noout -text -in cert.pem on the ca and cert to ensure that your certs really do not use SHA1/MD5.

[KeithMnemonic]

Is there any other workaround if you have SHA1, other than the SECLEVEL mentioned in the other discussions?

[schwabe]

Not really. Support for SHA1 certificates at default security level is not coming back. The options are only to lower the security level or to replace the offending certificates

[schwabe]

0.7.29 will allow setting tls-cert-profile insecure as more convenient way to lower the security level.

[KeithMnemonic]

Thank you for adding this in 07.29

[KeithMnemonic]

That is unforutnate as openssl 1.1,1 seems to still be in LTS for a while. https://www.openssl.org/source/

[schwabe]

And your point is? That I should rather use the old OpenSSL rather than the new one?

[deviatingchaos]

Alright, so the issue I was having was somehow during a router firmware update it reverted to SHA1 when it had been updated already. There is a fix in progress for that, so the issue I had was nothing to do with this app. So, Arne was right.