Netgate Discussion Forum
OpenSSL: error:0A000076:SSL routines::no suitable signature algorithm:

Category: OpenVPN
7 Posts, 2 Posters, 3.8k Views
slu, Jan 3, 2024, 9:59 AM (last edited by slu Jan 3, 2024, 2:49 PM)

I increased the debug level, but I don't see what exactly the problem with the TLS connection is.

I guess these clients need TLS 1.0; I added "tls-version-min 1.0;" to the server config, but without success.

Is TLS 1.0 not possible anymore?

jimp (Rebel Alliance Developer, Netgate), last edited Jan 3, 2024, 2:39 PM

      What version of pfSense software are you running?

      If it's a recent version with OpenSSL 3.0.x then the error would suggest that something in your certificates is using an old/weak hash algorithm such as SHA1 which is no longer supported.

      See this post for more info: https://forum.netgate.com/post/1120652

      There were similar warnings about compatibility in the release notes of recent versions as well.

slu @jimp, last edited Jan 3, 2024, 2:46 PM

        @jimp said in OpenSSL: error:0A000076:SSL routines::no suitable signature algorithm::

        What version of pfSense software are you running?

        Sorry, up-to-date 2.7.2.

        @jimp said in OpenSSL: error:0A000076:SSL routines::no suitable signature algorithm::

        If it's a recent version with OpenSSL 3.0.x then the error would suggest that something in your certificates is using an old/weak hash algorithm such as SHA1 which is no longer supported.

Yes, I saw that; the certs are all RSA-SHA512 with RSA and key size 4096.

The only idea I have is the TLS 1.0 requirement; I know the VPN clients needed this before.

I know they are pretty old, but for a long time there was no replacement because of broken supply chains...

jimp (Rebel Alliance Developer, Netgate) @slu, last edited Jan 3, 2024, 2:48 PM

          @slu said in OpenSSL: error:0A000076:SSL routines::no suitable signature algorithm::

          Yes I saw that, the certs all RSA-SHA512 with RSA and key size 4096.

          Does that include the CA, the server cert, and all client certs as well?

slu @jimp, Jan 3, 2024, 2:53 PM (last edited by slu Jan 3, 2024, 2:53 PM)

            @jimp said in OpenSSL: error:0A000076:SSL routines::no suitable signature algorithm::

            Does that include the CA, the server cert, and all client certs as well?

Yes, and these certs were all generated years(!) ago with pfSense 2.1.2.
This is why I think the root cause is another issue, maybe the TLS version.

slu @slu, Jan 3, 2024, 3:00 PM (last edited by slu Jan 3, 2024, 3:00 PM)

Found this; it looks like this is exactly my issue:
              https://github.com/openssl/openssl/issues/17476#issuecomment-1010812582

slu @slu, last edited Jan 3, 2024, 3:22 PM

Interesting, there is an option to allow SHA1 certs(?) with OpenSSL 3.x:
                https://github.com/OpenVPN/openvpn/blob/master/Changes.rst

                --tls-cert-profile insecure

I set this option (for testing only) and now it looks like this:

                ink remote: xx.xx.xx.xx
                TLS: Initial packet from xx.xx.xx.xx
                Connection reset, restarting [-1]

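The thread turns on whether any certificate in the OpenVPN PKI (CA, server cert, client certs) is signed with a SHA1-based algorithm that OpenSSL 3.x rejects by default, and the last post reaches for `--tls-cert-profile insecure` to work around it. Before loosening that profile, it is worth auditing the whole bundle. The script below is an added example, not code from this thread, from pfSense or from OpenVPN: it walks just enough DER to read each certificate's outer signatureAlgorithm OID with only the Python standard library, and flags the ones built on SHA1 or MD5. The two certificates it runs on are constructed stand-ins with a dummy tbsCertificate body (valid DER framing, not real certificates); on a real system you would feed it the PEM files exported from the pfSense Certificate Manager instead.

```python
"""Audit which certificates in a PEM bundle carry SHA1/MD5-based signatures.

Added example (not from the forum thread, pfSense or OpenVPN). Reads each
certificate's outer signatureAlgorithm OID with a minimal DER walker.
The sample bundle at the bottom is CONSTRUCTED: fake certificates with a
dummy tbsCertificate body.
"""
import base64
import hashlib
import re
import textwrap

# Signature algorithms built on SHA1 or MD5; OpenSSL 3.x rejects these at its
# default security level, the class of problem discussed in the thread.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# Algorithms that pass, listed only so the report prints a readable name.
STRONG_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Decode one DER tag/length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def _decode_oid(data):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    tag, cert_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    _, _, tbs_end = _read_tlv(der, cert_start)            # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)           # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)   # its algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm lacks an OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])

def audit_pem(pem_text):
    """One report entry per certificate in the bundle, in file order."""
    report = []
    for index, body in enumerate(_PEM_RE.findall(pem_text)):
        der = base64.b64decode("".join(body.split()))
        oid = signature_algorithm_oid(der)
        name = WEAK_SIGNATURE_OIDS.get(oid) or STRONG_SIGNATURE_OIDS.get(oid, "unknown")
        report.append({"index": index, "oid": oid, "algorithm": name,
                       "weak": oid in WEAK_SIGNATURE_OIDS,
                       "sha256": hashlib.sha256(der).hexdigest()[:16]})  # short fingerprint
    return report

def weak_certificates(pem_text):
    """Indexes of the certificates that would have to be reissued."""
    return [e["index"] for e in audit_pem(pem_text) if e["weak"]]

# --- CONSTRUCTED sample input: fake certificates with valid DER framing only ---
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def _fake_certificate(sig_oid):
    """Real Certificate layout, dummy body; only the signatureAlgorithm matters here."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x04, b"constructed-tbs-placeholder " * 8))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" * 65)          # BIT STRING: unused-bits byte + dummy signature
    return _tlv(0x30, tbs + alg + sig)

def _to_pem(der):
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# A SHA1-signed cert (rejected by OpenSSL 3.x defaults) followed by a SHA512 one.
SAMPLE_BUNDLE = (_to_pem(_fake_certificate("1.2.840.113549.1.1.5"))
                 + _to_pem(_fake_certificate("1.2.840.113549.1.1.13")))

if __name__ == "__main__":
    for entry in audit_pem(SAMPLE_BUNDLE):
        print(entry)
```

Run it against the concatenated CA, server and client PEM files; any entry with `"weak": True` is a certificate that `--tls-cert-profile insecure` would be papering over, and reissuing those under the existing SHA512 profile removes the need for the workaround. The DER walker only skips the tbsCertificate and reads the outer algorithm, so it makes no judgement about key size or the inner `signature` field.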
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.