OpenSSL: error:0A000076:SSL routines::no suitable signature algorithm:
- 
 I increased the debug level, but don't see what exactly the problem with the TLS connection is. I guess these clients need TLS 1.0; I added "tls-version-min 1.0;" to the server config, but without success. Is TLS 1.0 not possible anymore? 
- 
 What version of pfSense software are you running? If it's a recent version with OpenSSL 3.0.x then the error would suggest that something in your certificates is using an old/weak hash algorithm such as SHA1 which is no longer supported. See this post for more info: https://forum.netgate.com/post/1120652 There were similar warnings about compatibility in the release notes of recent versions as well. 
- 
 @jimp said in OpenSSL: error:0A000076:SSL routines::no suitable signature algorithm::
 What version of pfSense software are you running?
 Sorry, up-to-date 2.7.2.
 @jimp said in OpenSSL: error:0A000076:SSL routines::no suitable signature algorithm::
 If it's a recent version with OpenSSL 3.0.x then the error would suggest that something in your certificates is using an old/weak hash algorithm such as SHA1 which is no longer supported.
 Yes, I saw that; the certs are all RSA-SHA512 with RSA and key size 4096. The only idea I have is the requirement of TLS 1.0; I know the VPN clients needed this before. I know they are pretty old, but for a long time there was no replacement because of broken supply chains... 
- 
 @slu said in OpenSSL: error:0A000076:SSL routines::no suitable signature algorithm::
 Yes, I saw that; the certs are all RSA-SHA512 with RSA and key size 4096.
 Does that include the CA, the server cert, and all client certs as well? 
- 
 @jimp said in OpenSSL: error:0A000076:SSL routines::no suitable signature algorithm::
 Does that include the CA, the server cert, and all client certs as well?
 Yes, and these certs were all generated years(!) ago with pfSense 2.1.2.
 This is why I think the root cause is another issue, maybe the TLS version.
- 
 Found this, looks like this is exactly my issue: 
 https://github.com/openssl/openssl/issues/17476#issuecomment-1010812582
- 
 Interesting, there is an option to use SHA1 certs(?) with openssl 3.x: 
 https://github.com/OpenVPN/openvpn/blob/master/Changes.rst
 --tls-cert-profile insecure
 I set this option (for testing only) and now it looks like:
 ink remote: xx.xx.xx.xx
 TLS: Initial packet from xx.xx.xx.xx
 Connection reset, restarting [-1]
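The check jimp asks for above (is the CA, the server cert and every client cert signed with something stronger than SHA-1?) can be done without a TLS handshake at all. The script below is an added example written for this thread; it is not code from the thread, from pfSense or from OpenVPN. It reads the outer signatureAlgorithm OID straight out of each certificate's DER encoding with a small stdlib-only parser, so it runs anywhere Python 3 is available. The certificate it exercises in `constructed_cert()` is a constructed skeleton with a placeholder tbsCertificate and signature; only the outer structure is realistic, and it is not a verifiable certificate.

```python
"""Flag X.509 certificates whose outer signature uses SHA-1 or MD5.

OpenSSL 3.x at its default security level (1) no longer accepts SHA-1
(or MD5) certificate signatures, which is one cause of the OpenVPN
error "no suitable signature algorithm".  Usage with real files:
    python3 check_sigalg.py ca.crt server.crt client*.crt
"""
import base64
import re
import sys

# Dotted OIDs of signature algorithms that OpenSSL 3 rejects by default.
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
KNOWN_SIG_OIDS = {
    **WEAK_SIG_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode DER OID content octets (base-128 arcs) into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = read_tlv(cert, 0)        # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def classify(der):
    """Return (algorithm name or raw OID, True if OpenSSL 3 rejects it by default)."""
    oid = signature_algorithm(der)
    return KNOWN_SIG_OIDS.get(oid, oid), oid in WEAK_SIG_OIDS


def pem_to_der(pem):
    """Return the DER body of every CERTIFICATE block in a PEM text (CA bundles too)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def to_pem(der):
    """Wrap one DER certificate in a PEM CERTIFICATE block."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"


def _tlv(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Encode a dotted OID into DER content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def constructed_cert(sig_oid):
    """Constructed certificate skeleton carrying sig_oid as its outer signatureAlgorithm.
    The tbsCertificate and signatureValue are placeholders; this is NOT a real certificate.
    The 2048-bit-sized signature forces long-form DER lengths, so that path gets exercised."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\x00" * 256)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path) as fh:
            for i, der in enumerate(pem_to_der(fh.read())):
                name, weak = classify(der)
                print(f"{path}[{i}]: {name}{'  <-- rejected by OpenSSL 3 default security level' if weak else ''}")
```

Run it over the CA, the server cert and every client cert (a PEM bundle with several certificates is handled as well); any line flagged as weak is a certificate that has to be reissued with SHA-256 or stronger. On a box with OpenSSL installed, `openssl x509 -in cert.pem -noout -text | grep 'Signature Algorithm'` shows the same field. The `--tls-cert-profile insecure` option mentioned in the thread only relaxes OpenVPN's check; reissuing the affected certificates removes the cause.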