Netgate Discussion Forum

OpenVPN Server defaults to SHA1
Heli0s

      My OpenVPN Server user certificates for some reason always default to "auth SHA1" instead of SHA512 (which is the hashing algorithm I specified when I created the user certs). Is there some setting that I need to edit that I've missed?

Derelict LAYER 8 Netgate

        auth SHA512;

        in the advanced config doesn't do it for you?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

Heli0s

That worked! Didn't know I could do that lol

          The only question that I have is that when I export the ovpn file, it still shows SHA1. Does that mean that I'll need to manually modify it each time? Or is there some setting I need to fix?

cmb

auth in OpenVPN is for HMAC; it's not related to what your certificates use. It's GUI-controllable in 2.2. If you want to use something else in 2.1x or earlier versions, you'll have to specify it as a custom option in the client export and make sure it matches the server's config there. There is no need to change it because of your certificates though. SHA1 is OpenVPN's default for HMAC.

Derelict LAYER 8 Netgate

              It doesn't look like the client export pulls special settings from the server (hard to tell which need to be in the client anyway.)

              If you want client export to default to auth SHA512; I think you'll need to modify the php used for the config page.

              That is /usr/local/www/vpn_openvpn_export.php

              The line in question would look like this:

Will not survive upgrades/reinstalls/etc. Should survive reboots. Caveat emptor, YMMV, "voids warranty", etc.

              Otherwise just put it in advanced options every time.

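An added example, not code from the thread or from pfSense, that checks the two points cmb and Derelict make above: the auth directive selects the HMAC digest (SHA1 when absent), and the exported client config must carry the same auth value as the server because the export does not pull it from the server config. The config strings are constructed samples.

```python
import re
from typing import Optional

# Constructed sample configs (not real pfSense exports). The server carries the
# custom "auth SHA512;" option from the advanced config box; the exported
# client file omits it, which is the situation described in the thread.
SERVER_CONF = """\
dev ovpns1
proto udp
cipher AES-256-CBC
auth SHA512;
tls-auth /var/etc/openvpn/server1.tls-auth 0
"""

CLIENT_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194 udp
cipher AES-256-CBC
auth-user-pass
"""

# OpenVPN negotiates this HMAC digest when no "auth" directive is given.
OPENVPN_DEFAULT_AUTH = "SHA1"


def effective_auth(config: str) -> str:
    """Return the HMAC digest this config will use.

    Only the first "auth <digest>" directive counts. "auth-user-pass" and
    "tls-auth" are different directives and are ignored. A trailing ';'
    (the separator used in the pfSense advanced options box) is tolerated,
    and names are upper-cased so "sha512" and "SHA512" compare equal.
    """
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^auth\s+([A-Za-z0-9-]+)\s*;?$", line)
        if match:
            return match.group(1).upper()
    return OPENVPN_DEFAULT_AUTH


def auth_mismatch(server_conf: str, client_conf: str) -> Optional[str]:
    """Return a description of the mismatch, or None when both sides agree."""
    server, client = effective_auth(server_conf), effective_auth(client_conf)
    if server == client:
        return None
    return f"server uses {server}, client uses {client}: add 'auth {server}' to the client"


if __name__ == "__main__":
    print(auth_mismatch(SERVER_CONF, CLIENT_OVPN))
```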
Heli0s

From a security standpoint, is it worth changing it? Also, what is the default hash that pfSense uses when creating user certs (when creating the user)? I know that when I manually create a cert I can change it to whatever I want, but when you create it from the user creation screen, it doesn't ask you the hash type/size.

cmb

There's no need to change the HMAC alg; it's not like certs, where SHA1 is no longer recommended.

Heli0s

                    What's the default cert algorithm?

Derelict LAYER 8 Netgate

                      Dude, really?

                      ![Screen Shot 2014-11-08 at 10.34.11 AM.png](/public/imported_attachments/1/Screen Shot 2014-11-08 at 10.34.11 AM.png)

Heli0s

                        I said I know how to do it when you manually create a cert. My question was about creating a cert when you create a user.

                        Untitled.png

Derelict LAYER 8 Netgate

                          Looks like sha256.
