SSL VPN - Cert Error

Hello everyone,

I am using the latest version of Sophos UTM and everything is working very well so far.

Recently I have the problem that I can no longer create an SSL VPN. I work with a self-signed certificate; I have also tried to create a new one with higher encryption, but the problem persists. Do I have to buy an official certificate so that I can use SSL VPN again?

Error Log can be found in the attachment.

Thanks for your help.

Best regards



  • SHA-1 is considered unsafe and deprecated.
    Re-generate the CA certificate using a more secure algorithm (at least SHA-256, maybe SHA-512 or even ECDSA).

  • Hi Alan,

    Thank you for your answer.

    I'm a bit confused, maybe because I don't configure the firewall that often anymore.

    But when I go to Certificate Management on the Sophos UTM - I generate a new certificate - but I can't choose the encryption - where can I configure this?

    When I go to Remote Access - SSL VPN and Advanced, I have configured the following:
    AES-256-CBC
    SHA-2 256
    4096bit

    What am I doing wrong? Funnily enough, you are right, SHA1 is always selected, although I have adjusted this for SSL before I generate the new self-signed certificate.

    Can you give me a hint?

    Best regards

  • Are you using p12 files created by the UTM on your client?

    I get this on the clients (which are Fedora laptops) after recent client OS updates:

    nm-openvpn[593966]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
    nm-openvpn[593966]: OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
    nm-openvpn[593966]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption

    This is caused by the outdated version of OpenSSL used on the UTM. Current versions don't support RC2-40-CBC anymore.

    For me the solution was to unpack the p12 files on my laptop (Fedora 39) using the openssl --legacy option, create the individual ca.cert, user.cert and user.key files, and then recreate the p12 (I prefer p12's because it keeps the user's private key protected).

  • Hello everyone,

    I only do the configuration via Sophos UTM, because I am not so Linux-affine.

    Basically I have only renewed the CERT of the firewall (KeySize 2024) and have the SSL configuration on AES256-CBC / SHA2 512 / 4096 bit - with the new certificate. Unfortunately, I still get the SHA1 error.

    Is there a guide that explains step by step how I can solve this problem via the console/PC? I am working with a Windows 10 computer.

    Three additional questions:
    1. Can the problem be solved at all via the Sophos UTM GUI?
    2. Is there a guide to solve the problem?
    3. Does the SSL VPN work with a self-signed certificate, or is it a Sophos UTM issue?

    Many thanks for your help.

    Best regards

  • What do you mean by "The CERT"?

    There are several certificates used in an SSL VPN connection: the server-side certificate (by default called "Local X509 Cert"), the user certificate (called an "X509 user cert"), and the VPN Signing CA certificate, which by default is SHA-1 too.