Thread Info
  • State Not Answered
  • Replies 5 replies
  • Subscribers 5 subscribers
  • Views 1516 views
  • Users 0 members are here
Options
Suggested

SSL VPN - Cert Error

zeus1976

Hello everyone,

I am using the latest version of Sophos UTM and everything is working very well so far.

Recently I have the problem that I can no longer create an SSL VPN. I work with a SelfSigned Certificate, I have also tried to create a new one with higher encryption, but the problem persists. Do I have to buy a offiicial certificate so that I can use SSL VPN again?

Error Log can be found in the attachment.

Thanks for your help.

Best regards

Parents
  • 0

    SHA-1 is considered unsafe and depreciated.
    Re-generate the CA certificate using a more secure algorithm (at least SHA-256, maybe SHA-512 or even ECDSA.

  • 0 in reply to Alan Brand

    Hi Alan,

    Thank you for your answer.

    I'm a bit confused, maybe because I don't configure the firewall that often anymore.

    But when I go to Certificate Management on the Sophos UTM - I generate a new certificate - but I can't choose the encryption - where can I configure this?

    When I go to Remote Access - SSL VPN and Advanced, I have configured the following:
    AES-256-CBC
    SHA-2 256
    4096bit

    What am I doing wrong? Funnily enough, you are right, SHA1 is always selected, although I have adjusted this for SSL before i generate the new selfsigned certificat.

    Can you give me a hit?

    Best regards

  • 0 in reply to zeus1976

    Are you using p12 files created by the UTM on your client?

    I get this on the clients (which are Fedora laptops) after recent client OS updates:

    nm-openvpn[593966]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
    nm-openvpn[593966]: OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
    nm-openvpn[593966]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption

    This is caused by the outdated version of OpenSSL used on the UTM. Current versions don't support RC2-40-CBC anymore.

    For me the solution was unpack the p12 files on my laptop (Fedora 39) using the openssl --legacy option, create the individual ca.cert. user.cert and user.key files, and than recreate the p12 (I prefer p12's because it keeps the users private key protected).

  • 0 in reply to Harro Verton

    Hello everyone,

    I only do the configuration via Sophos UTM, because I am not so Linux affine.

    Basically I have only renewed the CERT of the firewall (KeySize 2024) and have the SSL configuration on AES256-CBC / SHA2 512 / 4096 bit - with the new certificate. Unfortunately, I still get the SHA1 error.

    Is there a guide that explains step by step how I can solve this problem via the console/PC? I am working with a Windows 10 computer.

    Three additional questions:
    1. can the problem be solved at all via the Sophos UTM -GUI?
    2. is there a guide to solve the problem?
    3. does the SSL VPN work with a self sigend certificate or is a sophos utm issue?

    Many thanks for your help.

    Best regards

  • 0 in reply to zeus1976

    What do you mean by "The CERT"?

    There are several certificates used in an SSL VPN connection, the server side certificate (by default called "Local X509 Cert"), the user certificate (called a "X509 user cert"), and there is the VPN Signing CA certificate, which by default is SHA-1 too.

Reply Children
No Data
Unfiltered HTML