
OpenVPN and SSL notice "please inform your admin to upgrade to a stronger algorithm"

Every time the VPN starts, the OpenVPN client sends the warning
"TLS: received certificate signed with MD5. Please inform your admin to upgrade
to a stronger algorithm, support for MD5 will be dropped at end of apr 2018"

How do I fix this?




This thread was automatically locked due to age.
  • Hi Grupo,

    You have to generate a new certificate under certificate management.

    Look under Remote Access -> SSL -> Advanced to see which certificate you use.

    Here you can see what values are used.

    After you generate the new certificate, change it under Remote Access -> SSL -> Advanced.

    But keep in mind that you have to change the config files for every user.

    When you do this, you can also change the authentication algorithm under Advanced before rolling out the new config files.

    Best Regards
    DKKDG

  • Depending on the power of the processors involved, 2048 with SHA2 might be faster without compression, DKKDG.  What processors are in your UTM and remote device and are transfers faster with or without compression?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi, thanks for the response. I've already done the
    test with the following:

    Cryptographic Setting
    Encryption algorithm: AES-256-CBC
    Authentication algorithm: SHA2 512
    Key size: 4096
    Server certificate: two certificates tried (2048 bit and 4096 bit)
    Key lifetime: 28800

    I tried several combinations, and in each case I deleted and downloaded
    the configuration files again in the OpenVPN client.

    The problem started when the version of the OpenVPN client was
    updated; that is when the message started to appear.

    I do not understand why the message mentions MD5 if
    the original configuration had SHA1.

    Any other ideas?