
OpenVPN throws a "signature digest algorithm too weak" error when I try to connect to a specific VPN.

A common suggestion for a workaround is using the following config:

tls-cipher "DEFAULT:@SECLEVEL=0" 

This works, but I was unable to find any documentation about what SECLEVEL does. Does it just allow the less-secure cipher the VPN server offers? Or does it allow any cipher (e.g. also the null cipher), or does it otherwise lead to a complete compromise of security?


1 Answer


From man 1 ciphers:

The cipher string @SECLEVEL=n can be used at any point to set the security level to n, which should be a number between zero and five, inclusive. See SSL_CTX_set_security_level for a description of what each level means.

And from man 3 SSL_CTX_set_security_level:

Level 0

Everything is permitted. This retains compatibility with previous versions of OpenSSL.

  • I don't understand what is meant by 'everything is permitted'. Does that mean any type of certificate is permitted, or also that no (valid) certificate is permitted? In other words, what does it mean for the security of the connection? Commented Aug 21, 2022 at 12:32
  • @Tom I may be wrong, but I'd assume the "everything" here means "every cipher" (i.e., any encryption algorithm) is accepted. If a certificate is invalid, it will not be accepted, but this is something that will happen way after the cipher is decided. Commented Jul 13, 2023 at 0:06
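The security level is not only a cipher-suite filter: during the TLS handshake OpenSSL copies the SSL security level into the certificate verifier's auth_level, so it also decides which certificate signature digests and key sizes the chain check accepts. The script below is an added example (not code from the question or answer above) that reproduces the situation with the openssl command-line tool: a throwaway CA signs a server certificate with SHA-1, and `openssl verify -auth_level N` applies the same chain check at level N that `@SECLEVEL=N` would apply to the VPN handshake. It also shows that `DEFAULT:@SECLEVEL=0` contains no NULL cipher suites, because `DEFAULT` excludes `eNULL` regardless of level. It assumes an `openssl` binary (1.1.0 or later) on PATH; the subject names `Example Lab CA` and `vpn.example` are made up for the demonstration.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL's "signature digest algorithm too weak"
# rejection and show what @SECLEVEL / -auth_level changes.
# Assumes an openssl binary (1.1.0+) on PATH; all names below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. A throwaway CA, itself signed with SHA-256 (2048-bit RSA passes level 2).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Lab CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. A server certificate that the CA signs with SHA-1: the weak digest that
#    recent OpenSSL builds refuse at security level 1 or 2 and above.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -sha1 -days 2 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null

# Exit status of the chain check at a given security level (0 = accepted).
# -auth_level is the certificate-verifier counterpart of @SECLEVEL.
verify_at_level() {
    openssl verify -auth_level "$1" -CAfile "$WORK/ca.crt" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# Number of suites whose name contains NULL in the expansion of a cipher string.
count_null_ciphers() {
    openssl ciphers "$1" | tr ':' '\n' | grep -c NULL || true
}

for level in 0 1 2; do
    if verify_at_level "$level"; then
        echo "auth_level=$level: SHA-1-signed server certificate accepted"
    else
        echo "auth_level=$level: rejected (signature digest algorithm too weak)"
    fi
done
# Level 0 does not smuggle in null encryption: DEFAULT already excludes eNULL.
echo "NULL suites in DEFAULT:@SECLEVEL=0 : $(count_null_ciphers 'DEFAULT:@SECLEVEL=0')"
echo "NULL suites in eNULL:@SECLEVEL=0   : $(count_null_ciphers 'eNULL:@SECLEVEL=0')"
```

Level 0 accepts the chain and level 2 rejects it on every OpenSSL version with security levels; whether level 1 rejects depends on the version (OpenSSL 3.x stopped accepting SHA-1 certificate signatures at level 1). The practical reading for the question: `@SECLEVEL=0` does not add cipher suites the cipher string excludes, but it does waive the minimum key sizes, the certificate-signature digest strength and the protocol-version floors that levels 1 and above enforce, so the durable fix is to have the VPN server's certificates re-issued with SHA-256 rather than to run at level 0.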
