Transitioning Away from MD5 Signed Certificates

Since its discovery of vulnerabilities in 2005, the usage of MD5 as a certificate signing algorithm has been strongly discouraged due to its susceptibility to attacks, posing significant security risks such as data interception and unauthorized access.

Recognizing the urgency to address this issue, we’re taking steps to phase out MD5 support in OpenVPN. However, we understand that transitioning to stronger cryptographic mechanisms may present challenges for some users.

Here’s a condensed version of the transition plan:

1. Awareness: It’s crucial to recognize if your certificates are using MD5 signatures. You can check this using OpenSSL:

    openssl x509 -in ca.crt -noout -text | grep "Signature Algorithm"
   

   If MD5 is detected, it’s recommended to switch to SHA256 or better.

2. Transitional Period: We’ve decided to implement a transitional period until May 2018, during which MD5-signed certificates will still function. However, users are strongly encouraged to migrate to stronger alternatives.

3. Workarounds: If transitioning immediately isn’t feasible, there are temporary workarounds. One option is to adjust the security level in the OpenVPN configuration file (*.ovpn) on the client side:

    tls-cipher "DEFAULT:@SECLEVEL=0"
   

   Note: Setting SECLEVEL=0 allows any algorithm, including MD5. While this is not recommended for long-term security, it can serve as a temporary measure if needed.

4. Support and Resources: For users facing challenges during the transition, we’re committed to providing support and guidance. Resources such as updated software versions, third-party solutions, and manufacturer support can aid in migrating to secure certificate alternatives.

By transitioning away from MD5-signed certificates, users can mitigate security risks and ensure the integrity of their data. We’re here to support this process and ensure a smooth transition to stronger cryptographic mechanisms.