OpenBSD OpenVPN CA SSL certificate too weak error

Hi all!

So I just moved to OpenBSD as my host OS but I’m unable to create the tunnel from the OpenVPN file from HTB. I’ve been trying to understand a bit what the problem is here, and so far it seems that OpenBSD finds the CA too weak. I’ve been trying to bypass those checks to no avail (nor do I think it would be the proper thing to do).

I’m running OpenBSD 7.5 (-current) with OpenVPN 2.6.12. I also installed OpenSSL just to see if it was something related to LibreSSL, but that doesn’t seem to be the case.

This is the output when running openvpn with the HTB config:

2024-09-10 00:28:10 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2024-09-10 00:28:10 OpenVPN 2.6.12 x86_64-unknown-openbsd7.6 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD]
2024-09-10 00:28:10 library versions: LibreSSL 4.0.0, LZO 2.10
2024-09-10 00:28:10 OpenSSL: error:14FFF18E:SSL routines:(UNKNOWN)SSL_internal:ca md too weak:
2024-09-10 00:28:10 Cannot load inline certificate file
2024-09-10 00:28:10 Exiting due to fatal error

Maybe I’m hallucinating and there is something wrong on my part, or I should be asking for help somewhere else, but in any case thank you so much for any feedback!

Hey, not sure if you’ve solved this or not, but I ran into the same problem; you were correct about LibreSSL being the issue.

  1. get openssl3.3: (doas pkg_add openssl)
  2. get openvpn src: Community Downloads - Open Source VPN | OpenVPN
  3. ./configure options (pkg_info -L openssl)
     ./configure OPENSSL_CFLAGS="-I/usr/local/include/eopenssl33" \
                 OPENSSL_LIBS="-L/usr/local/lib/eopenssl33 -lssl -lcrypto"
  4. doas make, doas make install
  5. as root
     export LD_LIBRARY_PATH=/usr/local/lib/eopenssl33:$LD_LIBRARY_PATH
  6. Can verify with: doas openvpn --version
     OpenVPN 2.6.12 x86_64-unknown-openbsd7.6 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD]
     library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
     Originally developed by James Yonan
     Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>

Hey!

Thank you so much for your answer. In the end I gave up on OpenBSD temporarily, as I was having some performance issues that I didn’t want to deal with.

In any case I will bookmark your answer, I appreciate it.
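
The `ca md too weak` error in the log above refers to the message digest used to sign the CA certificate embedded in the config. As an added example (not part of the thread), this Python code reads the inline `<ca>` block of an .ovpn file and reports each certificate's signature algorithm by walking the DER structure directly, so it does not depend on which TLS library is installed. The function names, the constructed sample input and the choice to label MD5 and SHA-1 as weak are assumptions of this example.

```python
import base64
import re

# DER OID bytes -> (signature algorithm, weak digest?). Treating MD5 and SHA-1 as
# weak is this example's assumption; a TLS library's cut-off depends on its version.
SIG_ALGS = {
    "2a864886f70d010104": ("md5WithRSAEncryption", True),
    "2a864886f70d010105": ("sha1WithRSAEncryption", True),
    "2a864886f70d01010b": ("sha256WithRSAEncryption", False),
    "2a8648ce3d040302": ("ecdsa-with-SHA256", False),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def ca_signature_algorithms(ovpn_text):
    """Return (name, weak) for each certificate in the inline <ca> block."""
    block = re.search(r"<ca>(.*?)</ca>", ovpn_text, re.S)
    pems = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      block.group(1) if block else "", re.S)
    found = []
    for pem in pems:
        der = base64.b64decode("".join(pem.split()))
        _, cert_start, _ = read_tlv(der, 0)        # outer Certificate SEQUENCE
        _, _, tbs_end = read_tlv(der, cert_start)  # step over tbsCertificate
        _, alg_start, _ = read_tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
        tag, oid_start, oid_end = read_tlv(der, alg_start)
        if tag != 0x06:
            raise ValueError("expected an OID in signatureAlgorithm")
        oid = der[oid_start:oid_end].hex()
        found.append(SIG_ALGS.get(oid, ("unknown OID " + oid, False)))
    return found

def constructed_ovpn(oid_hex, tbs_len=0):
    """Constructed sample: DER skeleton with a dummy tbsCertificate, not a real CA."""
    def tlv(tag, val):
        head = bytes([len(val)]) if len(val) < 0x80 else b"\x82" + len(val).to_bytes(2, "big")
        return bytes([tag]) + head + val
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    der = tlv(0x30, tlv(0x30, bytes(tbs_len)) + alg + b"\x03\x02\x00\x00")
    return ("client\n<ca>\n-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n</ca>\n")
```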