Closed mcgeand closed 1 year ago
Ran into the same issue with update 4.3.
For details regarding the issue look here: https://superuser.com/questions/1737052/openssl-error0a00018essl-routinesca-md-too-weak
The link above pretty much gives direction on how to work around the issue/implement a fix.
This is related to the 4.3 update and the updates to OPENSSL/OPENVPN. If you want to be back up and running until there is a workaround implemented in the 4.3.X updates, simply specify the previous release as your image:
image: haugene/transmission-openvpn:4.2
Thank you so much! I'll just roll back for now.
You should leave this issue open. I came here to create this exact issue. Leaving it open will allow the developer to be aware that for certain providers the update 4.3 causes openvpn to not be able to establish a connection. I was simply providing information and a temporary workaround.
True, didn't mean to close! Opened it again!
Moving this as this is more provider related (outdated profiles etc) than container
This is a problem with providers not the image itself. The link already shown does a great job of explaining this issue.
IMO I'd see if new configs are available from the providers affected, or whoever uses them should contact their support to complain that they're using insecure algorithms for signing.
If you're wondering how to check/test.
Copy the "CA" cert out of the config file in question and run the below cmd. Or exclude the grep cmd to see all of the cert contents.
openssl x509 -text -in ca_cert_name.crt | grep -Ei 'md5|sha1'
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
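The check described above, wrapped as a script that reads the inline CA straight out of an OpenVPN profile. This is an added example, not part of the original comment or the project's code; the function names are hypothetical, and it assumes the profile carries its CA between `<ca>` and `</ca>` and that `openssl` is installed.

```bash
#!/usr/bin/env bash
# Added example: report the signature algorithm of the inline <ca>
# certificate in an OpenVPN profile. Function names are hypothetical.

# Print the PEM lines found between <ca> and </ca> in profile $1.
extract_ca() {
  awk '/^[[:space:]]*<ca>/   {in_ca=1; next}
       /^[[:space:]]*<\/ca>/ {in_ca=0}
       in_ca' "$1"
}

# Succeed (exit 0) when the algorithm name contains MD5 or SHA-1,
# the same match as the grep in the comment above.
is_weak_sigalg() {
  printf '%s\n' "$1" | grep -Eiq 'md5|sha1'
}

# Print "<algorithm> WEAK" or "<algorithm> ok" for the first certificate
# in the <ca> block (openssl x509 reads only the first PEM block).
# Returns 1 when weak, 2 when no certificate could be read.
check_ovpn_ca() {
  local alg
  alg=$(extract_ca "$1" | openssl x509 -noout -text 2>/dev/null |
        awk -F': ' '/Signature Algorithm/ {print $2; exit}')
  if [ -z "$alg" ]; then
    echo "no readable CA certificate in $1" >&2
    return 2
  fi
  if is_weak_sigalg "$alg"; then
    echo "$alg WEAK"
    return 1
  fi
  echo "$alg ok"
}

# Run only when a profile path is given on the command line.
if [ "$#" -gt 0 ]; then
  check_ovpn_ca "$1"
fi
```

Saved under any name and run with a profile path as its only argument, it exits non-zero for a CA signed with MD5 or SHA-1, so it can be looped over a directory of provider profiles before upgrading the image.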
@pkishino is there a new tracking issue for this, or linked PR if it's fixed?
The linked issue above discussed this in depth, for a quick fix see here https://github.com/haugene/docker-transmission-openvpn/issues/2453#issuecomment-1334813242
It’s a provider issue, not anything on our end to fix
It is a provider issue, but this was a helpful tracking issue for the upcoming fix with the provider and then eventual integration here.
The other issue you linked to is closed as well.
Indeed a provider issue. VPNUNLIMITED provided a few flags that could be used to essentially bypass the issue with weak encryption
tls-cipher=DEFAULT:@SECLEVEL=0
I originally thought perhaps this was something that might get included in the docker image as an optional environmental variable. VPNUNLIMITED is currently working the issue…. See response in this issue over at gluetun.
https://github.com/qdm12/gluetun/issues/1432
That issue is also closed as it also is simply waiting on the fix from VPNUNLIMITED.
Docker run config used
version: '3.3'
services:
  transmission-openvpn:
    cap_add:
Current Behavior
When the container restarts the logs show a certificate failure related to OpenSSL. Logs show exiting due to fatal error after trying to load the inline Certificate file.
OpenSSL: error:0A00018E:SSL routines::ca md too weak
Expected Behavior
No configurations were changed, updated to the most recent image and container would not load.
How have you tried to solve the problem?
Log output
HW/SW Environment
Anything else?
No response