Extreme Control - "Failed reading certificate file" "SSL_CTX_use_certificate:ca md too weak"; SHA1 Certificate Support Deprecation

  • Article Type: Solution
  • Article Number: 000113343
  • Last Modified: 12/28/2023

    Symptoms

    • After upgrading to Extreme Control 23.07 or above, various 802.1x clients fail to authenticate.
    • 802.1x clients using certificates (PEAP, EAP-TLS, EAP-TTLS) are impacted.
    • SHA1 certificate(s), or Control's original SHA1 self-signed untrusted default certificate, are in use.
    • The radiusd service on Extreme Control does not start.
    • Clients are rejected and the following radius.log event is logged:
    2023-08-15 23:19:49,882: Error: tls: (TLS) Failed reading certificate file "/opt/nac/radius/raddb/certs/selfsigned_server.pem": error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

    Environment

    • Extreme Control (NAC)
      • Software Release 23.07.10 and above.
    • 802.1x
    • SHA1

    Cause

    Extreme Control removed support for SHA1-signed certificates by default starting with software release 23.07.10.

    The above failure occurs because Extreme Control has one or more SHA1-signed certificates in the RADIUS or AAA Trusted Certificates configuration, and these are no longer supported.

    An update to OpenSSL 1.1.1f removed support for SHA1-signed certificates, which are now considered obsolete and insecure. As a result, any server or client certificate signed with SHA1 is rejected by OpenSSL.

    OpenSSL enforces this through its SECLEVEL security-level feature, which defaults to SECLEVEL=2. For more information on SECLEVEL, see the Ubuntu OpenSSL and OpenSSL documentation.
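    Before an upgrade, an administrator will want to know which certificates in the RADIUS and AAA Trusted Certificates configuration carry a SHA1 (or MD5) signature and will therefore be refused once OpenSSL enforces SECLEVEL=2. The following Python script is an added example, not Extreme's code and not part of this article: it reads the signatureAlgorithm OID directly out of each certificate in a PEM bundle with a minimal DER walker, so it runs on a host that has no cryptography package installed. The /opt/nac/radius/raddb/certs path is taken from the log line in the Symptoms section; the placeholder certificate the script builds for its own demonstration is constructed and unsigned, and only its signatureAlgorithm field is meaningful.

```python
import base64
import re
import sys

# Signature-algorithm OIDs mapped to (name, digest). OpenSSL's default
# SECLEVEL=2 rejects certificates whose CA signature uses MD5 or SHA1,
# which surfaces as "ca md too weak" in radius.log.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.10040.4.3": ("dsaWithSHA1", "sha1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}
WEAK_DIGESTS = {"md5", "sha1"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    first = content[0]
    parts = ["2", str(first - 80)] if first >= 80 else [str(first // 40), str(first % 40)]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 octet of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = der_read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg_id, _ = der_read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid, _ = der_read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)

def audit_pem(text):
    """(index, algorithm name, rejected_at_seclevel2) for every certificate in a PEM bundle."""
    result = []
    for i, m in enumerate(PEM_RE.finditer(text)):
        der = base64.b64decode("".join(m.group(1).split()))
        oid = signature_algorithm(der)
        name, digest = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
        result.append((i, name, digest in WEAK_DIGESTS))
    return result

# --- constructed test input: a structurally valid but unsigned placeholder certificate ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return der_tlv(0x06, bytes(body))

def placeholder_cert_pem(sig_oid):
    """Constructed PEM whose tbsCertificate is a stub; only signatureAlgorithm is meaningful."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))
    alg_id = der_tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")  # OID + NULL parameters
    sig = der_tlv(0x03, b"\x00" * 17)                            # BIT STRING, 0 unused bits
    b64 = base64.b64encode(der_tlv(0x30, tbs + alg_id + sig)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed bundle: one SHA1-signed and one SHA256-signed placeholder.
SAMPLE_BUNDLE = placeholder_cert_pem("1.2.840.113549.1.1.5") + placeholder_cert_pem("1.2.840.113549.1.1.11")

if __name__ == "__main__":
    # Usage: python3 audit_sha1.py /opt/nac/radius/raddb/certs/*.pem   (no args: constructed sample)
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_BUNDLE)]
    for path, text in sources:
        for idx, name, weak in audit_pem(text):
            print(f"{path} cert#{idx}: {name} {'REJECTED at SECLEVEL=2' if weak else 'ok'}")
```

    Run it against the PEM files the engine loads; any entry reported as REJECTED has to be replaced with a SHA256 or stronger certificate before the engine can run at the default SECLEVEL=2. The same field can be read per file with `openssl x509 -in <file> -noout -text` (look for the Signature Algorithm line); the script is only a convenience for bundles and for hosts where the OpenSSL CLI is not at hand.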

    Resolution

    Extreme strongly recommends updating and replacing the certificates used on Extreme Control with SHA256 or higher. Deprecation and discontinued use of SHA1 is an industry-wide progression which Extreme is now implementing.

    The following workaround can be applied to re-enable SHA1 support in Extreme Control. Extreme does not recommend widespread use of, or reliance on, this workaround. It is provided as a temporary solution, assuming a migration from SHA1 to SHA256 (or above) is underway.

    Please note that the workaround must be applied on each individual Access Control Engine. After the workaround is applied, restart or re-enforce each Access Control Engine to effect the change.

    1. Log into Control via SSH and back up the existing OpenSSL configuration:
       cd /etc/ssl
       cp openssl.cnf openssl.cnf.original
    2. Add the following entries to the openssl.cnf file.
    • Add the openssl_conf = default_conf line under the HOME / RANDFILE statements as shown:
       # This definition stops the following lines choking if HOME isn't
       # defined.
       HOME = .
       RANDFILE = $ENV::HOME/.rnd
       openssl_conf = default_conf
    • Add the following text to the bottom of the file as shown:
       [ default_conf ]
       ssl_conf = ssl_sect

       [ssl_sect]
       system_default = system_default_sect

       [system_default_sect]
       MinProtocol = TLSv1.1
       CipherString = DEFAULT:@SECLEVEL=1

    Additional notes

    The above changes lower the system-wide OpenSSL implementation to SECLEVEL=1 and a minimum protocol of TLS 1.1 in order to re-introduce SHA1 certificate support.

    The workaround is not guaranteed to survive system upgrades and may need to be re-applied.

    The workaround may be flagged by vulnerability scanning software as a result and is provided AS IS.

    See HOW TO Generate a Certificate Signing Request (CSR) and Private Key for Extreme Control and How to update a certificate on an Access Control appliance (NAC) with Extreme Management Center (XMC) or Site Engine.

    Article: extreme-networks.my.site.com/ExtrArticleDetail?an=000113343
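    As an added example (not Extreme's tooling and not part of this article), the following Python script applies the two openssl.cnf edits from the workaround idempotently and can also report which SECLEVEL a given openssl.cnf forces, which is handy for checking whether an engine still carries the workaround after a system upgrade, or still carries it once the SHA1 migration is finished. It assumes the stock layout in which HOME and RANDFILE sit in the unnamed default section at the top of the file; the sample file embedded in it is constructed, not copied from an appliance. One detail the script enforces rather than leaving to hand editing: OpenSSL only honours the openssl_conf directive in the default section, so the line must land before the first [section] header, which is why the article places it directly under RANDFILE.

```python
import re
import sys

# The lines the workaround adds to /etc/ssl/openssl.cnf.
OPENSSL_CONF_LINE = "openssl_conf = default_conf"
SECLEVEL_SECTIONS = [
    "[ default_conf ]",
    "ssl_conf = ssl_sect",
    "",
    "[ssl_sect]",
    "system_default = system_default_sect",
    "",
    "[system_default_sect]",
    "MinProtocol = TLSv1.1",
    "CipherString = DEFAULT:@SECLEVEL=1",
]
SECTION_RE = re.compile(r"^\s*\[\s*([^\]]*?)\s*\]\s*$")

def first_section_index(lines):
    """Index of the first [section] header; everything before it is the default section."""
    for i, line in enumerate(lines):
        if SECTION_RE.match(line):
            return i
    return len(lines)

def has_section(lines, name):
    return any(m and m.group(1) == name for m in map(SECTION_RE.match, lines))

def apply_seclevel_workaround(cnf_text):
    """Return (new_text, changed). Safe to run repeatedly: nothing is duplicated."""
    lines = cnf_text.splitlines()
    changed = False
    head_end = first_section_index(lines)
    # openssl_conf is only read from the default (unnamed) section, so it has to
    # precede the first [section] header. The article places it after RANDFILE.
    if not any(re.match(r"\s*openssl_conf\s*=", l) for l in lines[:head_end]):
        randfile = [i for i, l in enumerate(lines[:head_end]) if re.match(r"\s*RANDFILE\s*=", l)]
        lines.insert(randfile[-1] + 1 if randfile else head_end, OPENSSL_CONF_LINE)
        changed = True
    if not has_section(lines, "system_default_sect"):
        lines += [""] + SECLEVEL_SECTIONS
        changed = True
    return "\n".join(lines) + "\n", changed

def section_values(cnf_text, name):
    """Key/value pairs of one [section] (first occurrence of a key wins), comments ignored."""
    values, current = {}, None
    for line in cnf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current == name and "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            values.setdefault(key.strip(), value.strip())
    return values

def effective_seclevel(cnf_text):
    """SECLEVEL forced by system_default_sect's CipherString, or None when the file
    leaves the OpenSSL default (SECLEVEL=2 on this release) in place."""
    cipher = section_values(cnf_text, "system_default_sect").get("CipherString", "")
    m = re.search(r"@SECLEVEL=(\d)", cipher)
    return int(m.group(1)) if m else None

# Constructed stand-in for the top of a stock openssl.cnf (not copied from an appliance).
SAMPLE_CNF = """\
# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

[ new_oids ]

[ ca ]
default_ca      = CA_default
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:                      # e.g. /etc/ssl/openssl.cnf on the engine
        path = sys.argv[1]
        with open(path) as f:
            original = f.read()
        new_text, changed = apply_seclevel_workaround(original)
        if changed:
            with open(path + ".original", "x") as f:   # "x": never overwrite an earlier backup
                f.write(original)
            with open(path, "w") as f:
                f.write(new_text)
        print(f"{path}: changed={changed} seclevel={effective_seclevel(new_text)}")
    else:
        new_text, changed = apply_seclevel_workaround(SAMPLE_CNF)
        print(new_text)
        print(f"changed={changed} seclevel={effective_seclevel(new_text)}")
```

    Because the second pass reports changed=False and writes nothing, the script can be re-run after an upgrade to find out whether the workaround was lost. Reverting is the reverse of step 1 of the procedure: copy openssl.cnf.original back over openssl.cnf and restart or re-enforce the engine, which returns it to the SECLEVEL=2 default.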