MD5 Signature Algorithm Support
Details on why we don't recommend using MD5 as an algorithm and its insecurities.
We recommend not using MD5 as the signature algorithm for a signing certificate due to its possible insecurity. For example, standard home computer equipment takes about eight hours to falsify a certificate signed using MD5. Using MD5 means it’s possible to fake the identity of the server, which opens up the risk of a man-in-the-middle attack. Such an attack leads to the interception of data communication.
You should only support the use of MD5 for older equipment.
We pushed out a security and functionality upgrade of OpenVPN Connect for Android in November 2017 and discovered many people’s devices still used MD5-signed certificates.
For installations still using MD5-signed certificates, we recommend converting to a setup with SHA256-signed certificates. If the devices don’t support this option, we recommend updating them to add the function or replacing them completely.
We have a list of deprecated options and ciphers here: Deprecated Options in OpenVPN.
Refer to these links for more information about MD5 signatures:
To determine if you are using an MD5-type certificate, use this command with openssl as your testing tool:
openssl x509 -in ca.crt -noout -text | grep "Signature Algorithm"
Example result if the certificate is using MD5:
Signature Algorithm: md5WithRSAEncryption
If you see this result on the CA certificate or client certificate, we recommend converting to a properly and securely signed certificate set that uses SHA256 or better.
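The openssl command above reads only the first certificate in a file. The following added example (not part of OpenVPN's documentation or tooling) goes one step further and runs the same check on every certificate in a PEM bundle or in an OpenVPN profile with inline certificate blocks. The function names, the verdict labels and the file names in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the signature algorithm of EVERY certificate in a
# PEM bundle or OpenVPN profile. Function names and labels are assumptions.

# Map an algorithm name, as printed by `openssl x509 -text`, to a verdict.
classify_sigalg() {
    case "$1" in
        '')   echo "UNREADABLE" ;;   # openssl could not parse the block
        md5*) echo "MD5" ;;          # e.g. md5WithRSAEncryption: replace
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512|ED25519)
              echo "OK" ;;
        *)    echo "REVIEW" ;;       # anything else: inspect by hand
    esac
}

# Read `openssl x509 -noout -text` output on stdin, print the algorithm name.
sigalg_from_text() {
    awk -F': ' '/Signature Algorithm:/ { print $2; exit }'
}

# nth_cert FILE N: print the N-th PEM certificate found in FILE.
nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on && n == want               { print }
        /-----END CERTIFICATE-----/   { on = 0 }
    ' "$1"
}

# audit_file FILE: one line per certificate: file, index, algorithm, verdict.
audit_file() {
    total=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    i=1
    while [ "$i" -le "${total:-0}" ]; do
        alg=$(nth_cert "$1" "$i" | openssl x509 -noout -text 2>/dev/null | sigalg_from_text)
        printf '%s cert#%s %s %s\n' "$1" "$i" "${alg:--}" "$(classify_sigalg "$alg")"
        i=$((i + 1))
    done
}

# Usage: sh audit.sh ca.crt client.ovpn ...   (file names are placeholders)
for f in "$@"; do
    audit_file "$f"
done
```

Any line ending in MD5 identifies a certificate that should be reissued with SHA256 or better; REVIEW marks algorithms this example does not classify.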
OpenVPN Access Server doesn’t use MD5-certificate signatures.
For open-source OpenVPN users or users with a third-party device that includes OpenVPN functionality using MD5-type certificates, you should investigate the option to update the software on your device or change the signature algorithm type, if possible.
The default settings of a program like EasyRSA 3, used by open-source OpenVPN for generating client certificates and keys, are pretty secure and will generate certificates that are not signed with MD5.