Re: [Openvpn-users] Compatibility from openvpn 2.4 to 2.7

[Gert D. <ge...@gr...>]

Hi,

On Thu, Oct 16, 2025 at 11:53:51AM +0200, Simon Matter via Openvpn-users wrote:
> I'm trying to upgrade an old openvpn 2.4 based vpn to 2.7.
> The old systems do have openssl 1.x while the new systems on AlmaLinux 10
> will have openssl 3.2.2.

OpenSSL 3.x is much strikter regarding "outdated crypto", so certficates
based on MD5 or SHA1 hash are refused by default.

Try adding "tls-cert-profile legacy" or "tls-cert-profile insecure" to
your config and see if that makes it work (this enables SHA1 and MD5
support).

The error message you see is not the "typical" one, normally it says
something like "MD too weak" in this case.  But it might still help.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             ge...@gr...