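Overview
It had been a while since I last played HackTheBox, and when I logged in the openvpn connection failed with an error. Once solved, it turned out to be nothing serious, but I am leaving this post as a reference for anyone in Korea who plays HackTheBox.
For reference, I was on OS X Ventura 13.2 with OpenSSL 3.1 installed.
Symptoms
It would be nice to describe how I resolved each error one by one, but that is a hassle, so I will skip it. The errors I ran into when connecting with openvpn were as follows.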
╭─jako@prompt-mini ~/Downloads
╰─$ openvpn lab_jakan.ovpn 1 ↵
2023-06-18 01:56:37 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-06-18 01:56:37 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-06-18 01:56:37 OpenVPN 2.6.4 aarch64-apple-darwin22.4.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
2023-06-18 01:56:37 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-06-18 01:56:37 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2023-06-18 01:56:37 Cannot load inline certificate file
2023-06-18 01:56:37 Exiting due to fatal error
╭─jako@prompt-mini ~/Downloads
╰─$ openvpn lab_jakan.ovpn 1 ↵
2023-06-18 01:56:53 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-06-18 01:56:53 OpenVPN 2.6.4 aarch64-apple-darwin22.4.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
2023-06-18 01:56:53 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-06-18 01:56:53 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2023-06-18 01:56:53 Cannot load inline certificate file
2023-06-18 01:56:53 Exiting due to fatal error
╭─jako@prompt-mini ~/Downloads
╰─$ openvpn lab_jakan.ovpn 1 ↵
2023-06-18 01:57:13 OpenVPN 2.6.4 aarch64-apple-darwin22.4.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
2023-06-18 01:57:13 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-06-18 01:57:13 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2023-06-18 01:57:13 Cannot load inline certificate file
2023-06-18 01:57:13 Exiting due to fatal error
╭─jako@prompt-mini ~/Downloads
╰─$ openvpn lab_jakan.ovpn 1 ↵
2023-06-18 01:57:44 OpenVPN 2.6.4 aarch64-apple-darwin22.4.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
2023-06-18 01:57:44 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
2023-06-18 01:57:44 Cipher BF-CBC not supported
2023-06-18 01:57:44 Exiting due to fatal error
Solution
If you open the .ovpn file downloaded from HackTheBox, it looks like this.
client
dev tun
proto udp
remote edge-eu-free-1.hackthebox.eu 1337
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
cipher AES-128-CBC
auth SHA256
key-direction 1
<ca>
...
Change it as follows.
client
dev tun
proto udp
remote edge-eu-free-1.hackthebox.eu 1337
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo no # modified
verb 3
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305 # added
data-ciphers-fallback AES-256-CBC # added
tls-cipher "DEFAULT:@SECLEVEL=0" # added
auth SHA256
key-direction 1
<ca>
...
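The "ca md too weak" error is OpenSSL rejecting the digest used to sign a certificate in the profile's <ca> block at its default security level, which is what the @SECLEVEL=0 setting relaxes. As an added example (not from the original post), this Python code reads the signature algorithm of each certificate in <ca> so you can see which digest is involved. SKELETON and SAMPLE_OVPN are constructed inputs, and the OID table covers only a few common algorithms.

```python
import base64
import re

# Signature-algorithm OIDs -> (name, True if the digest is MD5 or SHA-1). Not exhaustive.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(data):
    """Decode OID contents; assumes the first byte holds both leading arcs."""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for byte in data[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def ca_signature_algorithms(ovpn_text):
    """Return [(oid, name, weak)] for each certificate in the inline <ca> block."""
    ca = re.search(r"<ca>(.*?)</ca>", ovpn_text, re.S)
    found = []
    for body in PEM_RE.findall(ca.group(1) if ca else ""):
        der = base64.b64decode("".join(body.split()))
        _, cert_start, _ = read_tlv(der, 0)               # Certificate SEQUENCE
        _, _, tbs_end = read_tlv(der, cert_start)         # skip tbsCertificate
        _, alg_start, _ = read_tlv(der, tbs_end)          # signatureAlgorithm
        _, oid_start, oid_end = read_tlv(der, alg_start)  # its OBJECT IDENTIFIER
        oid = decode_oid(der[oid_start:oid_end])
        found.append((oid,) + SIG_OIDS.get(oid, ("unknown", None)))
    return found

# Constructed DER skeleton (empty tbsCertificate, sha1WithRSAEncryption); not a real certificate.
SKELETON = bytes.fromhex("30143000300d06092a864886f70d0101050500030100")
SAMPLE_OVPN = ("client\n<ca>\n-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SKELETON).decode()
               + "\n-----END CERTIFICATE-----\n</ca>\n")
print(ca_signature_algorithms(SAMPLE_OVPN))
```

For a real profile, pass the file's text to ca_signature_algorithms(); a weak value of True means the CA is signed with MD5 or SHA-1.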
Closing remarks
The symptoms above do not occur if you set the VPN server to US and then connect.
References
https://superuser.com/questions/1737052/openssl-error0a00018essl-routinesca-md-too-weak
https://forum.hackthebox.com/t/lab-access-openvpn-certificate-verify-failed/257102/7