Version 0.7.27 and certificate (signature digest algorithm too weak) error

[Quikfix73]

1. Android TV version 9
2. MIBOX 4
3. OpenVPN for Android Version 0.7.27

Description of the issue

I have a bunch of different VPN providers setup in OpenVPN and I noticed that in this new version 0.7.27 one of my providers no longer works and is giving a certificate is too weak error (See screenshot). My other VPN providers that are setup on OpenVPN work fine and I already contacted this one VPN provider (IPVanish) regarding this weak certificate (signature digest algorithm too weak) error and reported this to them.

My questions are:

1. Why does this VPN provider and their certificate no longer work on this latest version of OpenVPN for Android but worked fine three days ago in the previous versions such as version 0.7.24?

2. Is there a checkbox or option that will allow a weak certificate to connect? (as a workaround until the VPN provider gives me a newer and stronger certificate)

This would really help me until the VPN provider gives me a stronger certificate for this new version 0.7.27.

[schwabe]

Yes. Rad the FAQ: https://ics-openvpn.blinkt.de/FAQ.html#weakmd_title and complain to IPVanish for using still old SHA1/MD5 certificates.

[surlyhacker]

The suggested fix in the FAQ doesn't work for me.
I added tls-cipher "DEFAULT:@SECLEVEL=0" as a Custom Option on my client profile. No server side changes.
All certs are using SHA1 signatures.
Client reports this error:

connect() error: SSL_CA_MD_TOO_WEAK: OpenSSLContext: SSL_CTX_use_certificate failed: error:0A00018E:SSL routines::ca md too weak

If I keep the CA and Server certs with SHA1 but use a client cert with a SHA256 signature, the connection attempt gets further but ultimately fails with:

VERIFY FAIL: depth=0, ..., signature: RSA-SHA1 [CA signature digest algorithm too weak]

Any ideas?

Note: I fully understand that the correct fix is to use certs with more secure signatures algorithms. Just trying to temporarily get this workaround to actually work.

[Quikfix73]

Go to discussion page below, I put an example on how you should type the tls-cipher parameter

#1387

[surlyhacker]

Thanks. But it doesn't work.
I've tried both tls-cipher DEFAULT:@SECLEVEL=0 and tls-cipher "DEFAULT:@SECLEVEL=0"
And there is no other tls-cipher line in my config.
I'm assuming there is no syntax issue with this line, since if I set it to something intentionally bogus like tls-cipher aDEFAULT:@SECLEVEL=0, it gives me an error as it should:

connect() error: : ssl_context_error: OpenSSLContext:SSL_CTX_set_cipher_list failed

[schwabe]

The OpenVPN3 core does not stop on syntax errror, it only displays a warning. But that workaround indeed does not seem to work with OpenVPN3. Set tls-cert-profile to insecure instead (under authenticating/encryption)