Azure-docs: Using weak certificates on a Linux webapp is prohibited by OpenSSL security level

Created on 30 Apr 2020 · 6 comments · Source: MicrosoftDocs/azure-docs

I'm trying to perform an API call with a certificate signed with SHA1 with RSA encryption. On a Windows app service plan, the call works. On a Linux app service plan, it fails with the error:

The SSL connection could not be established, see inner exception. Authentication failed, see inner exception: Using SSL certificate failed with OpenSSL error - ca md too weak.

That's because the Linux web app uses OpenSSL 1.1.1d, and it's configured to use security level 2 by default, which no longer accepts certificates signed with SHA1 (see the official documentation). They even have a warning on that page highlighting the risks of using a default security level higher than 1:

WARNING at this time setting the security level higher than 1 for general internet use is likely to cause considerable interoperability issues and is not recommended. This is because the SHA1 algorithm is very widely used in certificates and will be rejected at levels higher than 1 because it only offers 80 bits of security.

The default security level can be configured when OpenSSL is compiled by setting -DOPENSSL_TLS_SECURITY_LEVEL=level. If not set then 1 is used.

What can I do to change the security level to 1? I can't edit /etc/ssl/openssl.cnf because the changes I make aren't persisted. Alternatively, is there any way I can configure my Linux box to allow weak certificates?

I'm not the issuer of the certificate, so I can't easily regenerate it.


Labels: Pri1, app-service/svc, cxp, product-question, triaged

All 6 comments

@metoule
Thanks for the feedback! We are currently investigating and will get back on this.

I ended up creating custom Docker images to deploy my webapp.

Dockerfile for a webapp:

````dockerfile
FROM mcr.microsoft.com/appsvc/dotnetcore:3.1-latest_20200502.1

# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
````

Dockerfile for an Azure function:

````dockerfile
FROM mcr.microsoft.com/azure-functions/dotnet:3.0.13614-appservice

# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
````

Hello @metoule, thanks for sharing the solution that worked for you. This will be helpful to others.

We will close this out, but if you feel you need more information please just let us know.
Thanks again for the follow-up and for raising this good feedback!

I have the same issue but I don't want to use docker. I have to use a certificate issued by a supplier and the certificate works on windows but not on linux web app.

The error message is: Could not establish trust relationship for the SSL/TLS secure channel with authority 'xxx.fff.ssss.fff.com'. The SSL connection could not be established, see inner exception. Authentication failed, see inner exception. Using SSL certificate failed with OpenSSL error - ca md too weak.

Is there any workaround?

If you only need this for a webapp, and not for an Azure function, you can use a startup script to update the OpenSSL configuration.

I've written a step-by-step answer on stackoverflow: https://stackoverflow.com/questions/61518238/azure-linux-web-app-change-openssl-default-security-level
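Both approaches in this thread (rebuilding the image, or patching the config from a startup script) rewrite SECLEVEL in /etc/ssl/openssl.cnf with a blind `sed`, which silently does nothing if the base image's config has no such line. As an added example that is not part of this issue, the Azure docs, or the linked Stack Overflow answer, the startup script below makes the same edit on a private copy of the config, fails loudly if no SECLEVEL line existed or the rewrite did not take, and points only the app process at the copy through OPENSSL_CONF so the system file stays at level 2. The paths, WORK_DIR, APP_CMD, the Debian/Ubuntu config layout and the assumption that the app honours OPENSSL_CONF are mine, not the page's.

```shell
#!/bin/sh
# Added example, not code from this issue or from the linked Stack Overflow
# answer: a startup script that lowers OpenSSL's default security level for
# one app and then starts it, with a check that the edit actually took.
# Assumptions (none of these come from the page):
#   - Debian/Ubuntu-style /etc/ssl/openssl.cnf with a line such as
#       CipherString = DEFAULT@SECLEVEL=2
#     under [system_default_sect]
#   - WORK_DIR is a writable directory that survives restarts (App Service
#     mounts persistent storage at /home; treat that as an assumption)
#   - APP_CMD is the command that would otherwise start the app, and the app
#     loads the default OpenSSL config so that OPENSSL_CONF is honoured
set -eu

OPENSSL_CNF="${OPENSSL_CNF:-/etc/ssl/openssl.cnf}"
WORK_DIR="${WORK_DIR:-/home}"
APP_CMD="${APP_CMD:-dotnet MyApp.dll}"   # placeholder, replace with the real entry point

# Print the SECLEVEL carried by the first CipherString line of a config
# file, or "none" when no such line exists.
seclevel_of() {
    lvl=$(sed -n 's/^[[:space:]]*CipherString[[:space:]]*=.*@SECLEVEL=\([0-9]\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${lvl:-none}"
}

# Set the SECLEVEL in a config file. A blind "sed s/SECLEVEL=2/SECLEVEL=1/"
# is a silent no-op when the config has no such line; this version returns 1
# in that case and re-reads the file afterwards, so a failed edit stops the
# startup script instead of surfacing later as "ca md too weak".
set_seclevel() {
    cnf=$1
    level=$2
    case "$level" in
        [0-5]) ;;
        *) echo "set_seclevel: level must be 0-5, got '$level'" >&2; return 2 ;;
    esac
    if [ "$(seclevel_of "$cnf")" = none ]; then
        echo "set_seclevel: no 'CipherString = ...@SECLEVEL=N' line in $cnf" >&2
        return 1
    fi
    tmp=$(mktemp)
    sed "s/\(CipherString[[:space:]]*=.*@SECLEVEL=\)[0-9]/\1${level}/" "$cnf" > "$tmp"
    cat "$tmp" > "$cnf"   # write through, keeping the file's owner and mode
    rm -f "$tmp"
    [ "$(seclevel_of "$cnf")" = "$level" ]
}

# Diagnosis helper: print the signature algorithm of a PEM certificate.
# A CA certificate reporting sha1WithRSAEncryption is what level 2 rejects.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1
}

# Startup flow: patch a private copy of the config and point only this
# process at it via OPENSSL_CONF, leaving the system file at level 2.
main() {
    cnf_copy="$WORK_DIR/openssl-seclevel1.cnf"
    cp "$OPENSSL_CNF" "$cnf_copy"
    set_seclevel "$cnf_copy" 1
    echo "OpenSSL security level $(seclevel_of "$cnf_copy") via $cnf_copy"
    # shellcheck disable=SC2086  (word splitting of APP_CMD is intended)
    OPENSSL_CONF="$cnf_copy" exec $APP_CMD
}

# Run the startup flow only when invoked as "startup.sh --run", so the file
# can also be sourced for its functions.
case "${1:-}" in
    --run) main ;;
esac
```

Use it as the container's startup command with `--run`, and run `cert_sig_alg supplier-ca.pem` on the supplier's CA certificate first to confirm the chain really is SHA-1 signed. Level 1 re-admits SHA-1 signatures for every connection the app makes, not just this API, so remove the downgrade as soon as the supplier reissues the certificate with a stronger signature.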

Thank you @metoule! It worked!
