Error: Insecure Signature Digest Detected

OpenVPN uses what is known as Public Key Infrastructure (PKI) to authenticate and verify VPN connections. As well as letting the server know who can connect, PKI is what ensures that the VPN server you are connecting to is the real server. Without it, an attacker could potentially fool your computer into connecting to an imposter server, for example by using a man-in-the-middle (MITM) attack, and monitor your network traffic. PKI is considered highly secure when implemented correctly.

As part of PKI, the OpenVPN server and every client are each issued an "identity" (consisting of a certificate file and a private key). These are generated by a Certificate Authority (CA), so the OpenVPN server and clients also come with a CA file, which is used to verify that each identity is valid. You can find these files under the "Authentication" tab when editing your connection in Viscosity.

PKI uses cryptography to verify that a certificate is valid and hasn't been forged or faked by an attacker. It does this by generating a secure "signature" for each certificate. Part of generating this signature involves creating a "digest" (also known as a "hash") of the certificate using a digest algorithm. The algorithm used depends on the settings your VPN Provider used when setting up the OpenVPN server and generating the PKI files.

If you are seeing the "Error: Insecure Signature Digest Detected" message in the OpenVPN log, or seeing the window below, it means that the digest algorithm used in one of the certificates listed above is not secure. As a result, an attacker could pretend to be the OpenVPN server you are connecting to and monitor all of your VPN network traffic. You may also see SSL errors in the connection log, such as "SSL_CTX_use_certificate:ca md too weak" or "CA signature digest algorithm too weak".

While Viscosity provides an option to "Allow insecure signature digests for this connection", this option should be used with care and considered temporary. You should immediately contact your VPN Provider and ask for updated PKI files that use a secure digest algorithm. If you manage your own OpenVPN server, you should generate them yourself (for example by using the OpenVPN Configuration Generator).

Signature digest algorithms that are considered insecure by OpenSSL include MD5 and SHA1. These can both potentially allow a forged certificate to be accepted. Popular algorithms that are currently considered secure include SHA256, SHA384 and SHA512.
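To find out which of your PKI files triggers the error, you can read the signature algorithm recorded in each certificate. The following is an added example, not code from Viscosity or OpenVPN: the function names are hypothetical, and `skeleton_pem` builds constructed, certificate-shaped sample input rather than a valid certificate.

```python
import base64
import re

# DER bytes (hex) of X.509 signature-algorithm OIDs -> digest; others report "unknown".
SIG_OIDS = {
    "2a864886f70d010104": "MD5",     # md5WithRSAEncryption
    "2a864886f70d010105": "SHA1",    # sha1WithRSAEncryption
    "2a864886f70d01010b": "SHA256",  # sha256WithRSAEncryption
    "2a864886f70d01010c": "SHA384", "2a864886f70d01010d": "SHA512",
    "2a8648ce3d0401": "SHA1",        # ecdsa-with-SHA1
    "2a8648ce3d040302": "SHA256",    # ecdsa-with-SHA256
    "2a8648ce3d040303": "SHA384", "2a8648ce3d040304": "SHA512",
}
INSECURE = {"MD5", "SHA1"}  # the digests this page names as insecure
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_digest(der):
    """Digest named by the certificate's outer signatureAlgorithm field."""
    _, cert_start, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)    # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)     # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return SIG_OIDS.get(der[oid_start:oid_end].hex(), "unknown")

def audit_pem(text):
    """Return (digest, verdict) for every certificate found in PEM text."""
    found = [signature_digest(base64.b64decode(b)) for b in PEM_RE.findall(text)]
    return [(d, "insecure" if d in INSECURE else "unknown" if d == "unknown" else "ok")
            for d in found]

def skeleton_pem(oid_hex):
    """Constructed sample: certificate-shaped DER skeleton (empty tbs, empty signature)."""
    oid = bytes.fromhex(oid_hex)
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    der = bytes([0x30, len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
```

Pass `audit_pem` the text of your CA or certificate file; any entry reported as "insecure" is a certificate that needs to be reissued with SHA256 or stronger.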