SSL certificate authentication to DSA fails after upgrading to 14.1.06 version

Article ID: 397071

Products

CA Directory

Issue/Introduction

After upgrading to Symantec Directory 14.1 SP6 (i.e. version 14.1.06), SSL communication to the DSA fails, with the following messages reported in <dsaname>_warn_<timestamp>.log:

[3] 20250507.115919.345 WARN : Verify error 68: CA signature digest algorithm too weak
[3] 20250507.115919.345 WARN : SSL Error
[3] 20250507.115919.345 WARN : 7ff87c133ec8-   16030307 e60b0007 e20007df 0003d830    ...............0
[3] 20250507.115919.345 WARN : 7ff87c133ed8-   8203d430 8202bca0 03020102 020760e5    ...0..........`.
[3] 20250507.115919.345 WARN : 7ff87c133ee8-   b2f685f9 b0300d06 092a8648 86f70d01    .....0...*.H....
[3] 20250507.115919.345 WARN : 7ff87c133ef8-   01050500 307a310b 30090603 55040613    ....0z1.0...U...
[3] 20250507.115919.345 WARN : 7ff87c133f08-   02555331 0c300a06 0355040a 13034942    .US1.0...U....IB
[3] 20250507.115919.345 WARN : 00974683F87F0000:error:0A000086:SSL routines:(unknown function):certificate verify failed:ssl/statem/statem_srvr.c:3523:
[3] 20250507.115919.345 WARN : ssld_ssl_request failed
[3] 20250507.115919.345 WARN : TLS/SSL handshake failed for call from <ip_address>:<port_#>

Cause

The certificate(s) in use are signed with SHA1, which is a weak digest algorithm.

Resolution

This is expected behavior: starting with Directory 14.1.06, the product internally uses OpenSSL 3.0.x. OpenSSL 3.0 and later no longer accept SHA1-signed certificates at security level 1 or higher (level 1 is the default), so certificates signed with SHA1 are no longer trusted for authentication.

OpenSSL 3.0.x also deprecates a number of other weak algorithms.

The resolution is to recreate all SHA1-signed certificates, signing them with a stronger algorithm such as SHA256 or SHA512.
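To decide which certificates need re-issuing, it helps to read the signature digest straight from the certificate bytes, including the truncated hex dump that the DSA writes to the warn log. The following is an added example, not part of this article or of the Directory product: a stdlib-only DER walker that locates the signature AlgorithmIdentifier in tbsCertificate and maps its OID to a digest name. The sample log text is the hex-dump lines quoted above, and the TLS/handshake header offsets it strips are assumed from the standard Certificate message layout.

```python
"""Report the signature digest of an X.509 certificate from its DER bytes.

Only the leading part of the certificate is needed (Certificate ->
tbsCertificate -> signature AlgorithmIdentifier), so the truncated dump in
the DSA warn log is enough to tell which digest the rejected peer
certificate was signed with.  Added example; not product code.
"""
import base64
import re

# Signature algorithm OIDs (RFC 3279 / 4055 / 5758) -> (name, digest)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA512"),
}
# Digests OpenSSL 3.x refuses for certificate signatures at security level 1+
WEAK_DIGESTS = {"MD5", "SHA1"}

# Constructed sample: the hex-dump lines from the warn log in this article.
SAMPLE_WARN_LOG = """\
[3] 20250507.115919.345 WARN : Verify error 68: CA signature digest algorithm too weak
[3] 20250507.115919.345 WARN : SSL Error
[3] 20250507.115919.345 WARN : 7ff87c133ec8-   16030307 e60b0007 e20007df 0003d830    ...............0
[3] 20250507.115919.345 WARN : 7ff87c133ed8-   8203d430 8202bca0 03020102 020760e5    ...0..........`.
[3] 20250507.115919.345 WARN : 7ff87c133ee8-   b2f685f9 b0300d06 092a8648 86f70d01    .....0...*.H....
[3] 20250507.115919.345 WARN : 7ff87c133ef8-   01050500 307a310b 30090603 55040613    ....0z1.0...U...
[3] 20250507.115919.345 WARN : 7ff87c133f08-   02555331 0c300a06 0355040a 13034942    .US1.0...U....IB
"""

# "<address>-   <up to four 8-hex-digit words>   <ascii column>"
HEXDUMP_RE = re.compile(r"-\s+((?:[0-9a-f]{8}\s+){1,4})")


def hexdump_bytes(log_text):
    """Reassemble the dumped bytes from warn-log hex-dump lines, in order."""
    out = bytearray()
    for line in log_text.splitlines():
        m = HEXDUMP_RE.search(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def cert_from_tls_record(buf):
    """Strip the TLS record header (5 bytes), Certificate handshake header
    (4 bytes), certificate_list length (3) and first-certificate length (3)
    that precede the DER in the dump.  Offsets assumed from TLS 1.2 layout."""
    if buf[0] != 0x16 or buf[5] != 0x0B:
        raise ValueError("not a TLS Certificate handshake record")
    return buf[15:]


def read_tlv(buf, pos):
    """Parse one DER tag and length; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode DER OID content bytes into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (oid, name, digest) of tbsCertificate.signature."""
    tag, pos, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, vstart, vend = read_tlv(der, pos)  # optional [0] EXPLICIT version
    if tag == 0xA0:
        tag, vstart, vend = read_tlv(der, vend)
    if tag != 0x02:                         # serialNumber INTEGER
        raise ValueError("expected serialNumber")
    tag, pos, _ = read_tlv(der, vend)       # signature AlgorithmIdentifier
    tag, vstart, vend = read_tlv(der, pos)  # algorithm OID
    if tag != 0x06:
        raise ValueError("expected OID")
    oid = decode_oid(der[vstart:vend])
    name, digest = SIG_ALGS.get(oid, ("unknown", "unknown"))
    return oid, name, digest


def is_weak_signature(der):
    """True when OpenSSL 3.x at the default security level will reject it."""
    return signature_algorithm(der)[2] in WEAK_DIGESTS


def pem_to_der(pem):
    """Convert a PEM certificate (e.g. from the DSA's key store) to DER."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))


if __name__ == "__main__":
    der = cert_from_tls_record(hexdump_bytes(SAMPLE_WARN_LOG))
    print(signature_algorithm(der), "weak" if is_weak_signature(der) else "ok")
```

Run against the quoted log, the walker reports OID 1.2.840.113549.1.1.5 (sha1WithRSAEncryption), which is exactly what "CA signature digest algorithm too weak" refers to; the same `signature_algorithm` call on `pem_to_der(open(path).read())` lets you sweep the DSA's own certificate files and list every one that must be re-signed with SHA256 or stronger before the upgrade.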

For more information, search the web on keywords such as:

  • "Verify error 68: CA signature digest algorithm too weak"
  • "OpenSSL 3.0 and sha1 vulnerability"