OpenVPN Connect 3.4.0 (5457) - Issues

Official client software for OpenVPN Access Server and OpenVPN Cloud.
iPhrankie
OpenVPN User
Posts: 20
Joined: Mon Jun 30, 2014 11:04 pm

OpenVPN Connect 3.4.0 (5457) - Issues

Post by iPhrankie » Mon Oct 16, 2023 8:13 pm

Like many others, we've been bitten by the 3.4.0 iOS app update.

We use .mobileconfig files to deploy profiles to our users. It deploys misc. settings and the OpenVPN connection settings.

We received error message: "You are using insecure hash algorithm in CA signature. Please regenerate CA with other hash algorithm."

We created a new .mobileconfig with an embedded CA signature using the option "default_md = sha256" in ca-sign.cnf. Unfortunately, that didn't help. It created a new error message: "Peer certificate verification failed." We're guessing because the CA certificate on the server is not SHA256 signed. Note, the native iOS Settings identified the VPN profile correctly with a signature of "SHA-256 with RSA Encryption" vs. the original "SHA-1 with RSA Encryption". Thankfully, configuring the iOS OpenVPN Connect app to "Insecure" allowed it to connect. Then, in the OpenVPN Connect app log, it correctly verified the CA signature and the embedded company name, e-mail, etc., with "VERIFY OK". It displayed the warning of "...SHA1 signature will be dropped in the future." as expected.

Second problem. We received error message: "option_error: Neither 'client' nor both 'tls-client' and 'pull' options declared. OpenVPN3 client only supports --client mode." Looks like it's based on this discussion. https://github.com/OpenVPN/openvpn3-linux/issues/160

Thank goodness this link had some helpful hints on how to tweak the .mobileconfig to include "client". Otherwise, we had no idea the iOS config required this setting and this change wasn't an apparent requirement for iOS. https://www.derman.com/blogs/iOS-OpenVPN-OnDemand-Setup

We added "<key>client</key> <string>NOARGS</string>" to the .mobileconfig. This resolved the error.

For now, we'll configure the iOS OpenVPN Connect app to "Insecure" and add the "client" string to .mobileconfig. We won't include the "default_md = sha256" signature in the .mobileconfig since it doesn't resolve anything and still requires the "Insecure" setting. All the other encryption and security settings are in place, so the VPN is secure. Apparently, the CA signature verification with SHA1 would pose a rare hash collision vulnerability.

We'll need to regenerate thousands of profiles to get everyone connected again.

Hope the above helps others out there.
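A pre-flight check for the two failures described in this post, added here as an example (not OpenVPN's or Apple's code): it parses a .mobileconfig, confirms the "client" directive is present, and reads the signature algorithm OID of the embedded CA so a SHA-1-signed CA is flagged before the profile is pushed to 3.4.0 clients. It assumes the OpenVPN directives sit in the VPN payload's VendorConfig dictionary (as in the derman.com profile linked above), and the certificate it builds for itself is a constructed DER stub with an empty tbsCertificate, not a real CA.

```python
import base64
import plistlib
import re

SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # sha1WithRSA, ecdsa-with-SHA1
SHA1_RSA = bytes.fromhex("2A864886F70D010105")    # DER content of OID 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # DER content of OID 1.2.840.113549.1.1.11

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, content, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(content):  # decode base-128 OID content bytes to dotted notation
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):  # dotted OID of Certificate.signatureAlgorithm
    _, cert, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, after_tbs = _tlv(cert, 0)       # skip tbsCertificate
    _, sig_alg, _ = _tlv(cert, after_tbs)
    tag, oid, _ = _tlv(sig_alg, 0)        # AlgorithmIdentifier.algorithm
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _oid(oid)

def check_profile(mobileconfig):  # -> {"client": bool, "ca_sig_oid": str|None, "sha1_ca": bool}
    result = {"client": False, "ca_sig_oid": None, "sha1_ca": False}
    for payload in plistlib.loads(mobileconfig).get("PayloadContent", []):
        vendor = payload.get("VendorConfig") or {}  # assumed home of the OpenVPN directives
        result["client"] = result["client"] or "client" in vendor  # 3.4.0 needs 'client'
        if vendor.get("ca"):
            b64 = re.sub(r"-----[^-]+-----|\s", "", vendor["ca"])  # strip PEM armour
            result["ca_sig_oid"] = signature_algorithm(base64.b64decode(b64))
            result["sha1_ca"] = result["ca_sig_oid"] in SHA1_OIDS
    return result

def _enc(tag, body): return bytes([tag, len(body)]) + body  # DER encoder, sample only

def sample_profile(sig_oid, with_client):  # constructed profile with a stub CA cert
    alg = _enc(0x30, _enc(0x06, sig_oid) + b"\x05\x00")            # AlgorithmIdentifier
    der = _enc(0x30, _enc(0x30, b"") + alg + _enc(0x03, b"\x00"))  # empty tbs, alg, sig
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(der).decode()
    vendor = {"ca": pem, **({"client": "NOARGS"} if with_client else {})}
    return plistlib.dumps({"PayloadContent": [{"VendorConfig": vendor}]})
```

Against a real profile, call check_profile(open(path, "rb").read()); a real CA parses too, since only the outer Certificate structure is walked and the tbsCertificate body is skipped.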

MacVador
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 13, 2023 1:37 pm

Re: OpenVPN Connect 3.4.0 (5457) - Issues

Post by MacVador » Tue Oct 17, 2023 9:22 am

Hi iPhrankie,

what do you mean exactly by 'configuring the iOS OpenVPN Connect app to "Insecure"'?
Thx

gbdesai
OpenVpn Newbie
Posts: 2
Joined: Fri Feb 12, 2016 7:44 am

Re: OpenVPN Connect 3.4.0 (5457) - Issues

Post by gbdesai » Wed Oct 18, 2023 5:47 pm

Seems under advanced settings in the OpenVPN client there is an option to allow insecure connections, but it didn't fix the issue for me. I may be missing some other key setting.

dsddipcam
OpenVpn Newbie
Posts: 1
Joined: Thu Oct 19, 2023 2:01 pm

Re: OpenVPN Connect 3.4.0 (5457) - Issues

Post by dsddipcam » Thu Oct 19, 2023 2:18 pm

Thanks iPhrankie.
This solved my problem.
Will SHA 512 solve the error if this option is available on the VPN server?

Verysecure
OpenVpn Newbie
Posts: 4
Joined: Thu Oct 19, 2023 4:27 pm

Re: OpenVPN Connect 3.4.0 (5457) - Issues

Post by Verysecure » Thu Oct 19, 2023 4:40 pm

Triggered by dsddipcam's question "Will SHA 512 solve the error ...": I get the same error message on my iOS client 3.4.0. Various posts explain that the root cause is that a hash algorithm which is currently considered insecure was used.
As an 'average noob' OpenVPN user, I would appreciate some guidance on how to address this. Please correct me if I'm wrong.
My understanding is that I need to go back to my OpenVPN server and regenerate the 'client.ovpn' file, next transfer this file to my iOS device and I should be good again. Obviously, I need to use a better hash algorithm. This is where I have a specific question.
My OpenVPN server is on an Asus router. There are various (advanced) settings I can fine-tune. Which one to change?
Here are (some) of the settings which might relate to the issue at hand:
- Encryption Cypher
- HMAC authentication <<= here I can opt for SHA256
- Authentication mode
- RSA encryption
- Extra HMAC Authorisation
Which one should be changed to address this issue?
(I fully expect your grin as the above clearly shows my limited knowledge on this... )

Verysecure
OpenVpn Newbie
Posts: 4
Joined: Thu Oct 19, 2023 4:27 pm

Re: OpenVPN Connect 3.4.0 (5457) - Issues

Post by Verysecure » Fri Oct 20, 2023 11:15 am

"Asking the question is often the first step in solving it" ...
I found that changing "HMAC authentication" from (in my case) SHA1 to SHA256, renewing the certificate, exporting the .ovpn config file and installing that new .ovpn profile on the clients I used solved the problem (a problem actually caused by me ignoring the warning messages...). See viewtopic.php?t=36104 for a bit more detail in case your OpenVPN server is running on an Asus router.

MacVador
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 13, 2023 1:37 pm

Re: OpenVPN Connect 3.4.0 (5457) - Issues

Post by MacVador » Sat Oct 21, 2023 11:35 am

Hi,
that's right, there is an option in Settings/advanced settings. It does the job for me.
