Official client software for OpenVPN Access Server and OpenVPN Cloud.
-
OpenVPN user
- OpenVpn Newbie
- Posts: 6
- Joined: Sat Nov 20, 2010 12:43 pm
Post by OpenVPN user » Mon Dec 18, 2017 10:50 pm
Hi,
I'm using OpenVPN Connect on Android 5 and 6 devices. I'm aware OpenVPN will drop MD5 support in April 2018 and has introduced a warning message in the latest Android release.
When I connect to a VPN server using OpenVPN Connect on my devices I get the newly introduced warning message. However, taking a look at the OpenVPN Connect log I cannot see any MD5 hashed certificate. It looks like this:
SSL Handshake : TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
After that the warning message appears in the log file. Am I missing something?
-
ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Post by ordex » Tue Dec 19, 2017 12:09 pm
This is the negotiated TLS ciphersuite, while the warning is about the algorithm used to sign the server TLS certificate.
You need to grab the certificate file and run:
Code:
$ openssl x509 -in $CERTIFICATE_FILE -noout -text | grep "Signature Algorithm"
The output will tell you how the certificate has been signed.
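The openssl command above reads the certificate's own signature algorithm field, which is the only thing an "MD5-signed certificate" warning should be keyed on. As an added example (not code from this thread and not OpenVPN's own code), the following Python script does the same check without openssl: it walks the DER encoding of a certificate down to the signatureAlgorithm OID and the matching signature field inside tbsCertificate, names the algorithm the way openssl prints it, and flags MD5/MD2/SHA-1. The certificate it runs on is a constructed, unsigned X.509 skeleton produced by build_sample_cert (an assumption for demonstration only, not a real certificate); any real PEM or DER certificate can be passed to check_certificate instead.

```python
"""Extract the signature algorithm of an X.509 certificate from its DER encoding
using only the standard library. Added example, not from the OpenVPN forum thread."""
import base64
import re

# OID -> name as printed by openssl (subset; RFC 3279, RFC 4055, RFC 8410).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
    "1.3.101.112": "ED25519",
}
WEAK_DIGESTS = ("md2", "md5", "sha1")


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def _alg_id_oid(alg_value):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid_value, _ = _read_tlv(alg_value, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_value)


def pem_to_der(cert):
    """Accept PEM text (str or bytes) or raw DER bytes and return DER bytes."""
    if isinstance(cert, bytes) and cert[:1] == b"\x30":
        return cert
    text = cert.decode("ascii") if isinstance(cert, bytes) else cert
    body = re.sub(r"-----[A-Z ]+-----", "", text)
    return base64.b64decode("".join(body.split()))


def signature_algorithms(cert):
    """Return (outer_oid, inner_oid): Certificate.signatureAlgorithm and the
    TBSCertificate.signature field. RFC 5280 requires the two to be identical."""
    _, cert_value, _ = _read_tlv(pem_to_der(cert), 0)
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs, pos = _read_tlv(cert_value, 0)
    _, outer_alg, _ = _read_tlv(cert_value, pos)
    # TBSCertificate ::= SEQUENCE { version [0] OPTIONAL, serialNumber INTEGER,
    #                               signature AlgorithmIdentifier, ... }
    tag, _, p = _read_tlv(tbs, 0)
    if tag == 0xA0:                        # explicit version tag present: skip it
        tag, _, p = _read_tlv(tbs, p)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, inner_alg, _ = _read_tlv(tbs, p)
    return _alg_id_oid(outer_alg), _alg_id_oid(inner_alg)


def check_certificate(cert):
    """Classify a certificate by its signature algorithm OID (not by the TLS ciphersuite)."""
    outer, inner = signature_algorithms(cert)
    name = SIG_ALG_NAMES.get(outer, outer)
    return {
        "signature_algorithm": name,
        "weak_digest": any(d in name.lower() for d in WEAK_DIGESTS),
        "consistent": outer == inner,
    }


# --- constructed sample input (hypothetical, unsigned X.509 skeleton) ---------

def _der(tag, content):
    """Minimal DER encoder used only to build the sample input."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return out


def build_sample_cert(sig_oid, inner_oid=None):
    """Constructed certificate skeleton: version, serial and signature fields in the
    TBS, then signatureAlgorithm and an empty signatureValue. Not a real certificate."""
    inner_oid = inner_oid or sig_oid

    def alg(oid):
        return _der(0x30, _der(0x06, _encode_oid(oid)) + b"\x05\x00")   # OID + NULL params

    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + _der(0x02, b"\x01") + alg(inner_oid))
    return _der(0x30, tbs + alg(sig_oid) + _der(0x03, b"\x00"))


SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(build_sample_cert("1.2.840.113549.1.1.11")).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(check_certificate(SAMPLE_PEM))
    print(check_certificate(build_sample_cert("1.2.840.113549.1.1.4")))
```

The ciphersuite name quoted earlier in the thread (the trailing "-SHA" in TLS-DHE-RSA-WITH-AES-256-CBC-SHA) names the hash used for the TLS record MAC and PRF; it says nothing about how the server certificate was signed, which is why only the certificate field above can confirm or rule out an MD5 signature. The script also reports whether the outer and inner algorithm fields agree, since a certificate where they differ is malformed per RFC 5280 regardless of which digest it names.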
-
Magister
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Dec 19, 2017 4:11 pm
Post by Magister » Tue Dec 19, 2017 4:22 pm
So I created an account just for this. Since a previous version of OpenVPN for Android refused to connect, I re-generated all my certificates for server and clients using 4096 and SHA; now on Android I have this warning:
Code:
EVENT:WARN info = "TLS:received certificate signed with MD5"
But all is done with SHA; in my openssl.cnf I have:
and in all my certs I can see:
Code:
Signature Algorithm: sha256WithRSAEncryption
so why this MD5 warning?
-
ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Post by ordex » Tue Dec 19, 2017 4:41 pm
This is interesting - Thanks for reporting. It should absolutely not happen.
Since this is a fresh PKI you just created, would you mind sharing it with me so that I can reproduce the problem here? (I am assuming you have not deployed this PKI yet and you can generate a new one for your purposes).
If it's fine with you, you could send it to antonio at openvpn.net
Thanks
-
OpenVPN user
- OpenVpn Newbie
- Posts: 6
- Joined: Sat Nov 20, 2010 12:43 pm
Post by OpenVPN user » Wed Dec 20, 2017 6:29 am
Thanks for acknowledging this problem/bug/issue. I see this on Android 5 and 6 devices. I connect to commercial VPNs that do not use MD5 signed certificates in any way (never have, never will) and I still get this warning message. The interesting part is that I do not get the warning every time I connect. It happens intermittently. For me as an app user it seems that the app does not correctly identify MD5 signed certificates and falsely issues warnings.
-
parents_it_dept
- OpenVpn Newbie
- Posts: 5
- Joined: Sun Oct 15, 2017 1:39 am
Post by parents_it_dept » Thu Dec 21, 2017 8:17 pm
Thank you for mentioning this. I'm glad I'm not the only one.
I also have only SHA256 signed certificates and the TLS negotiation does not use MD5 either. Added info in case it helps diagnose the issue. These are server side log entries.
OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
A scan of all my certificates using the openssl check shows they all are SHA256:
Signature Algorithm: sha256WithRSAEncryption (repeated for every certificate I have)
The logs show the TLS negotiation isn't using MD5 either.
library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
However, I get the MD5 warning on my newly updated client
-
Magister
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Dec 19, 2017 4:11 pm
Post by Magister » Thu Dec 21, 2017 8:39 pm
I sent a certificate to antonio so he can check
-
OpenVPN user
- OpenVpn Newbie
- Posts: 6
- Joined: Sat Nov 20, 2010 12:43 pm
Post by OpenVPN user » Fri Dec 22, 2017 6:07 am
Android app just got updated. So far I have not seen any warnings again using the updated app.
-
iank
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Dec 22, 2017 7:52 am
Post by iank » Fri Dec 22, 2017 7:54 am
Fixed for me on android 7 after downloading new app update today.
Last edited by iank on Fri Dec 22, 2017 7:57 am, edited 1 time in total.
-
iank
- OpenVpn Newbie
- Posts: 2
- Joined: Fri Dec 22, 2017 7:52 am
Post by iank » Fri Dec 22, 2017 7:56 am
iank wrote: Fri Dec 22, 2017 7:54 am
Fixed for me on android 7 after downloading new app update today.
Sorry! I thought I was editing my post. Please ignore this reply. I'm new here. Perhaps an admin can delete it.
-
Magister
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Dec 19, 2017 4:11 pm
Post by Magister » Fri Dec 22, 2017 12:36 pm
Got the update and no more false warning, so... FIXED
-
ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Post by ordex » Fri Dec 22, 2017 2:51 pm
Glad the upgrade fixed the problem! Thank you all for your feedback.
-
T84a
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 10, 2017 2:56 am
Post by T84a » Sat Dec 23, 2017 12:36 am
I just started getting this. How did you get the update.
I'm on build 1.1.27
-
ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Post by ordex » Sat Dec 23, 2017 9:45 am
1.1.27 is the latest build. Have you checked your certificates? Are you sure the server is not sending you a certificate signed with MD5?
-
T84a
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 10, 2017 2:56 am
Post by T84a » Sat Dec 23, 2017 1:21 pm
Thanks for the response. How would I check that? By server, I assume you mean my router (Untangle)? Plus, it just started doing this in the last day or so.
-
ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Post by ordex » Sat Dec 23, 2017 3:40 pm
By server I mean the host running the OpenVPN server - aka the host you connect to with your OpenVPN Client. It can be the router or it can be a remote machine.
You have to grab the server certificate and run the command explained by dazo in this post:
viewtopic.php?f=33&t=25179&start=20#p74121
-
T84a
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 10, 2017 2:56 am
Post by T84a » Sat Dec 23, 2017 3:45 pm
Thanks. Why did it just start doing this yesterday? There was a new update recently.
Also, I just read his post and unfortunately it doesn't make sense to me. Is there somewhere else I can get guidance? It worked fine until yesterday.
I looked at my log and I think I'm getting a false positive.
-
ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Post by ordex » Sat Dec 23, 2017 6:06 pm
As dazo explained in his post, you need to run the following command on the server certificate and see what you get:
Code:
$ openssl x509 -in $CERTIFICATE_FILE -noout -text | grep "Signature Algorithm"
This will tell you what algorithm was used to sign the certificate.
This is the only way to confirm if this is a false positive or not.
-
T84a
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 10, 2017 2:56 am
Post by T84a » Sat Dec 23, 2017 6:26 pm
Signature Algorithm: sha512WithRSAEncryption
-
ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Post by ordex » Sat Dec 23, 2017 7:39 pm
Interesting...this should not happen.
Do you see the pop-up upon *every* connection?