Latest MD5 discontinuation warning

Official client software for OpenVPN Access Server and OpenVPN Cloud.
OpenVPN user
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 20, 2010 12:43 pm

Latest MD5 discontinuation warning

Post by OpenVPN user » Mon Dec 18, 2017 10:50 pm

Hi,

I'm using OpenVPN Connect on Android 5 and 6 devices. I'm aware OpenVPN will drop MD5 support in April 2018 and has introduced a warning message in the latest Android release.

When I connect to a VPN server using OpenVPN Connect on my devices, I get the newly introduced warning message. However, taking a look at the OpenVPN Connect log, I cannot see any MD5 hashed certificate. It looks like this:

SSL Handshake : TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA

After that the warning message appears in the log file. Am I missing something?

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Latest MD5 discontinuation warning

Post by ordex » Tue Dec 19, 2017 12:09 pm

This is the negotiated TLS ciphersuite, while the warning is about the algorithm used to sign the server TLS certificate.

You need to grab the certificate file and run:

Code:

$ openssl x509 -in $CERTIFICATE_FILE -noout -text | grep "Signature Algorithm"

The output will tell you how the certificate has been signed.

Magister
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 19, 2017 4:11 pm

Re: Latest MD5 discontinuation warning

Post by Magister » Tue Dec 19, 2017 4:22 pm

So I created an account just for this. Since a previous version of OpenVPN for Android refused to connect, I re-generated all my certificates for server and clients using 4096 and SHA. Now on Android I have this warning:

Code:

EVENT:WARN info = "TLS:received certificate signed with MD5"

But all is done with SHA; in my openssl.cnf I have:

Code:

default_md	= sha256

and in all my certs I can see:

Code:

Signature Algorithm: sha256WithRSAEncryption

So why this MD5 warning?

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Latest MD5 discontinuation warning

Post by ordex » Tue Dec 19, 2017 4:41 pm

This is interesting - Thanks for reporting. It should absolutely not happen.

Since this is a fresh PKI you just created, would you mind sharing it with me so that I can reproduce the problem here? (I am assuming you have not deployed this PKI yet and you can generate a new one for your purposes).

If it's fine with you, you could send it to antonio at openvpn.net

Thanks

OpenVPN user
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 20, 2010 12:43 pm

Re: Latest MD5 discontinuation warning

Post by OpenVPN user » Wed Dec 20, 2017 6:29 am

Thanks for acknowledging this problem/bug/issue. I see this on Android 5 and 6 devices. I connect to commercial VPNs that do not use MD5 signed certificates in any way (never have, never will) and I still get this warning message. The interesting part is that I do not get the warning every time I connect. It happens intermittently. For me as an app user it seems that the app does not correctly identify MD5 signed certificates and falsely issues warnings.

parents_it_dept
OpenVpn Newbie
Posts: 5
Joined: Sun Oct 15, 2017 1:39 am

Re: Latest MD5 discontinuation warning

Post by parents_it_dept » Thu Dec 21, 2017 8:17 pm

Thank you for mentioning this. I'm glad I'm not the only one.

I also have only SHA256 signed certificates and the TLS negotiation does not use MD5 either. Added info in case it helps diagnose the issue. These are server side log entries.
OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017


A scan of all my certificates using the openssl check shows they all are SHA256:
Signature Algorithm: sha256WithRSAEncryption (repeated for every certificate I have)

The logs show the TLS negotiation isn't using MD5 either.
library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

However, I get the MD5 warning on my newly updated client.

Magister
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 19, 2017 4:11 pm

Re: Latest MD5 discontinuation warning

Post by Magister » Thu Dec 21, 2017 8:39 pm

I sent a certificate to antonio so he can check :)

OpenVPN user
OpenVpn Newbie
Posts: 6
Joined: Sat Nov 20, 2010 12:43 pm

Re: Latest MD5 discontinuation warning

Post by OpenVPN user » Fri Dec 22, 2017 6:07 am

Android app just got updated. So far I have not seen any warnings again using the updated app.

iank
OpenVpn Newbie
Posts: 2
Joined: Fri Dec 22, 2017 7:52 am

Re: Latest MD5 discontinuation warning

Post by iank » Fri Dec 22, 2017 7:54 am

Fixed for me on Android 7 after downloading new app update today.
Last edited by iank on Fri Dec 22, 2017 7:57 am, edited 1 time in total.

iank
OpenVpn Newbie
Posts: 2
Joined: Fri Dec 22, 2017 7:52 am

Re: Latest MD5 discontinuation warning

Post by iank » Fri Dec 22, 2017 7:56 am

iank wrote:
Fri Dec 22, 2017 7:54 am
Fixed for me on Android 7 after downloading new app update today.

Sorry! I thought I was editing my post. Please ignore this reply. I'm new here. Perhaps an admin can delete it.

Magister
OpenVpn Newbie
Posts: 3
Joined: Tue Dec 19, 2017 4:11 pm

Re: Latest MD5 discontinuation warning

Post by Magister » Fri Dec 22, 2017 12:36 pm

Got the update and no more false warning, so... FIXED :)

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Latest MD5 discontinuation warning

Post by ordex » Fri Dec 22, 2017 2:51 pm

Glad the upgrade fixed the problem! Thank you all for your feedback.

T84a
OpenVpn Newbie
Posts: 13
Joined: Fri Nov 10, 2017 2:56 am

Re: Latest MD5 discontinuation warning

Post by T84a » Sat Dec 23, 2017 12:36 am

I just started getting this. How did you get the update?

I'm on build 1.1.27

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Latest MD5 discontinuation warning

Post by ordex » Sat Dec 23, 2017 9:45 am

1.1.27 is the latest build. Have you checked your certificates? Are you sure the server is not sending you a certificate signed with MD5?

T84a
OpenVpn Newbie
Posts: 13
Joined: Fri Nov 10, 2017 2:56 am

Re: Latest MD5 discontinuation warning

Post by T84a » Sat Dec 23, 2017 1:21 pm

Thanks for the response. How would I check that? By server, I assume you mean my router (Untangle)? Plus, it just started doing this in the last day or so.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Latest MD5 discontinuation warning

Post by ordex » Sat Dec 23, 2017 3:40 pm

By server I mean the host running the OpenVPN server - aka the host you connect to with your OpenVPN Client. It can be the router or it can be a remote machine.

You have to grab the server certificate and run the command explained by dazo in this post: viewtopic.php?f=33&t=25179&start=20#p74121

T84a
OpenVpn Newbie
Posts: 13
Joined: Fri Nov 10, 2017 2:56 am

Re: Latest MD5 discontinuation warning

Post by T84a » Sat Dec 23, 2017 3:45 pm

Thanks. Why did it just start doing this yesterday? There was a new update recently.

Also, I just read his post and unfortunately it doesn't make sense to me. Is there somewhere else I can get guidance? It worked fine until yesterday.

I looked at my log and I think I'm getting a false positive.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Latest MD5 discontinuation warning

Post by ordex » Sat Dec 23, 2017 6:06 pm

As dazo explained in his post, you need to run the following command on the server certificate and see what you get:

Code:

$ openssl x509 -in $CERTIFICATE_FILE -noout -text | grep "Signature Algorithm"

This will tell you what algorithm was used to sign the certificate.

This is the only way to confirm if this is a false positive or not.

T84a
OpenVpn Newbie
Posts: 13
Joined: Fri Nov 10, 2017 2:56 am

Re: Latest MD5 discontinuation warning

Post by T84a » Sat Dec 23, 2017 6:26 pm

Signature Algorithm: sha512WithRSAEncryption

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Latest MD5 discontinuation warning

Post by ordex » Sat Dec 23, 2017 7:39 pm

Interesting...this should not happen.
Do you see the pop-up upon *every* connection?
