I'm using OpenVPN to connect to a remote router via OpenVPN Connect for iOS. I want OpenVPN Connect on my iPhone to use SHA1 instead of SHA384 for the SSL handshake because my OpenVPN server is configured to use SHA1 for this. What do I set in the client .ovpn configuration file to make this possible?
The client logs are showing that my iPhone is trying to use SHA384 for the SSL handshake.
Code:
2021-12-16 17:21:11 1
2021-12-16 17:21:11 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-12-16 17:21:11 OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-12-16 17:21:11 Frame=512/2048/512 mssfix-ctrl=1250
2021-12-16 17:21:11 UNUSED OPTIONS
0 [persist-tun]
1 [persist-key]
2 [data-ciphers] [AES-256-GCM:AES-128-GCM:AES-128-CBC]
3 [data-ciphers-fallback] [AES-128-CBC]
5 [tls-client]
8 [verify-x509-name] [router.pl.bugfocus.com] [name]
11 [explicit-exit-notify]
12 [pull-filter] [ignore] [NTP 10.1.0.1]
13 [pull-filter] [ignore] [dhcp-option NTP 10.1.0.1]
14 [pull-filter] [ignore] [DNS 10.1.0.1]
15 [pull-filter] [ignore] [dhcp-option DNS 10.1.0.1]
16 [DNS] [8.8.8.8]
17 [NTP] [0.pfsense.pool.ntp.org]
18 [NTP] [1.pfsense.pool.ntp.org]
20 [tls-cipher] [TLS_DH_RSA_WITH_AES_256_CBC_SHA]
2021-12-16 17:21:11 EVENT: RESOLVE
2021-12-16 17:21:11 Contacting [<ROUTER_IPV6>]:1194/UDP via UDP
2021-12-16 17:21:11 EVENT: WAIT
2021-12-16 17:21:11 Connecting to [<ROUTER_IPV4>]:1194 (<ROUTER_IPV6>) via UDPv6
2021-12-16 17:21:12 EVENT: CONNECTING
2021-12-16 17:21:12 Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2021-12-16 17:21:12 Creds: Username/Password
2021-12-16 17:21:12 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
IV_BS64DL=1
2021-12-16 17:21:12 VERIFY OK: depth=1, /C=US/ST=California/L=San Bruno/O=Acme, Inc/emailAddress=test@acme.com/CN=internal-ca
2021-12-16 17:21:12 VERIFY OK: depth=0, /C=US/ST=California/L=San Bruno/O=Acme\, Inc/emailAddress=test@acme.com/CN=router.acme.com
2021-12-16 17:21:12 SSL Handshake: CN=router.pl.bugfocus.com, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
.....
Code:
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-128-CBC
auth SHA1
tls-client
client
remote <ROUTER_PUBLIC_IPv4> 1194 udp4
verify-x509-name "router.acme.com" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
pull-filter ignore "NTP 10.1.0.1"
pull-filter ignore "dhcp-option NTP 10.1.0.1"
pull-filter ignore "DNS 10.1.0.1"
pull-filter ignore "dhcp-option DNS 10.1.0.1"
DNS 8.8.8.8
NTP 0.pfsense.pool.ntp.org
NTP 1.pfsense.pool.ntp.org
reneg-sec 100
tls-cipher "TLS_DH_RSA_WITH_AES_256_CBC_SHA"
<ca>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
REDACTED
-----END OpenVPN Static key V1-----
</tls-auth>
Thank you,
James Pedersen
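As an added diagnostic (not part of the post above, and not OpenVPN's own tooling), the script below parses the OpenVPN Connect log format shown in the post: it reports the negotiated TLS version and handshake cipher suite, the data-channel `cipher` and `auth` values from the Tunnel Options line, and which configuration options the client listed under UNUSED OPTIONS. The SHA384 in TLS_AES_256_GCM_SHA384 names the hash of the TLS 1.3 cipher suite; the data-channel HMAC is the separate `auth` value, which this log reports as SHA1. The sample lines are copied from the post's log.

```python
import re

# Sample input: a subset of the OpenVPN Connect log lines quoted in the post.
SAMPLE_LOG = """\
2021-12-16 17:21:11 UNUSED OPTIONS
0 [persist-tun]
5 [tls-client]
20 [tls-cipher] [TLS_DH_RSA_WITH_AES_256_CBC_SHA]
2021-12-16 17:21:11 EVENT: RESOLVE
2021-12-16 17:21:12 Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2021-12-16 17:21:12 SSL Handshake: CN=router.pl.bugfocus.com, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
"""

TS = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
UNUSED_RE = re.compile(r"^\d+ \[([^\]]+)\]")          # e.g. "20 [tls-cipher] [...]"
HANDSHAKE_RE = re.compile(TS + r"SSL Handshake: .*?(TLSv1\.[0-3]), cipher \S+ ([^,\s]+)")
TUNNEL_RE = re.compile(TS + r"Tunnel Options:(.*)$")


def triage(log: str) -> dict:
    """Summarise what the client negotiated versus what its config asked for."""
    result = {"tls_version": None, "handshake_suite": None,
              "data_cipher": None, "data_auth": None, "unused": []}
    in_unused = False
    for line in log.splitlines():
        if line.endswith("UNUSED OPTIONS"):
            in_unused = True
            continue
        if in_unused:
            m = UNUSED_RE.match(line)
            if m:
                result["unused"].append(m.group(1))
                continue
            in_unused = False  # the next timestamped line ends the block
        if m := HANDSHAKE_RE.match(line):
            result["tls_version"], result["handshake_suite"] = m.groups()
        elif m := TUNNEL_RE.match(line):
            # "cipher BF-CBC,auth SHA1,..." -> {"cipher": "BF-CBC", "auth": "SHA1", ...}
            opts = dict(kv.split(" ", 1) for kv in m.group(1).split(",") if " " in kv)
            result["data_cipher"] = opts.get("cipher")
            result["data_auth"] = opts.get("auth")  # data-channel HMAC, not the TLS suite hash
    # An option echoed under UNUSED OPTIONS was parsed but not applied by the client.
    result["tls_cipher_applied"] = "tls-cipher" not in result["unused"]
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```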