How to change the cipher suite that OpenVPN connect uses on iOS

Official client software for OpenVPN Access Server and OpenVPN Cloud.
jamesp-brightpattern
OpenVpn Newbie
Posts: 16
Joined: Fri Dec 17, 2021 1:34 am

How to change the cipher suite that OpenVPN connect uses on iOS

Post by jamesp-brightpattern » Fri Dec 17, 2021 1:50 am

Hi,

I'm using OpenVPN to connect to a remote router via OpenVPN Connect for iOS. I want OpenVPN Connect on my iPhone to use SHA1 instead of SHA384 for the SSL handshake because my OpenVPN server is configured to use SHA1 for this. What do I set in the client .ovpn configuration file to make this possible?

The client logs are showing that my iPhone is trying to use SHA384 for the SSL handshake.

Code:

2021-12-16 17:21:11 1
2021-12-16 17:21:11 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-12-16 17:21:11 OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-12-16 17:21:11 Frame=512/2048/512 mssfix-ctrl=1250
2021-12-16 17:21:11 UNUSED OPTIONS
0 [persist-tun]
1 [persist-key]
2 [data-ciphers] [AES-256-GCM:AES-128-GCM:AES-128-CBC]
3 [data-ciphers-fallback] [AES-128-CBC]
5 [tls-client]
8 [verify-x509-name] [router.pl.bugfocus.com] [name]
11 [explicit-exit-notify]
12 [pull-filter] [ignore] [NTP 10.1.0.1]
13 [pull-filter] [ignore] [dhcp-option NTP 10.1.0.1]
14 [pull-filter] [ignore] [DNS 10.1.0.1]
15 [pull-filter] [ignore] [dhcp-option DNS 10.1.0.1]
16 [DNS] [8.8.8.8]
17 [NTP] [0.pfsense.pool.ntp.org]
18 [NTP] [1.pfsense.pool.ntp.org]
20 [tls-cipher] [TLS_DH_RSA_WITH_AES_256_CBC_SHA]
2021-12-16 17:21:11 EVENT: RESOLVE
2021-12-16 17:21:11 Contacting [<ROUTER_IPV6>]:1194/UDP via UDP
2021-12-16 17:21:11 EVENT: WAIT
2021-12-16 17:21:11 Connecting to [<ROUTER_IPV4>]:1194 (<ROUTER_IPV6>) via UDPv6
2021-12-16 17:21:12 EVENT: CONNECTING
2021-12-16 17:21:12 Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2021-12-16 17:21:12 Creds: Username/Password
2021-12-16 17:21:12 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
IV_BS64DL=1
2021-12-16 17:21:12 VERIFY OK: depth=1, /C=US/ST=California/L=San Bruno/O=Acme, Inc/emailAddress=test@acme.com/CN=internal-ca
2021-12-16 17:21:12 VERIFY OK: depth=0, /C=US/ST=California/L=San Bruno/O=Acme\, Inc/emailAddress=test@acme.com/CN=router.acme.com
2021-12-16 17:21:12 SSL Handshake: CN=router.pl.bugfocus.com, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
.....
Here is the client configuration file for my iPhone:

Code:

persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-128-CBC
auth SHA1
tls-client
client
remote <ROUTER_PUBLIC_IPv4> 1194 udp4
verify-x509-name "router.acme.com" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
pull-filter ignore "NTP 10.1.0.1"
pull-filter ignore "dhcp-option NTP 10.1.0.1"
pull-filter ignore "DNS 10.1.0.1"
pull-filter ignore "dhcp-option DNS 10.1.0.1"
DNS 8.8.8.8
NTP 0.pfsense.pool.ntp.org
NTP 1.pfsense.pool.ntp.org
reneg-sec 100
tls-cipher "TLS_DH_RSA_WITH_AES_256_CBC_SHA"

<ca>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
REDACTED
-----END OpenVPN Static key V1-----
</tls-auth>
What do I set in the client .ovpn configuration file to get the client to use SHA1 for the SSL handshake instead of SHA384?

Thank you,
James Pedersen

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to change the cipher suite that OpenVPN connect uses on iOS

Post by TinCanTech » Fri Dec 17, 2021 2:28 am

Would you not prefer to have up-to-date security, instead of crap?

jamesp-brightpattern
OpenVpn Newbie
Posts: 16
Joined: Fri Dec 17, 2021 1:34 am

Re: How to change the cipher suite that OpenVPN connect uses on iOS

Post by jamesp-brightpattern » Fri Dec 17, 2021 2:39 am

Ultimately I would like to be using SHA384 on the server and on the clients, but this migration will take time and it's not what our server is set up to use right now.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to change the cipher suite that OpenVPN connect uses on iOS

Post by TinCanTech » Fri Dec 17, 2021 4:33 pm

I believe you need something like:

Code:

tls-cipher "DEFAULT:@SECLEVEL=0"
On both client and server.

I don't use it, so that may not be exactly what you need; try a search...
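As an added diagnostic (written for this thread, not taken from the posts or from OpenVPN), the script below reads an OpenVPN Connect client log like the one posted above and separates three things a reader can then check against the .ovpn: which directives the client silently ignored (the UNUSED OPTIONS block, where tls-cipher appears), the TLS version and cipher suite actually negotiated on the control channel (the SSL Handshake line), and the data-channel HMAC selected by auth (the Tunnel Options line). The sample log and the hostname in it are constructed to mirror the thread's output.

```python
import re

# Constructed sample modelled on the OpenVPN Connect (core 3) log in this thread; not real device output.
SAMPLE_LOG = """\
2021-12-16 17:21:11 UNUSED OPTIONS
0 [persist-tun]
20 [tls-cipher] [TLS_DH_RSA_WITH_AES_256_CBC_SHA]
2021-12-16 17:21:12 Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2021-12-16 17:21:12 SSL Handshake: CN=router.example.com, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
"""

UNUSED_RE = re.compile(r"^\d+ \[([^\]]+)\]")
HANDSHAKE_RE = re.compile(r"SSL Handshake: .*?, (TLSv1\.\d), cipher \S+ (\S+),")
AUTH_RE = re.compile(r"Tunnel Options:.*?\bauth (\w+)")

def unused_options(log):
    """Option names the client parsed but ignored (the 'UNUSED OPTIONS' block)."""
    names, in_block = [], False
    for line in log.splitlines():
        if "UNUSED OPTIONS" in line:
            in_block = True
            continue
        m = UNUSED_RE.match(line) if in_block else None
        if m:
            names.append(m.group(1))
        elif in_block:
            break  # the block ends at the first line that is not 'N [option] ...'
    return names

def handshake_hash(suite):
    """Hash named by a suite suffix: _SHA384 / _SHA256, or a bare _SHA meaning SHA1."""
    m = re.search(r"_SHA(\d*)$", suite)
    return None if m is None else "SHA" + (m.group(1) or "1")

def handshake(log):
    """(TLS version, suite, handshake hash) from the control-channel 'SSL Handshake' line."""
    m = HANDSHAKE_RE.search(log)
    return None if m is None else (m.group(1), m.group(2), handshake_hash(m.group(2)))

def tunnel_auth(log):
    """Data-channel HMAC: the 'auth' field of Tunnel Options, not the TLS suite."""
    m = AUTH_RE.search(log)
    return m.group(1) if m else None

def diagnose(log):
    """Summary to compare against the .ovpn: what was ignored vs. what was negotiated."""
    ignored = unused_options(log)
    ver, suite, hsh = handshake(log) or (None, None, None)
    return {"tls_version": ver, "cipher_suite": suite, "handshake_hash": hsh,
            "data_channel_auth": tunnel_auth(log), "ignored_options": ignored,
            "tls_cipher_applied": "tls-cipher" not in ignored}
```

Run diagnose() over an exported log: if tls_cipher_applied is False, the client never used the tls-cipher line, so whatever suite the SSL Handshake line reports was chosen without it.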

jamesp-brightpattern
OpenVpn Newbie
Posts: 16
Joined: Fri Dec 17, 2021 1:34 am

Re: How to change the cipher suite that OpenVPN connect uses on iOS

Post by jamesp-brightpattern » Fri Jan 14, 2022 5:08 pm

Thank you. At the moment, I no longer have a need to change this cipher suite on iOS, but this is good information that will be useful if I need to do this in the future.
