OpenVPN app update 1.2.8 02/20/2018 issue

Official client software for OpenVPN Access Server and OpenVPN Cloud.
jaguiar305
OpenVpn Newbie
Posts: 3
Joined: Tue Feb 20, 2018 4:50 pm

OpenVPN app update 1.2.8 02/20/2018 issue

Post by jaguiar305 » Tue Feb 20, 2018 4:54 pm

Since the app has updated today, I keep getting the message stating that they are dropping MD5 support repeatedly whenever I put my iPhone in standby mode and turn it back on, making my phone unusable until I clear all the notifications. Is there any way to only get one notification and not 20 when I try to use my phone after coming out of standby mode?

Thanks

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: OpenVPN app update 1.2.8 02/20/2018 issue

Post by ordex » Wed Feb 21, 2018 3:30 am

You are right: that message appears every time the client is asked to verify the server certificate (which happens upon every connection to the server).
Every time you connect, you risk that somebody is injecting a malicious certificate and acting as a MITM, because MD5 is not enough to protect you any longer (since .. 5 years I believe?).

Maybe something could be done to reduce the frequency with which it appears, but you should really not use a VPN with MD5 signed certificates.

jaguiar305
OpenVpn Newbie
Posts: 3
Joined: Tue Feb 20, 2018 4:50 pm

Re: OpenVPN app update 1.2.8 02/20/2018 issue

Post by jaguiar305 » Wed Feb 21, 2018 4:18 am

I am waiting on Netgear to update their certificates. This is the only reason I am using it. This new update is really making my phone unusable to the point that I have to manually reboot it for it to work again.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: OpenVPN app update 1.2.8 02/20/2018 issue

Post by ordex » Wed Feb 21, 2018 6:57 am

jaguiar305 wrote:
Wed Feb 21, 2018 4:18 am
> I am waiting on Netgear to update their certificates. This is the only reason I am using it.

Yeah.. this has been reported to them some months ago already, but I doubt it will happen anytime soon :-( Too bad that big manufacturers can't react quickly to security issues.

jaguiar305 wrote:
Wed Feb 21, 2018 4:18 am
> This new update is really making my phone unusable to the point that I have to manually reboot it for it to work again.

Oh ok, that's pretty bad. Do you think several pop-up messages are overlapping to the point that they make the iOS UI unresponsive?

soulianis
OpenVpn Newbie
Posts: 8
Joined: Wed Jul 17, 2013 3:44 pm

Re: OpenVPN app update 1.2.8 02/20/2018 issue

Post by soulianis » Wed Feb 21, 2018 10:32 am

Sometimes the warning message pops up multiple times in a row whenever the device comes back from sleep.

We are already migrating to sha256 signed certs but this takes time because a lot of devices are involved. For that transition period we use two CAs and CRLs, the old one and the new one, in parallel. However, the server certificate is still the old one, otherwise we would immediately lock out those devices which are not updated yet.

My personal device is already updated, so the situation on my device is:

Client certificate - updated, sha256 signed, refers to new CA (sha256 signed)
Both new CA (sha256 signed) and old CA (md5 signed) on device, old CA is needed to verify the server cert (old, md5 signed)

When all devices are updated I plan to switch the server certificate to the new one (sha256 signed) and remove the old CA from the server.
The devices will then have both the new CA and the old CA, which I was sure would not be a problem.

@ordex: If, as you describe above, the warning message is issued during client-side verification of the server cert, then my plan will work. I would be grateful if you could confirm this.

To help me survive the transition without becoming buried in user complaints, limiting the rate of the message popup would be highly appreciated. Or even better, some "I know what I'm doing" option in the server-side configuration to suppress the client-side warning message.

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: OpenVPN app update 1.2.8 02/20/2018 issue

Post by ordex » Wed Feb 21, 2018 11:10 am

soulianis wrote:
Wed Feb 21, 2018 10:32 am
> @ordex: If, as you describe above, the warning message is issued during client-side verification of the server cert, then my plan will work. I would be grateful if you could confirm this.

Yes, that should be the case: the message is triggered when the server certificate is validated and MD5 is found as the signing algorithm.

soulianis wrote:
Wed Feb 21, 2018 10:32 am
> To help me survive the transition without becoming buried in user complaints, limiting the rate of the message popup would be highly appreciated. Or even better, some "I know what I'm doing" option in the server-side configuration to suppress the client-side warning message.

I will post this request internally.
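
The condition ordex describes (the validated server certificate carries an MD5 signature) can be checked offline to see which certificates in a profile still need replacing during a transition like soulianis's. This is an added example, not part of the original posts and not the app's own code; `skeleton`, `DEVICE` and `md5_signed` are hypothetical names, and the sample certificates are constructed stand-ins with dummy contents.

```python
import base64
import re

# DER-encoded OID bodies for the two signature algorithms named in the thread.
SIG_OIDS = {
    "2a864886f70d010104": "md5WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_algorithm(der):
    """Name the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    tag, start, _ = read_tlv(der, 0)                 # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)             # skip tbsCertificate
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate")
    oid = der[oid_start:oid_end].hex()
    return SIG_OIDS.get(oid, "unknown OID " + oid)

def pem_certificates(text):
    """Decode every CERTIFICATE block in a PEM bundle into DER bytes."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode(b) for b in blocks]

def skeleton(oid_hex):
    """Constructed stand-in: real outer layout, dummy tbsCertificate and signature."""
    alg = b"\x30\x0d\x06\x09" + bytes.fromhex(oid_hex) + b"\x05\x00"
    body = b"\x30\x82\x01\x2c" + bytes(300) + alg + b"\x03\x02\x00\x00"
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body

DEVICE = {name: skeleton(oid) for name, oid in [  # constructed device state
    ("client cert", "2a864886f70d01010b"), ("new CA", "2a864886f70d01010b"),
    ("old CA", "2a864886f70d010104"), ("server cert", "2a864886f70d010104")]}

def md5_signed(certs):
    """Names of the certificates whose signature algorithm is MD5-based."""
    return sorted(n for n, der in certs.items() if signature_algorithm(der).startswith("md5"))

print(md5_signed(DEVICE))
```

For real files, feed the result of `pem_certificates()` on a `.pem` file or on the inline `<ca>`/`<cert>` section of a profile to `signature_algorithm()`.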

soulianis
OpenVpn Newbie
Posts: 8
Joined: Wed Jul 17, 2013 3:44 pm

Re: OpenVPN app update 1.2.8 02/20/2018 issue

Post by soulianis » Wed Feb 21, 2018 12:19 pm

ordex wrote:
Wed Feb 21, 2018 11:10 am
> I will post this request internally

Thank you very much.

jaguiar305
OpenVpn Newbie
Posts: 3
Joined: Tue Feb 20, 2018 4:50 pm

Solved

Post by jaguiar305 » Wed Feb 28, 2018 5:51 pm

I have noticed that OpenVPN has fixed my issue with their most recent update from two days ago.

Thanks

soulianis
OpenVpn Newbie
Posts: 8
Joined: Wed Jul 17, 2013 3:44 pm

Re: OpenVPN app update 1.2.8 02/20/2018 issue

Post by soulianis » Thu Mar 01, 2018 1:52 pm

Thank you very much for the quick fix.
