
Latest MD5 discontinuation warning

Posted: Mon Dec 18, 2017 10:50 pm
by OpenVPN user
Hi,

I'm using OpenVPN Connect on Android 5 and 6 devices. I'm aware OpenVPN will drop MD5 support in April 2018 and has introduced a warning message in the latest Android release.

When I connect to a VPN server using OpenVPN Connect on my devices I get the newly introduced warning message. However, taking a look at the OpenVPN Connect log I cannot see any MD5-hashed certificate. It looks like this:
SSL Handshake : TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
After that the warning message appears in the log file. Am I missing something?

Re: Latest MD5 discontinuation warning

Posted: Tue Dec 19, 2017 12:09 pm
by ordex
This is the negotiated TLS ciphersuite, while the warning is about the algorithm used to sign the server TLS certificate.

You need to grab the certificate file and run:

$ openssl x509 -in $CERTIFICATE_FILE -noout -text | grep "Signature Algorithm"
The output will tell you how the certificate has been signed.

Re: Latest MD5 discontinuation warning

Posted: Tue Dec 19, 2017 4:22 pm
by Magister
So I created an account just for this. Since a previous version of OpenVPN for Android refused to connect, I re-generated all my certificates for server and clients using 4096 and SHA; now on Android I have this warning:

EVENT:WARN info = "TLS:received certificate signed with MD5"
But, all is done with SHA, in my openssl.cnf I have:

default_md	= sha256
and in all my cert I can see:

Signature Algorithm: sha256WithRSAEncryption
so why this MD5 warning?

Re: Latest MD5 discontinuation warning

Posted: Tue Dec 19, 2017 4:41 pm
by ordex
This is interesting - Thanks for reporting. It should absolutely not happen.

Since this is a fresh PKI you just created, would you mind sharing it with me so that I can reproduce the problem here? (I am assuming you have not deployed this PKI yet and you can generate a new one for your purposes).

If it's fine with you, you could send it to antonio at openvpn.net

Thanks

Re: Latest MD5 discontinuation warning

Posted: Wed Dec 20, 2017 6:29 am
by OpenVPN user
Thanks for acknowledging this problem/bug/issue. I see this on Android 5 and 6 devices. I connect to commercial VPNs that do not use MD5 signed certificates in any way (never have, never will) and I still get this warning message. The interesting part is that I do not get the warning every time I connect. It happens intermittently. For me as an app user it seems that the app does not correctly identify MD5 signed certificates and falsely issues warnings.

Re: Latest MD5 discontinuation warning

Posted: Thu Dec 21, 2017 8:17 pm
by parents_it_dept
Thank you for mentioning this. I'm glad I'm not the only one.

I also have only SHA256-signed certificates and the TLS negotiation does not use MD5 either. Added info in case it helps diagnose the issue. These are server-side log entries:
OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017

A scan of all my certificates using the openssl check shows they all are SHA256:
Signature Algorithm: sha256WithRSAEncryption (repeated for every certificate I have)

The logs show the TLS negotiation isn't using MD5 either:
library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA

However, I get the MD5 warning on my newly updated client

Re: Latest MD5 discontinuation warning

Posted: Thu Dec 21, 2017 8:39 pm
by Magister
I sent a certificate to antonio so he can check :)

Re: Latest MD5 discontinuation warning

Posted: Fri Dec 22, 2017 6:07 am
by OpenVPN user
Android app just got updated. So far I have not seen any warnings again using the updated app.

Re: Latest MD5 discontinuation warning

Posted: Fri Dec 22, 2017 7:54 am
by iank
Fixed for me on android 7 after downloading new app update today.

Re: Latest MD5 discontinuation warning

Posted: Fri Dec 22, 2017 7:56 am
by iank
iank wrote:
Fri Dec 22, 2017 7:54 am
Fixed for me on android 7 after downloading new app update today.
Sorry! I thought I was editing my post. Please ignore this reply. I'm new here. Perhaps an admin can delete it.

Re: Latest MD5 discontinuation warning

Posted: Fri Dec 22, 2017 12:36 pm
by Magister
Got the update and no more false warning, so... FIXED :)

Re: Latest MD5 discontinuation warning

Posted: Fri Dec 22, 2017 2:51 pm
by ordex
Glad the upgrade fixed the problem! Thank you all for your feedback.

Re: Latest MD5 discontinuation warning

Posted: Sat Dec 23, 2017 12:36 am
by T84a
I just started getting this. How did you get the update?

I'm on build 1.1.27

Re: Latest MD5 discontinuation warning

Posted: Sat Dec 23, 2017 9:45 am
by ordex
1.1.27 is the latest build. Have you checked your certificates? Are you sure the server is not sending you a certificate signed with MD5?

Re: Latest MD5 discontinuation warning

Posted: Sat Dec 23, 2017 1:21 pm
by T84a
Thanks for the response. How would I check that? By server, I assume you mean my router (Untangle)? Plus, it just started doing this in the last day or so.

Re: Latest MD5 discontinuation warning

Posted: Sat Dec 23, 2017 3:40 pm
by ordex
By server I mean the host running the OpenVPN server - aka the host you connect to with your OpenVPN Client. It can be the router or it can be a remote machine.

You have to grab the server certificate and run the command explained by dazo in this post: viewtopic.php?f=33&t=25179&start=20#p74121

Re: Latest MD5 discontinuation warning

Posted: Sat Dec 23, 2017 3:45 pm
by T84a
Thanks. Why did it just start doing this yesterday? There was a new update recently.

Also, I just read his post and unfortunately it doesn't make sense to me. Is there somewhere else I can get guidance? It worked fine until yesterday.

I looked at my log and I think I'm getting a false positive.

Re: Latest MD5 discontinuation warning

Posted: Sat Dec 23, 2017 6:06 pm
by ordex
As dazo explained in his post, you need to run the following command on the server certificate and see what you get:

$ openssl x509 -in $CERTIFICATE_FILE -noout -text | grep "Signature Algorithm"
This will tell you what algorithm was used to sign the certificate.

This is the only way to confirm if this is a false positive or not.
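The two ordex replies above (Dec 19 and Dec 23) point at the same distinction: the ciphersuite printed in the handshake line (e.g. DHE-RSA-AES256-GCM-SHA384) is negotiated per connection, while the MD5 warning concerns the algorithm recorded inside the certificate itself. The following stdlib-only script is an added example (not OpenVPN's or the Android app's code) that reads that field directly: it walks the DER structure to the outer signatureAlgorithm OID, checks it against the tbsCertificate.signature field that RFC 5280 requires to match, and reports the name, the same value `openssl x509 -noout -text | grep "Signature Algorithm"` prints. The certificate it parses in the usage call is a constructed structural skeleton built by `build_sample_cert()` (dummy signature bytes, no real key), included only so the example runs offline; point the script at a real .crt/.pem file to check a server certificate.

```python
"""Report the signature algorithm of an X.509 certificate (PEM or DER).

Added example, not OpenVPN code.  The OID table covers common RSA and ECDSA
signature algorithms from RFC 3279 / RFC 4055 / RFC 5758; anything else is
reported as "unknown" with its dotted OID so you can look it up.
"""
import base64
import re
import sys

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.113549.1.1.14": "sha224WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)  # base-128 digits, high bit set = more to come
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def _load_der(data):
    """Accept PEM or DER bytes and return the DER encoding."""
    if b"-----BEGIN" in data:
        m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def _tbs_signature_oid(tbs):
    """Read tbsCertificate.signature: [0] version (optional), serialNumber, AlgorithmIdentifier."""
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0          # skip the explicit [0] version if present
    _, _, pos = _read_tlv(tbs, pos)           # serialNumber INTEGER
    _, alg, _ = _read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, oid_bytes, _ = _read_tlv(alg, 0)
    return _decode_oid(oid_bytes)


def signature_algorithm(data):
    """Return (oid, name) for Certificate.signatureAlgorithm, cross-checked with the TBS copy."""
    der = _load_der(data)
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is this a certificate?)")
    _, tbs, pos = _read_tlv(cert, 0)          # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)      # outer signatureAlgorithm
    tag, oid_bytes, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(oid_bytes)
    inner = _tbs_signature_oid(tbs)
    if inner != oid:  # RFC 5280 4.1.1.2: both fields MUST carry the same algorithm
        raise ValueError(f"signature algorithm mismatch: outer {oid}, tbs {inner}")
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def is_md5_signed(data):
    """True when the certificate's own signature uses an MD5-based algorithm."""
    return signature_algorithm(data)[1].startswith("md5")


# --- constructed sample certificate skeleton (NOT a real certificate) ----------
def _tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_sample_cert(sig_oid):
    """Minimal Certificate SEQUENCE with the given signature OID and a dummy signature."""
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")               # AlgorithmIdentifier, NULL params
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg)  # v3, serial 1, signature
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\x00" * 16))     # dummy BIT STRING signatureValue


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()


if __name__ == "__main__":
    # Usage: python check_sig.py server.crt   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else to_pem(build_sample_cert("1.2.840.113549.1.1.11"))
    oid, name = signature_algorithm(data)
    print(f"Signature Algorithm: {name} ({oid}); md5-signed: {is_md5_signed(data)}")
```

Run it against the server certificate (and, to be thorough, the CA certificate that issued it, since a verifier may also object to an MD5-signed issuer): a healthy PKI prints sha256WithRSAEncryption or stronger, matching the grep output the thread shows. The mismatch check is deliberate; a certificate whose two algorithm fields disagree is malformed and should be rejected rather than judged by either copy alone.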

Re: Latest MD5 discontinuation warning

Posted: Sat Dec 23, 2017 6:26 pm
by T84a
Signature Algorithm: sha512WithRSAEncryption

Re: Latest MD5 discontinuation warning

Posted: Sat Dec 23, 2017 7:39 pm
by ordex
Interesting...this should not happen.
Do you see the pop-up upon *every* connection?