Config.file Issue IOS only - version 1.2.5 build1

Official client software for OpenVPN Access Server and OpenVPN Cloud.
jochenthomas
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 13, 2015 7:36 pm

Config.file Issue IOS only - version 1.2.5 build1

Post by jochenthomas » Fri Jan 12, 2018 11:21 am

Hi,
below you can find my config file which I wanted to use with version 1.2.5 build1.
The config is working fine on Android or Windows devices/clients but not with OpenVPN Connect on an iOS device.

Please can you let me know what's wrong here?
Error: crypto_alg: RSA-SHA512: not found
Even switching to SHA256 or SHA1 did not do the magic...

```
client
dev tun
proto tcp-client
remote abc.com 1195
float
ncp-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
auth RSA-SHA512
compress lz4
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
xxx
-----END ENCRYPTED PRIVATE KEY-----

</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
</tls-crypt>
resolv-retry infinite
nobind
```

Thanks for any recommendation.

jochenthomas
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 13, 2015 7:36 pm

Re: Config.file Issue IOS only - version 1.2.5 build1

Post by jochenthomas » Fri Jan 12, 2018 11:09 pm

BTW: after deleting "auth RSA-SHA512" for testing, I was at least able to import the ovpn file.
But then I got this:

```
OpenVPN core 3.1.2 ios arm64 64-bit built on Jan 5 2018 23:09:59
2018-01-13 00:00:18 Frame=512/2048/512 mssfix-ctrl=1250
2018-01-13 00:00:18 EVENT: CORE_ERROR mbed TLS: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
```

Maybe this helps for giving any advice.

ahwilson712
OpenVpn Newbie
Posts: 1
Joined: Sat Jan 13, 2018 12:36 am

Re: Config.file Issue IOS only - version 1.2.5 build1

Post by ahwilson712 » Sat Jan 13, 2018 12:38 am

+1 on encountering this issue. Just verified that functionality on a previous version (1.1.1 build 212) works fine.

anatoli
OpenVPN User
Posts: 36
Joined: Sun Nov 17, 2013 8:32 am

Re: Config.file Issue IOS only - version 1.2.5 build1

Post by anatoli » Sat Jan 13, 2018 1:42 am

I remember having issues with 'RSA-*' before. Have you tried just 'auth SHA512'?

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Config.file Issue IOS only - version 1.2.5 build1

Post by ordex » Sat Jan 13, 2018 2:04 am

RSA-SHA* should not be really supported by OpenVPN. We have always used SHA* (without the RSA in front).
However that string is passed to the crypto library, therefore we can't exclude that OpenSSL behaves differently from mbedTLS.

Still, we really just use SHA*.

About the PKCS5 error: that is due to mbedTLS not supporting some particular key encryption schema.
We have opened an issue with mbedTLS and we are waiting for them to accept our patch. In the meantime you can re-encrypt your key with default settings (using openssl from the command line) and that should create a key that mbedTLS can also decrypt.
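
A pre-import check for the two problems identified in this thread, as an added example that is not part of the original posts and not OpenVPN's own code: it flags an `auth` digest written with an `RSA-` prefix and an inline key in encrypted PKCS#8 form, which the reply above says mbedTLS may be unable to decrypt. The function name `lint_profile` and the sample profile are constructed for illustration.

```python
# Constructed sample, trimmed from the profile posted in this thread.
SAMPLE_PROFILE = """client
dev tun
auth RSA-SHA512
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
xxx
-----END ENCRYPTED PRIVATE KEY-----
</key>
nobind
"""

def lint_profile(text):
    """Return (line_no, message) findings for an .ovpn profile (hypothetical helper)."""
    findings = []
    block = None  # name of the inline <tag> block currently open, if any
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if block:
            if line == f"</{block}>":
                block = None
            elif block == "key" and line == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
                # Heads-up only: the thread does not say which encryption
                # schemes fail, so every encrypted PKCS#8 key is reported.
                findings.append((no, "encrypted PKCS#8 key: mbedTLS may not "
                                     "support its encryption scheme; re-encrypt "
                                     "with openssl default settings"))
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block = line[1:-1]  # opening tag of an inline block such as <ca>
            continue
        parts = line.split()
        if parts[0] == "auth" and len(parts) > 1 and parts[1].upper().startswith("RSA-"):
            plain = parts[1][4:]  # digest name without the RSA- prefix
            findings.append((no, f"auth {parts[1]}: use 'auth {plain}' instead"))
    if block:
        findings.append((0, f"unterminated <{block}> block"))
    return findings

if __name__ == "__main__":
    for line_no, message in lint_profile(SAMPLE_PROFILE):
        print(f"line {line_no}: {message}")
```
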

jochenthomas
OpenVpn Newbie
Posts: 5
Joined: Fri Mar 13, 2015 7:36 pm

Re: Config.file Issue IOS only - version 1.2.5 build1

Post by jochenthomas » Sun Jan 14, 2018 9:24 am

Hi,
OK understood and thanks for pointing me to the best direction - will try on Monday and let you know.
