How to change the cipher suite that OpenVPN connect uses on iOS
Posted: Fri Dec 17, 2021 1:50 am
Hi,
I'm using OpenVPN to connect to a remote router via OpenVPN Connect for iOS. I want OpenVPN Connect on my iPhone to use SHA1 instead of SHA384 for the SSL handshake because my OpenVPN server is configured to use SHA1 for this. What do I set in the client .ovpn configuration file to make this possible?
The client logs are showing that my iPhone is trying to use SHA384 for the SSL handshake.
2021-12-16 17:21:11 1
2021-12-16 17:21:11 ----- OpenVPN Start -----
OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-12-16 17:21:11 OpenVPN core 3.git::58b92569 ios arm64 64-bit
2021-12-16 17:21:11 Frame=512/2048/512 mssfix-ctrl=1250
2021-12-16 17:21:11 UNUSED OPTIONS
0 [persist-tun]
1 [persist-key]
2 [data-ciphers] [AES-256-GCM:AES-128-GCM:AES-128-CBC]
3 [data-ciphers-fallback] [AES-128-CBC]
5 [tls-client]
8 [verify-x509-name] [router.pl.bugfocus.com] [name]
11 [explicit-exit-notify]
12 [pull-filter] [ignore] [NTP 10.1.0.1]
13 [pull-filter] [ignore] [dhcp-option NTP 10.1.0.1]
14 [pull-filter] [ignore] [DNS 10.1.0.1]
15 [pull-filter] [ignore] [dhcp-option DNS 10.1.0.1]
16 [DNS] [8.8.8.8]
17 [NTP] [0.pfsense.pool.ntp.org]
18 [NTP] [1.pfsense.pool.ntp.org]
20 [tls-cipher] [TLS_DH_RSA_WITH_AES_256_CBC_SHA]
2021-12-16 17:21:11 EVENT: RESOLVE
2021-12-16 17:21:11 Contacting [<ROUTER_IPV6>]:1194/UDP via UDP
2021-12-16 17:21:11 EVENT: WAIT
2021-12-16 17:21:11 Connecting to [<ROUTER_IPV4>]:1194 (<ROUTER_IPV6>) via UDPv6
2021-12-16 17:21:12 EVENT: CONNECTING
2021-12-16 17:21:12 Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2021-12-16 17:21:12 Creds: Username/Password
2021-12-16 17:21:12 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
IV_BS64DL=1
2021-12-16 17:21:12 VERIFY OK: depth=1, /C=US/ST=California/L=San Bruno/O=Acme, Inc/emailAddress=test@acme.com/CN=internal-ca
2021-12-16 17:21:12 VERIFY OK: depth=0, /C=US/ST=California/L=San Bruno/O=Acme\, Inc/emailAddress=test@acme.com/CN=router.acme.com
2021-12-16 17:21:12 SSL Handshake: CN=router.pl.bugfocus.com, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
.....
Here is the client configuration file for my iPhone:
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-128-CBC
auth SHA1
tls-client
client
remote <ROUTER_PUBLIC_IPv4> 1194 udp4
verify-x509-name "router.acme.com" name
auth-user-pass
remote-cert-tls server
explicit-exit-notify
pull-filter ignore "NTP 10.1.0.1"
pull-filter ignore "dhcp-option NTP 10.1.0.1"
pull-filter ignore "DNS 10.1.0.1"
pull-filter ignore "dhcp-option DNS 10.1.0.1"
DNS 8.8.8.8
NTP 0.pfsense.pool.ntp.org
NTP 1.pfsense.pool.ntp.org
reneg-sec 100
tls-cipher "TLS_DH_RSA_WITH_AES_256_CBC_SHA"
<ca>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
REDACTED
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
REDACTED
-----END OpenVPN Static key V1-----
</tls-auth>
Thank you,
James Pedersen
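As an added illustration that is not part of the original post: the log above actually contains the answer to where each digest comes from, and a small parser makes that visible. The script below (my own code, not from OpenVPN) reads a constructed excerpt built from the post's own log lines and pulls out three facts: the options the client reported as UNUSED, the "Tunnel Options" string it sent to the server, and the negotiated TLS version and cipher suite. The SHA384 in `TLS_AES_256_GCM_SHA384` is the hash built into the TLS 1.3 suite name (used for HKDF and the transcript hash by the TLS library), while `auth SHA1` from the .ovpn file already appears in the Tunnel Options string as the data-channel HMAC digest, and `tls-cipher` is listed as unused by this client build. The function names are my own.

```python
import re

# Constructed sample: lines copied from the OpenVPN Connect log in the post above
# (part of the UNUSED OPTIONS block, the Tunnel Options line and the SSL Handshake line).
SAMPLE_LOG = """\
2021-12-16 17:21:11 UNUSED OPTIONS
0 [persist-tun]
2 [data-ciphers] [AES-256-GCM:AES-128-GCM:AES-128-CBC]
20 [tls-cipher] [TLS_DH_RSA_WITH_AES_256_CBC_SHA]
2021-12-16 17:21:11 EVENT: RESOLVE
2021-12-16 17:21:12 Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2021-12-16 17:21:12 SSL Handshake: CN=router.pl.bugfocus.com, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
"""

TIMESTAMPED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.*)$")
BRACKETED = re.compile(r"\[([^\]]*)\]")
HANDSHAKE = re.compile(r"SSL Handshake: .*?, (TLSv[\d.]+), cipher \S+ (\S+),")


def parse_connect_log(text):
    """Extract the facts in an OpenVPN Connect log that decide which digest is used where."""
    report = {"unused_options": {}, "tunnel_options": {}, "handshake": None}
    in_unused = False
    for raw in text.splitlines():
        m = TIMESTAMPED.match(raw)
        if m is None:
            # Lines without a timestamp inside the UNUSED OPTIONS block look like
            # "20 [tls-cipher] [TLS_DH_RSA_WITH_AES_256_CBC_SHA]": name first, then args.
            if in_unused:
                items = BRACKETED.findall(raw)
                if items:
                    report["unused_options"][items[0]] = items[1:]
            continue
        msg = m.group(1)
        in_unused = msg == "UNUSED OPTIONS"
        if msg.startswith("Tunnel Options:"):
            # Comma-separated "key value" pairs; bare flags get an empty value.
            for item in msg[len("Tunnel Options:"):].split(","):
                key, _, value = item.partition(" ")
                report["tunnel_options"][key] = value
        hs = HANDSHAKE.search(msg)
        if hs:
            report["handshake"] = {"tls_version": hs.group(1), "suite": hs.group(2)}
    return report


def classify(report):
    """Map the parsed facts onto the two different digests the post conflates."""
    hs = report["handshake"] or {}
    suite = hs.get("suite", "")
    # In a TLS 1.3 suite name the trailing _SHAxxx is the HKDF/transcript hash,
    # picked by the TLS library during negotiation, not by OpenVPN's "auth" option.
    m = re.search(r"_(SHA\d+)$", suite)
    return {
        "tls13_negotiated": hs.get("tls_version") == "TLSv1.3",
        "handshake_hash": m.group(1) if m else None,
        # An option the client logs as UNUSED cannot influence the handshake.
        "tls_cipher_ignored": "tls-cipher" in report["unused_options"],
        # "auth" in the Tunnel Options string is the data-channel packet HMAC digest.
        "data_channel_digest": report["tunnel_options"].get("auth"),
    }


if __name__ == "__main__":
    findings = classify(parse_connect_log(SAMPLE_LOG))
    for key, value in findings.items():
        print(f"{key:>22}: {value}")
```

Run against the excerpt, this reports `handshake_hash: SHA384`, `data_channel_digest: SHA1` and `tls_cipher_ignored: True`, which is the whole picture in one place: the client's `auth SHA1` is already matching the server on the data channel (and for the tls-auth HMAC), the SHA384 is a property of the TLS 1.3 suite the handshake negotiated, and the `tls-cipher` line in the .ovpn file was never applied by this client. Whether a given OpenVPN Connect build honors `tls-cipher` or a TLS 1.3 suite restriction is not something the log settles, so any change there should be checked against a fresh log the same way.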