OpenVPN Connect 3.4.0 (5457) - Issues
Posted: Mon Oct 16, 2023 8:13 pm
Like many others, we've been bitten by the 3.4.0 iOS app update.
We use .mobileconfig files to deploy profiles to our users. It deploys misc. settings and the OpenVPN connection settings.
We received the error message: "You are using insecure hash algorithm in CA signature. Please regenerate CA with other hash algorithm."
We created a new .mobileconfig with an embedded CA signature using the option "default_md = sha256" in ca-sign.cnf. Unfortunately, that didn't help. It created a new error message: "Peer certificate verification failed." We're guessing because the CA certificate on the server is not SHA256 signed. Note, the native iOS Settings identified the VPN profile correctly with a signature of "SHA-256 with RSA Encryption" vs. the original "SHA-1 with RSA Encryption". Thankfully, configuring the iOS OpenVPN Connect app to "Insecure" allowed it to connect. Then, in the OpenVPN Connect app log, it correctly verified the CA signature and the embedded company name, e-mail, etc., with "VERIFY OK". It displayed the warning of "...SHA1 signature will be dropped in the future." as expected.
Second problem. We received the error message: "option_error: Neither 'client' nor both 'tls-client' and 'pull' options declared. OpenVPN3 client only supports --client mode." Looks like it's based on this discussion. https://github.com/OpenVPN/openvpn3-linux/issues/160
Thank goodness this link had some helpful hints on how to tweak the .mobileconfig to include "client". Otherwise, we had no idea the iOS config required this setting and this change wasn't an apparent requirement for iOS. https://www.derman.com/blogs/iOS-OpenVPN-OnDemand-Setup
We added "<key>client</key> <string>NOARGS</string>" to the .mobileconfig. This resolved the error.
For now, we'll configure the iOS OpenVPN Connect app to "Insecure" and add the "client" string to .mobileconfig. We won't include the "default_md = sha256" signature in the .mobileconfig since it doesn't resolve anything and still requires the "Insecure" setting. All the other encryption and security settings are in place, so the VPN is secure. Apparently, the CA signature verification with SHA1 would pose a rare hash collision vulnerability.
We'll need to regenerate thousands of profiles to get everyone connected again.
Hope the above helps others out there.
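An added audit script (not from the post above or from OpenVPN) that checks a .mobileconfig for the two problems the post describes: no `client` directive (nor both `tls-client` and `pull`) and an embedded CA whose signature algorithm is SHA-1. It assumes the OpenVPN directives are keys of the VPN payload's VendorConfig dict with flag-style options carrying "NOARGS"; the sample profile and the embedded "certificate" are constructed stand-ins that only exercise the outer DER structure.

```python
import base64, plistlib
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",    # real X.509 signature OIDs
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")

def der_tlv(buf, pos=0):                    # read one DER element: (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):                        # DER OID content bytes -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def ca_signature_algorithm(pem):
    """Name the signature algorithm of the first PEM certificate in an OpenVPN 'ca' block."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, cert, _ = der_tlv(der)               # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, after_tbs = der_tlv(cert)         # skip tbsCertificate
    _, sig_alg, _ = der_tlv(cert, after_tbs)
    _, oid, _ = der_tlv(sig_alg)            # AlgorithmIdentifier.algorithm
    return SIG_OIDS.get(decode_oid(oid), decode_oid(oid))

def check_mobileconfig(plist_bytes):
    """One finding per VPN payload: is client mode declared, and is the CA SHA-1 signed?"""
    findings = []
    for payload in plistlib.loads(plist_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        # Assumption: OpenVPN directives are keys of VPN/VendorConfig, flags carrying "NOARGS".
        vendor = payload.get("VPN", {}).get("VendorConfig", {})
        client_mode = "client" in vendor or ("tls-client" in vendor and "pull" in vendor)
        alg = ca_signature_algorithm(vendor["ca"]) if "ca" in vendor else "missing"
        findings.append({"client_mode": client_mode, "ca_sig": alg, "sha1_ca": alg.startswith("sha1")})
    return findings

def sample_mobileconfig(with_client, oid_bytes):
    """Constructed test profile; the embedded 'certificate' is a structural dummy, not a real CA."""
    alg = b"\x30" + bytes([len(oid_bytes) + 4]) + b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x02\x00\xff"   # dummy tbs, real sigAlg, dummy sig
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    vendor = {"remote": "vpn.example.invalid 1194 udp", "ca": pem}
    if with_client:
        vendor["client"] = "NOARGS"
    return plistlib.dumps({"PayloadContent": [{"PayloadType": "com.apple.vpn.managed", "VPN": {"VendorConfig": vendor}}]})
```

Run `check_mobileconfig(open("profile.mobileconfig", "rb").read())` on a real exported profile; a finding with `client_mode` False or `sha1_ca` True is a profile that will hit the errors quoted in the post.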