Refusal of weak md certificates #1393

Closed
wingman1487 opened this issue Oct 8, 2021 · 5 comments
wingman1487 commented Oct 8, 2021

To make issues more manageable, I would appreciate it if you fill out the following details as applicable:

General information

  1. Android Version: 11
  2. Android Vendor/Custom ROM: Vendor
  3. Device: Pixel 4 XL
  4. Version of the app (version number/play store version/self-built): 0.7.27

Description of the issue

The last time the VPN worked for me was on 10/05/2021; not sure what changed since then, but I am no longer able to make a connection. I have attached the log file, but the lines below are what started showing up. I haven't made any changes to the Client or Server until today when doing testing, but the only change I've made was to delete and re-import the profile. I am connecting to an AsusWRT Merlin device and using the built-in OpenVPN server on the router. Any help is appreciated!

2021-10-08 16:22:04 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2021-10-08 16:22:04 OpenSSL reported a certificate with a weak hash, please the in app FAQ about weak hashes
2021-10-08 16:22:04 MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file
2021-10-08 16:22:04 MANAGEMENT: Client disconnected
2021-10-08 16:22:04 Cannot load inline certificate file
2021-10-08 16:22:04 Exiting due to fatal error
2021-10-08 16:22:04 Process exited with exit value 1

@wingman1487

While I do understand from the log lines / FAQ that the CA MD cert is too weak, this doesn't seem to be an issue with the OpenVPN Connect app; the same .ovpn file loads and connects just fine with this app. If anyone thinks this might be the issue with the OpenVPN for Android app, let me know what/where I can make a change and see if anything changes.

Str8Ac3s commented Oct 9, 2021

In the OpenVPN Android app, select to edit the profile. Select Advanced, scroll down until you see Enable Custom Options and tick the box if it is not already ticked. Now click on Custom options and add the following line:

--tls-cipher DEFAULT:@SECLEVEL=0

Click OK.

This should make it work but is really just a temporary solution.

schwabe commented Oct 9, 2021

@wingman1487 The OpenVPN Connect app is only on OpenSSL 1.1.1 and if you look at its log closely you might already see warnings about this. When OpenVPN Connect upgrades to OpenSSL 3.0 in the near future, the problem will be present there as well.

schwabe closed this as completed Oct 9, 2021
schwabe changed the title from "VPN no Longer Connecting Since Latest Update" to "Refusal of weak md certificates" Oct 9, 2021

GunbleR commented Oct 9, 2021

Want to confirm it with you.
I'm getting the same error. In config:
cipher is aes256-CBC
auth sha256.
Should I still get this error?

schwabe commented Oct 9, 2021

Yes. cipher and auth are not related to this error.
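
The point made in the thread, that the error comes from the digest used to sign the certificates and not from the `cipher` or `auth` lines, can be checked against a profile with the following added example (not part of the thread or of the app's code). It reads the signature algorithm of every inline `<ca>` and `<cert>` certificate using only the Python standard library; the function names, the choice to flag MD5 and SHA-1 as weak, and the sample profile built from certificate-shaped skeletons (not real certificates) are assumptions of this example.

```python
import base64
import re

# signatureAlgorithm OID bytes -> (name, weak); MD5/SHA-1 as weak is this example's assumption.
SIG_ALGS = {
    bytes.fromhex("2a864886f70d010104"): ("md5WithRSAEncryption", True),
    bytes.fromhex("2a864886f70d010105"): ("sha1WithRSAEncryption", True),
    bytes.fromhex("2a864886f70d01010b"): ("sha256WithRSAEncryption", False),
}
BLOCK_RE = re.compile(r"<(ca|cert)>(.*?)</\1>", re.S)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }."""
    _, start, _ = read_tlv(der, 0)                     # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)               # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)           # AlgorithmIdentifier SEQUENCE
    _, oid_start, oid_end = read_tlv(der, alg_start)   # algorithm OID
    return der[oid_start:oid_end]

def audit_profile(text):
    """Return (block, algorithm, weak) for every inline certificate in a profile."""
    findings = []
    for block, body in BLOCK_RE.findall(text):
        for b64 in PEM_RE.findall(body):
            oid = signature_oid(base64.b64decode(b64))
            findings.append((block, *SIG_ALGS.get(oid, ("unknown OID " + oid.hex(), False))))
    return findings

def skeleton_pem(oid):
    """Constructed sample: certificate-shaped DER holding only a signature OID."""
    alg = b"\x30" + bytes([len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"  # empty tbs, algorithm, empty signature
    b64 = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

# Constructed profile: strong cipher/auth lines, SHA-1-signed CA, SHA-256-signed cert.
SAMPLE = ("cipher AES-256-CBC\nauth SHA256\n"
          "<ca>\n" + skeleton_pem(bytes.fromhex("2a864886f70d010105")) + "</ca>\n"
          "<cert>\n" + skeleton_pem(bytes.fromhex("2a864886f70d01010b")) + "</cert>\n")
```

Calling `audit_profile` on the text of a real `.ovpn` file lists each inline certificate with its signature algorithm; an entry flagged weak is a certificate that has to be reissued with a stronger digest before the `SECLEVEL=0` override can be dropped.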
