
Latest version 2.4.5 does not connect with VPN servers

Open gjf opened this issue 6 years ago • 16 comments

v2.4.5 cannot connect to already configured VPN servers with self-signed certificates, showing an error like "OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed".

2.4.4 connects OK with the same server settings and ovpn configuration files.

gjf avatar Mar 16 '18 13:03 gjf

2.4.5 is built with openssl 1.1.0, so it will reject weak signature algorithms like MD5 -- if that is the case, the logs will show a line above the one you posted with "VERIFY ERROR: ..... signature digest algorithm too weak".

If so, try to convince the server admin to upgrade the server certificate. No excuse for using MD5 in certificates. If that is not an option you could run with --tls-cipher DEFAULT:@SECLEVEL=0, but it's not recommended.

selvanair avatar Mar 16 '18 14:03 selvanair

I am not sure about MD5, anyway - the VPN server is running on an Asus router and I don't know whether it will allow changing the signature algorithm. tls-cipher DEFAULT:@SECLEVEL=0 works well, thank you.

gjf avatar Mar 17 '18 13:03 gjf

SECLEVEL=0 is only a temporary quick fix -- do not use it as a long-term solution.

selvanair avatar Mar 17 '18 15:03 selvanair

Why?

gjf avatar Mar 17 '18 21:03 gjf

Because MD5 is too weak and that option just makes openssl shut up and accept broken/weak algorithms. Update the server certificate to use a stronger hash algorithm like sha256. It's easy to do and irresponsible not to.

I wish I had never mentioned SECLEVEL=0.

On Sat, Mar 17, 2018 at 5:00 PM, gjf [email protected] wrote:

Why?


selvanair avatar Mar 17 '18 21:03 selvanair

I am going to discuss it with firmware developer.

gjf avatar Mar 17 '18 21:03 gjf

@selvanair This is exactly what we need: a short temporary fix, but that's the only solution ATM until we can regenerate our certificates.

Can you please help me set this up?

I'm on openSUSE and I just can't connect to VPN. Where do I set this? I've looked everywhere (except in the right place, naturally).

maverick74 avatar May 23 '18 19:05 maverick74

You add that option to the client config.

selvanair avatar May 23 '18 19:05 selvanair

@selvanair Yes, but where's that? On the command line? In the config file? In NetworkManager?

maverick74 avatar May 24 '18 08:05 maverick74

Let me say this first: working around MD5 certificates is not the right solution -- especially so for someone who has no clue how to add a config option. Get the server admin to update the certificate.

That said, config options can go into the command line or the config file. Front ends like NM have their own way of inputting options and not all options may be supported that way -- but eventually the option has to end up on the command line or the config file of the openvpn process. I've no idea how you are running openvpn on your SUSE desktop. I use Debian and all my configs are text files in /etc/openvpn/ in case that helps.

Anyway, if you are not asking about the OpenVPN Windows GUI, this is the wrong place :) Seeking help in the users IRC channel (openvpn on irc.freenode.net) may be more appropriate -- also see https://community.openvpn.net/openvpn/wiki/GettingHelp

selvanair avatar May 24 '18 14:05 selvanair

I understand your concerns and I thank you for your advice! :)

I only asked where/how because I already tried all the steps you talked about before starting to ask for help...

I tried the terminal - that somehow does not allow me to use the command - and adding the config option to the file you mentioned (which in SUSE is in that directory as well). Using NM, I do not find any place I can use to either activate the option or set the command to be used.

Those "weird" results are the reason I asked for detailed instructions (going to things as simple as adding the option to the config file). I think I should be humble enough to consider that it is I who is getting some small detail wrong.

That said, I'll try to get around this in IRC, then. Thank you for the reply & help :)

maverick74 avatar May 24 '18 15:05 maverick74

We do not have any MD5 signed certificates. Would the same error be thrown when the local CA is signed with SHA1, but the client certificate is signed with SHA256? I believe the WEBCA forum mentioned this problem over a year ago.

rjt avatar Sep 18 '18 16:09 rjt

SHA1 is considered too weak and has been deprecated as well. SHA256 should be good.

ssameer avatar Oct 06 '18 15:10 ssameer

Hi,

On Sat, Oct 06, 2018 at 08:39:30AM -0700, ssameer wrote:

SHA1 is considered too weak and has been deprecated as well. SHA256 should be good.

For HMAC usage, SHA1 is still fine. Just not for certificates.

Even MD5 hasn't been broken for HMAC.

gert

-- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany [email protected]

cron2 avatar Oct 06 '18 20:10 cron2

Actually, the bug in openvpn is that it outputs something like

TLS_ERROR: BIO read tls_read_plaintext error

instead of a human-readable message about the low security of MD5 hashes. This should be fixed.

saur0n avatar Nov 13 '18 13:11 saur0n

If the error is due to weak hash in the certificate, the logs will also show something like: "VERIFY ERROR: ..... signature digest algorithm too weak".

selvanair avatar Nov 13 '18 15:11 selvanair
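An added example (not from this thread or from OpenVPN itself) that applies the diagnosis given above: it scans constructed OpenVPN log lines for the weak-digest VERIFY ERROR that precedes the generic "certificate verify failed" line, and audits a client config for a lingering tls-cipher DEFAULT:@SECLEVEL=0 workaround that should be removed once the certificate has been reissued with SHA256. The log lines, the config and the function names are my own constructions, modelled on the messages quoted in the thread.

```python
import re

# Constructed sample log lines, modelled on the messages quoted in this thread.
SAMPLE_LOG = """\
VERIFY ERROR: depth=1, error=CA signature digest algorithm too weak: C=US, CN=router-ca
OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
"""

# Constructed client config that still carries the temporary workaround.
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.invalid 1194
tls-cipher DEFAULT:@SECLEVEL=0
"""

# The specific cause is in the VERIFY ERROR line, not in the generic OpenSSL error.
WEAK_DIGEST_RE = re.compile(
    r"VERIFY ERROR: depth=(\d+), error=([^:]*signature digest algorithm too weak)(?::\s*(.*))?$"
)
VERIFY_FAILED_RE = re.compile(r"certificate verify failed")


def diagnose_log(text):
    """Explain a failed TLS handshake from OpenVPN client log text.

    Returns whether the generic verify failure appeared, whether a weak
    signature digest was the reason, and at which chain depth / subject.
    """
    result = {"verify_failed": False, "weak_digest": False, "depth": None, "subject": None}
    for line in text.splitlines():
        if VERIFY_FAILED_RE.search(line):
            result["verify_failed"] = True
        m = WEAK_DIGEST_RE.search(line)
        if m:
            result["weak_digest"] = True
            result["depth"] = int(m.group(1))          # 0 = leaf, 1+ = issuing CA
            result["subject"] = (m.group(3) or "").strip() or None
    return result


def find_seclevel_workaround(config_text):
    """Return 1-based line numbers of tls-cipher options that drop OpenSSL to SECLEVEL 0."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()   # ignore comments
        if stripped.startswith("tls-cipher") and "@SECLEVEL=0" in stripped:
            hits.append(n)
    return hits
```

A depth of 1 or more with a weak-digest verdict points at the CA certificate rather than the server's leaf certificate, which is the case rjt asks about.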