
Leaderboard


Popular Content

Showing content with the highest reputation on 10/05/21 in all areas

  1. 1 point
    I just updated OpenVPN for Android to 0.7.25 (update was released on Oct 4 2021). Android 11, October 2021 security patch. I now cannot connect to any AirVPN server anymore using the .ovpn files from the config generator. This is what it shows when I try to connect:

        OpenSSL: error:0A00018E:SSL rountines::ca md too weak
        OpenSSL reported a certificate with a weak hash, please the in app FAQ about weak hashes
        MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file
        Cannot load inline certificate file
        Exiting due to fatal error
        Process exited with exit value 1
  2. 1 point
    I came to the conclusion due to the changelog mentioning: Since a CA cert is also a X.509 cert, since OpenVPN errors out with "ca md too weak" and since OpenSSL puts out this line if read with -text: I made an educated guess that it must be this. Even though it may be nonsensical when we look at CA certs. Because, where else may that be coming from? The <cert> is sha512WithRSAEncryption. I've also looked into possible options/switches to suppress this check until a more general solution is available. So far I only stumbled upon a compiler flag for OpenSSL 3 disabling this behavior altogether, but it may be useful in other use cases; probably too much collateral damage. And OpenVPN itself simply invokes OpenSSL to do its checks, the logs outline it quite clearly. Probably nothing anyone can do with a quick OpenVPN directive, either. And to lower the security level… don't know if you can do that. I found --tls-cert-profile directive in the OpenVPN manual but it mentions 1 being the lowest security level, already called "legacy"…
  3. 1 point
    Hello!

    The signature of a root CA certificate is there only as a dummy one, and the verification of a CA certificate is not based on any signature, obviously. So, there is no security hazard coming from the signature algorithm of a root CA certificate. Anyway, if the source of the problem is the one you mention, we will plan some solution to have OpenVPN for Android compatible again. It will take some time, so you might consider running Eddie Android edition 2.4 or 2.5 alpha in the meantime.

    "The purpose of the signature in a certificate chain is that a higher authority certifies a lower authority. For a root CA, there is no higher authority by definition (that's what "root" means), so there is nobody who could possibly sign the certificate. Since, as was mentioned, certificates must be signed, root CAs are signed with a "dummy" signature, and the simplest way to do that, is to self-sign. So, not only is there no need to verify, the very idea of verifying the signature of a root CA is non-sensical."
    Jörg W Mittag, in https://serverfault.com/questions/837994/why-are-ca-root-certificates-all-sha-1-signed-since-sha-1-is-deprecated

    Kind regards
  4. 1 point
    Not necessary, I think. It really looks like AirVPN's CA cert must be reissued with a stronger hashing algorithm. It's the only permanent solution.
  5. 1 point
    Puzzling. Closest I could find is that the project switched to OpenSSL 3.0 which seems to deem any certs signed with SHA1 as weak now. But the only certs signed with SHA1 on AirVPN are old ones which you can't even generate nowadays. For a closer look one needs the whole log from the app. Eh, no, this is the problem. The certificate is SHA512, the CA actually is SHA1. So it's definitely something AirVPN should look into.
  6. 1 point
    Add all possible IPs ebay-kleinanzeigen.de resolves to as exceptions. In Eddie in Preferences > Routes, in vanilla OpenVPN via multiple route directives, one for each IP (or simply the whole network, depends): route <IP> <netmask> net_gateway
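
Added example, not taken from any of the posts above or from the OpenVPN or AirVPN projects: a Python check for the situation in the "ca md too weak" posts, reading the signature algorithm of the inline <ca> and <cert> certificates of an .ovpn profile straight from the DER. The function names are made up for illustration, and the sample profile is a constructed skeleton (empty tbsCertificate), not a real certificate.

```python
import base64, re
SIG_ALGS = {  # PKCS #1 signature-algorithm OIDs -> (name, weak digest?)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0  # first byte packs the two leading arcs
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)  # base-128 digits, high bit marks continuation
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, body, _ = read_tlv(der, 0)          # outer SEQUENCE
    _, _, tbs_end = read_tlv(der, body)    # skip over tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)     # signatureAlgorithm SEQUENCE
    tag, start, end = read_tlv(der, alg)   # its first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(der[start:end])

def audit_profile(text):
    """Map each inline block (<ca>, <cert>) to (algorithm, weak?); weak is None for unlisted OIDs."""
    result = {}
    for block in ("ca", "cert"):
        m = re.search(rf"<{block}>(.*?)</{block}>", text, re.S)
        pem = PEM_RE.search(m.group(1)) if m else None
        if pem:
            oid = signature_oid(base64.b64decode("".join(pem.group(1).split())))
            result[block] = SIG_ALGS.get(oid, (oid, None))
    return result

def constructed_pem(oid_hex):  # constructed DER skeleton (empty tbsCertificate), not a real certificate
    der = bytes.fromhex("30143000300d0609" + oid_hex + "0500030100")
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
SAMPLE = ("client\n<ca>\n" + constructed_pem("2a864886f70d010105") + "</ca>\n"
          "<cert>\n" + constructed_pem("2a864886f70d01010d") + "</cert>\n")
print(audit_profile(SAMPLE))
```

On the constructed sample this reports the same split described in the thread: a SHA-1 signed CA next to a SHA-512 signed client certificate.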