Certificate Issues
-
Did 2.3 Default to sign certificates with MD5?
I'm getting a warning from the new version of OpenVPN Connect for android about TLS certificate signed with MD5.
How can I display all my certificates to see what is going on? The certificate manager doesn't seem to show any details.
I started the process of recreating another certificate just to see what signing algo is used and it seems to default to SHA256.
How can I troubleshoot… I have CA, Intermediate CA, Server Cert, User Certs... I'd like to know for sure if the problem goes all the way back to the CA, or if it's just a server cert.
or is it the TLS Key in the cryptographic settings (# 2048 bit OpenVPN static key) that was generated automatically.
Any advice/assistance is much appreciated.
-
Did 2.3 Default to sign certificates with MD5?
I'm in doubt.
In the cert manager you can find an i(nfo) symbol beside each cert. After a click on it you can see the signature digest.
-
Did 2.3 Default to sign certificates with MD5?
I'm in doubt.
In the cert manager you can find an i(nfo) symbol beside each cert. After a click on it you can see the signature digest.
Thanks for the hint. I see why you are in doubt.
So am I, but OpenVPN Connect (v1.1.26-Build 95 Dec 12, 2017) running on Android 5.1.1 gave me the following message:
Warning!
TLS: received certificate signed
with MD5. Please inform your
admin to upgrade to stronger
algorithm. Support for MD5 will be
dropped the end of Apr 2018
I wasn't able to check the automatically generated TLS certificate, but when I checked each of the user certs the relevant info was:
Signature Digest: RSA-SHA512
EKU: TLS Web Client Authentication
There is no (i) for the CA, so I don't know exactly what is going on, but after a quick search I found an openssl command to try.
I piped the CA/Intermediate CA into stdin for openssl x509 -noout -text and got the following output:
Primary CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: [REDACTED]
        Validity
            Not Before: May 5 07:15:26 2017 GMT
            Not After : May 3 07:15:26 2027 GMT
        Subject: [REDACTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (8192 bit)
                Modulus: [REDACTED]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                [REDACTED - 20 Bytes - 40hex digits]
            X509v3 Authority Key Identifier:
                keyid:[REDACTED - 20 Bytes - 40hex digits]
                DirName:[REDACTED]
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha512WithRSAEncryption
         [REDACTED - 20 Bytes - 40hex digits]
Intermediate CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: [REDACTED]
        Validity
            Not Before: May 5 07:25:42 2017 GMT
            Not After : May 3 07:25:42 2027 GMT
        Subject: [REDACTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus: [REDACTED]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                [REDACTED - 20 Bytes - 40hex digits]
            X509v3 Authority Key Identifier:
                keyid:[REDACTED - 20 Bytes - 40hex digits]
                DirName:[REDACTED]
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha512WithRSAEncryption
         [REDACTED]
The Key Identifiers are 160 bits long, and the signature algo was sha512, which is a far cry from MD5!
I looked in the OpenVPN Connect log (can't copy/paste or otherwise copy it) and I see two certificates being verified (and they indicate they are signed using RSA/SHA512 (4096 bits)).
Then I get the following lines: (Transcribed manually)
SSL Handshake TLSv1.2/TLS-ECDHE-RSA-WITH-AES256-GCM-SHA384
Session is ACTIVE
EVENT: WARN info 'TLS: received certificate signed with MD5. Please inform your…
From the log, the server key and user keys are both RSA/SHA512 (4096 bits), so the problem is either the 2048 bit automatically generated TLS key (which I don't know how to check), the android app or something else I haven't thought of.
Any suggestions? Have I found an OpenVPN bug, an android problem or what?
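For the "how can I display all my certificates" question from the first post, here is an added example (not code from the thread or from OpenVPN/pfSense) that reads the outer signatureAlgorithm field of every certificate in a PEM bundle and flags MD5 and SHA-1 without needing openssl installed. The skeleton_cert helper and the OID constants build constructed stand-ins for offline testing; they are not real certificates.

```python
"""Report the signature algorithm of X.509 certificates without OpenSSL, by
walking Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, sig }."""
import base64

SIG_OIDS = {  # RFC 3279 / RFC 4055 signature algorithm identifiers
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Dotted OID from content octets; the first octet packs the first two arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Name of the algorithm in the outer signatureAlgorithm field."""
    _, cert, _ = read_tlv(der, 0)        # outer Certificate SEQUENCE
    _, _, pos = read_tlv(cert, 0)        # skip tbsCertificate entirely
    _, alg_id, _ = read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg_id, 0)      # OBJECT IDENTIFIER comes first
    return SIG_OIDS.get(decode_oid(oid), "unknown OID " + decode_oid(oid))

def check_pem_bundle(pem):
    """[(algorithm name, is_weak)] for every certificate in a PEM bundle."""
    names = [signature_algorithm(base64.b64decode(b.split("-----BEGIN CERTIFICATE-----")[1]))
             for b in pem.split("-----END CERTIFICATE-----")[:-1]]
    return [(n, n in WEAK) for n in names]

def skeleton_cert(oid_octets):
    """Constructed stand-in (not a real certificate) carrying the given signature OID."""
    seq = lambda body: b"\x30" + bytes([len(body)]) + body
    oid = b"\x06" + bytes([len(oid_octets)]) + oid_octets
    return seq(seq(b"") + seq(oid) + b"\x03\x01\x00")  # empty tbs, alg id, BIT STRING

MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA512_RSA = bytes.fromhex("2a864886f70d01010d")  # 1.2.840.113549.1.1.13
```

Run check_pem_bundle on the concatenated CA, intermediate, server and user certificates to see at a glance whether any link in the chain is MD5-signed. The 2048 bit OpenVPN static key mentioned above is a raw symmetric tls-auth key rather than a certificate, so it carries no signature digest and cannot be what the warning refers to.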
-
The problem must have been with the android client. There was an update a while back, and I just thought to check, and the problem is gone.
-
I have the same problem with openvpn connect 1.1.27 on android and openvpn 1.2.9 0 (iOS 64-bit) both latest versions.
I cannot understand what is md5 signed but I am worried april is round the corner.
-
I still cannot figure if it is a mistake of the cli version or if my openvpn connection is going to stop working
-
I'm also using OpenVPN Connect 1.2.9 build 0 (iOS 64-bit) and there's no problem like that.