Certificate Issues



  • Did 2.3 Default to sign certificates with MD5?

    I'm getting a warning from the new version of OpenVPN Connect for android about TLS certificate signed with MD5.

    How can I display all my certificates to see what is going on?  The certificate manager doesn't seem to show any details.

    I started the process of recreating another certificate just to see what signing algo is used and it seems to default to SHA256.

    How can I troubleshoot… I have CA, Intermediate CA, Server Cert, User Certs... I'd like to know for sure if the problem goes all the way back to the CA, or if it's just a server cert.

    or is it the TLS Key in the cryptographic settings (# 2048 bit OpenVPN static key) that was generated automatically.

    Any advice/assistance is much appreciated.



  • @guardian:

    Did 2.3 Default to sign certificates with MD5?

    I'm in doubt.

    In the cert manager you can find an i(nfo) symbol beside each cert. After a click on it you can see the signature digest.



  • @viragomann:

    @guardian:

    Did 2.3 Default to sign certificates with MD5?

    I'm in doubt.

    In the cert manager you can find an i(nfo) symbol beside each cert. After a click on it you can see the signature digest.

    Thanks for the hint.  I see why you are in doubt.

    So am I, but OpenVPN Connect (v1.1.26-Build 95 Dec 12, 2017) running on on Android 5.1.1 gave me the following message:

    Warning!
    TLS: received certificate signed
    with MD5. Please inform your
    admin to upgrade to stronger
    algorithm. Support for MD5 will be
    dropped the end of Apr 2018

    I wasn't able to check the automatically generated TLS certificate, but when I checked each of the user certs the relevant info was:

    Signature Digest: RSA-SHA512
    EKU: TLS Web Client Authentication

    There is no (i) for the CA, so I don't know exactly what is going on, but after a quick search I found an openssl command to try.

    I the CA/Intermediate CA into stdio for openssl x509 -noout -text and got the following output:

    Primary CA

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
        Signature Algorithm: sha512WithRSAEncryption
            Issuer: [REDACTED]
            Validity
                Not Before: May  5 07:15:26 2017 GMT
                Not After : May  3 07:15:26 2027 GMT
            Subject:  [REDACTED]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (8192 bit)
                    Modulus:
                           [REDACTED]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                     [REDACTED - 20 Bytes - 40hex digits]
                X509v3 Authority Key Identifier: 
                    keyid:[REDACTED - 20 Bytes - 40hex digits]
                    DirName:[REDACTED]
                    serial:00
    
                X509v3 Basic Constraints: 
                    CA:TRUE
                X509v3 Key Usage: 
                    Certificate Sign, CRL Sign
        Signature Algorithm: sha512WithRSAEncryption
                    [REDACTED - 20 Bytes - 40hex digits]
    
    

    Intermediate CA

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 3 (0x3)
        Signature Algorithm: sha512WithRSAEncryption
            Issuer: [REDACTED]
            Validity
                Not Before: May  5 07:25:42 2017 GMT
                Not After : May  3 07:25:42 2027 GMT
            Subject: [REDACTED]
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                    [REDACTED]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                     [REDACTED - 20 Bytes - 40hex digits]
                X509v3 Authority Key Identifier: 
                    keyid: [REDACTED - 20 Bytes - 40hex digits]
                    DirName:[REDACTED]
                    serial:00
    
                X509v3 Basic Constraints: 
                    CA:TRUE
                X509v3 Key Usage: 
                    Certificate Sign, CRL Sign
        Signature Algorithm: sha512WithRSAEncryption
                   [REDACTED]
    
    

    The Key Identifiers are 160bits long, and the signature algo was shs512, which is a far cry from MD5!

    I looked in the OpenVPN Connect log (can't copy/paste or otherwise copy it) and I see two certificates being verified (and they indicate they are  signed using RSA/SHA512 (4096 bits)).

    Then I get the following lines: (Transcribed manually)

    SSL Handshake TLSv1.2/TLS-ECDHE-RSA-WITH-AES256-GCM-SHA384
    Session is ACTIVE
    EVENT: WARN info 'TLS: received certificate signed with MD5. Please inform your…

    From the log, the server key and user keys are both RSA/SHA512 (4096 bits)), so the problem is either the 2048 bit automatically generated TLS key (which I don't know how to check), the android app or something else I haven't thought of.

    Any suggestions?  Have I found an OpenVPN bug, an android problem or what?



  • The problem must have been with the android client.  There was an update awhile back, and I just thought to check, and the problem is gone.



  • I have the same problem with openvpn connect 1.1.27 on android and openvpn 1.2.9 0 (iOS 64-bit) both latest versions.
    I cannot understand what is md5 signed but I am worried april is round the corner.




  • I still cannot figure if it is a mistake of the cli version or if my openvpn connection is going to stop working



  • I'm also using OpenVPN Connect 1.2.9 build 0 (iOS 64-bit) and there's no problem like that.


Log in to reply