Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: ReetP on June 15, 2020, 05:25:51 PM
-
This is for users with certificates generated by the current PHPKI contrib for OpenVPN connections via mobiles.
Over the weekend OpenVPN upgraded their iPhone connect app from 3.1.1 to 3.2.0.
As a result my iPhondle users could no longer connect with an error:
There was an error attempting to connect to the selected server
Error message: parser_cert_crl_error ca cert/crl content ended unexpectedly without end marker
The phone was making no attempt to connect.
Android seemed OK.
However, when I upgraded to the Android Beta app, it occurs there immediately after upgrading.
I opened this bug, in which they then tried to tell me I had spaces in my config file, which is several types of nonsense in one go.
https://community.openvpn.net/openvpn/ticket/1292
After some digging around and testing it appears from what I can tell that they have deprecated MD5 based certificates overnight. They had warned that they would do, though why right now I have no idea, apart from wanting to piss off a load of users.
No warnings, no mercy, no chance of regressing for a bit. No patience for lots of remote workers in a pandemic. Nothing. Not even an admission at the time of writing, though I expect they'll come up with some excuse in due course.
I have subsequently tested this on certificates generated by the new version of PHPKI that I have built that uses SHA1 instead of MD5.
The bad news is that you will have to remove ALL your old PHPKI setup, install fresh and regenerate ALL of your configs, which in my case means that I also need to generate new certificates for all my router-router VPNs as well. I had got it pencilled in for when I upgraded to v10......
I expect the new Android version will be out shortly which will break any Android handsets.
Sometimes I really wonder about some developers.
-
ah mate if nothing shit itself regularly what would you do with the spare time :-) yes I know go to the Maldives, that can wait :-)
-
Ha..... holiday? I dream of a holiday.
-
Note I am waiting to see if they come up with a resolution, but based on my testing it seems the most likely scenario so far.
I'll post back if I hear more.
-
Bloody hell!!!!!!
It appears that somehow somewhere an extra hyphen got added to the certificate string:
The end line
-----END CERTIFICATE------
should be
-----END CERTIFICATE-----
mbed TLS does not seem to care but this is not valid.
The old system didn't care. The updated app does.
Note that they will completely deprecate MD5 certs in openvpn v3.0 so you should be looking at the new PHPKI.
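A strict check for the fault described in the last post, as an added example that is not part of the original thread or of PHPKI: it scans an OpenVPN profile for PEM boundary lines that are not exactly five hyphens, BEGIN or END, a label, and five hyphens. The profile, host name and certificate body below are constructed placeholders, and `check_pem_markers` is a hypothetical helper name.

```python
import re

# Strict boundary: exactly five hyphens, BEGIN/END, a label, five hyphens.
STRICT = re.compile(r"^-----(BEGIN|END) ([A-Za-z0-9][A-Za-z0-9 ]*)-----$")
# Any line that looks like an attempt at a boundary.
LOOSE = re.compile(r"^\s*-{2,}\s*(BEGIN|END)\b")

# Constructed sample profile; host and certificate body are placeholders.
SAMPLE = """client
remote vpn.example.org 1194
<ca>
-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE------
</ca>
"""

def check_pem_markers(text):
    """Return (line_number, problem) tuples for PEM boundary faults."""
    problems = []
    open_block = None  # (label, line_number) of a BEGIN still awaiting its END
    for n, line in enumerate(text.splitlines(), 1):
        if not LOOSE.match(line):
            continue
        m = STRICT.match(line)
        if not m:
            problems.append((n, f"malformed boundary {line!r}"))
            continue
        kind, label = m.groups()
        if kind == "BEGIN":
            if open_block:
                problems.append((n, f"BEGIN {label} inside open {open_block[0]} block"))
            open_block = (label, n)
        elif open_block is None:
            problems.append((n, f"END {label} without a BEGIN"))
        else:
            if open_block[0] != label:
                problems.append((n, f"END {label} closes BEGIN {open_block[0]}"))
            open_block = None
    if open_block:
        problems.append((open_block[1], f"BEGIN {open_block[0]} has no valid END marker"))
    return problems

if __name__ == "__main__":
    for n, problem in check_pem_markers(SAMPLE):
        print(f"line {n}: {problem}")
```

Run over the sample, it reports the six-hyphen END line and then the BEGIN line that is left without a valid end marker, which is the same condition the app's error message describes.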