schwabe / ics-openvpn

OpenVPN for Android

[0.7.26] [NPE] java.lang.String de.blinkt.openvpn.VpnProfile.mName #1381

Closed rprimus closed 2 years ago

rprimus commented 2 years ago

To make issues more manageable, I would appreciate it if you fill out the following details as applicable:

General information

  1. Android Version
  2. Fire OS 5.2.8.2 (668700720)
  3. Amazon FireTV Stick 2
  4. 0.7.26 (plai.de)

Description of the issue

Ref: https://airvpn.org/forums/topic/49811-urgent-cant-connect-to-vpn-anymore-on-openvpn-for-android-0725/

Initially getting error:

07:19 OpenSSL: error:0A00018E:SSL routines::ca md too weak

Installed the new CA (provided in the link above), stopped app, cleared cache, restarted app; however, same error.

New CA: Signature Algorithm: sha512WithRSAEncryption

Note: The above is what prompted me to check the logcat. I have verified that the embedded client cert has signature sha1WithRSAEncryption, which is causing the above error (as per https://github.com/schwabe/ics-openvpn/issues/1374#issuecomment-935944072).

Am just reporting the NPE.

Checked logcat and get the following:

logcat snippet:

    --------- beginning of crash
    E/AndroidRuntime( 3664): FATAL EXCEPTION: main
    E/AndroidRuntime( 3664): Process: de.blinkt.openvpn:openvpn, PID: 3664
    E/AndroidRuntime( 3664): java.lang.NullPointerException: Attempt to read from field 'java.lang.String de.blinkt.openvpn.VpnProfile.mName' on a null object reference
    E/AndroidRuntime( 3664): at de.blinkt.openvpn.core.OpenVPNService$2.run(OpenVPNService.java:330)
    E/AndroidRuntime( 3664): at android.os.Handler.handleCallback(Handler.java:739)
    E/AndroidRuntime( 3664): at android.os.Handler.dispatchMessage(Handler.java:95)
    E/AndroidRuntime( 3664): at android.os.Looper.loop(Looper.java:135)
    E/AndroidRuntime( 3664): at android.app.ActivityThread.main(ActivityThread.java:5604)
    E/AndroidRuntime( 3664): at java.lang.reflect.Method.invoke(Native Method)
    E/AndroidRuntime( 3664): at java.lang.reflect.Method.invoke(Method.java:372)
    E/AndroidRuntime( 3664): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:984)
    E/AndroidRuntime( 3664): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:779)
    E/AndroidRuntime( 3952): FATAL EXCEPTION: main

ovpn-error.log

schwabe commented 2 years ago

Are you sure that the logcat snippet is from 0.7.26 and not 0.7.25?

The code had a bug in 0.7.25 but in 0.7.26 it is:

                String name;
                if (mProfile != null)
                    name = mProfile.mName;
                else
                    name = "OpenVPN";

Not sure how the last line should have a null pointer.

schwabe commented 2 years ago

As for the CA: OpenSSL might also be upset by the CA sent by the server and not just the one used in the profile itself. Since AirVPN is a commercial VPN provider, I don't have any pity for them. They should have moved to sha256/sha512 years ago. OpenSSL 3.0 now just calls them out.

rprimus commented 2 years ago

Thu Oct 7 09:27:39 BST 2021

Hi @schwabe ,

Are you sure that the logcat snippet is from 0.7.26 and not 0.7.25?

You're right - I didn't reboot after installing 0.7.26. There are no errors after a reboot.

Apologies for the wasted cycles.

rprimus commented 2 years ago

Thu Oct 7 14:43:46 BST 2021

They should have moved to sha256/sha512 years ago.

@schwabe - They did! It was my fault - see below.

Since 2017, our system generates CRT signed with SHA512 algorithm. Previously they were signed with SHA1.

you have a client CRT (user.crt) dated 2015. You and anybody else using pre-2017 user certificates: please go to your "Client Area" > "Devices" menu, renew your cert/key pair, re-download your OVPN configuration files from the Configuration Generator, use them and you will be fine. (*) The problem has never been caused by the CA certificate.

schwabe commented 2 years ago

The OpenSSL error message about the CA md being weak disagrees with their statement :D But if they fixed it already then all is good.
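
The following is an added example, not code from this thread or from ics-openvpn: a stdlib-only check that reports the signature algorithm of each certificate embedded in an .ovpn profile, so a SHA1-signed client certificate like the 2015 one discussed above can be spotted before connecting. It assumes the profile uses inline `<ca>` and `<cert>` blocks and RSA signatures; the function names and the sample profile (DER shells, not real certificates) are constructed for illustration.

```python
import base64
import re

SIG_OIDS = {  # DER-encoded OID bytes of common RSA signature algorithms
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010d"): "sha512WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def cert_sig_alg(der):
    """Name of the outer signatureAlgorithm field of an X.509 certificate."""
    _, start, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)       # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return SIG_OIDS.get(der[oid_start:oid_end], "unknown")

def audit_profile(ovpn_text):
    """Return [(section, algorithm, is_weak)] for inline <ca>/<cert> blocks."""
    algs = [(sec, cert_sig_alg(base64.b64decode(b64)))
            for sec, body in re.findall(r"<(ca|cert)>(.*?)</\1>", ovpn_text, re.S)
            for b64 in PEM_RE.findall(body)]
    return [(sec, alg, alg in WEAK) for sec, alg in algs]

def sample_shell(oid_hex):
    """Constructed sample: a certificate-shaped DER shell, not a real cert."""
    oid = bytes.fromhex(oid_hex)
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x81\x80" + bytes(128) + alg + b"\x03\x01\x00"
    pem = base64.b64encode(b"\x30\x81" + bytes([len(body)]) + body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "\n-----END CERTIFICATE-----"

SAMPLE = ("<ca>\n" + sample_shell("2a864886f70d01010d") + "\n</ca>\n"
          "<cert>\n" + sample_shell("2a864886f70d010105") + "\n</cert>\n")
```

This covers only certificates stored in the profile; as noted in the thread, OpenSSL also checks certificates sent by the server during the handshake.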