Closed kverkind closed 2 years ago
2022-01-23 19:36:53 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-01-23 19:36:53 OpenSSL reported a certificate with a weak hash, please see the in app FAQ about weak hashes.
Yes, this is a behaviour change but it is an intended one and it is OpenSSL 3.0.0 that changed the behaviour. You have to enable insecure TLS certificate level in auth/encryption setting of the profile.
OpenVPN Connect still uses OpenSSL 1.1.1. But when OpenVPN connect changes to OpenSSL 3.0.0 you will see the same behaviour there.
To make issues more manageable, I would appreciate it if you fill out the following details as applicable:
General information
Description of the issue
Config file error during processing after 7.25 was working in prior releases. Also working with 'OpenVpn connect'
Log (if applicable)
2022-01-23 19:36:28 official build 0.7.33 running on samsung SM-G930F (universal8890), Android 8.0.0 (R16NW) API 26, ABI arm64-v8a, (samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXU8ETI2:user/release-keys)
2022-01-23 19:36:52 Building configuration…
2022-01-23 19:36:52 started Socket Thread
2022-01-23 19:36:52 Network Status: CONNECTED LTE to MOBILE telenetwap.be
2022-01-23 19:36:52 Debug state info: CONNECTED LTE to MOBILE telenetwap.be, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-01-23 19:36:52 Debug state info: CONNECTED LTE to MOBILE telenetwap.be, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2022-01-23 19:36:52 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-01-23 19:36:52 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2022-01-23 19:36:52 Current Parameter Settings:
2022-01-23 19:36:52 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2022-01-23 19:36:52 mode = 0
2022-01-23 19:36:52 show_ciphers = DISABLED
2022-01-23 19:36:52 show_digests = DISABLED
2022-01-23 19:36:52 show_engines = DISABLED
2022-01-23 19:36:52 genkey = DISABLED
2022-01-23 19:36:52 genkey_filename = '[UNDEF]'
2022-01-23 19:36:52 key_pass_file = '[UNDEF]'
2022-01-23 19:36:52 show_tls_ciphers = DISABLED
2022-01-23 19:36:52 connect_retry_max = 0
2022-01-23 19:36:52 Connection profiles [0]:
2022-01-23 19:36:52 proto = tcp-client
2022-01-23 19:36:52 local = '[UNDEF]'
2022-01-23 19:36:52 local_port = '[UNDEF]'
2022-01-23 19:36:52 remote = 'X.Y.Z.W'
2022-01-23 19:36:52 remote_port = '1194'
2022-01-23 19:36:52 remote_float = ENABLED
2022-01-23 19:36:52 bind_defined = DISABLED
2022-01-23 19:36:52 bind_local = DISABLED
2022-01-23 19:36:52 bind_ipv6_only = DISABLED
2022-01-23 19:36:52 connect_retry_seconds = 2
2022-01-23 19:36:52 connect_timeout = 120
2022-01-23 19:36:52 socks_proxy_server = '[UNDEF]'
2022-01-23 19:36:52 socks_proxy_port = '[UNDEF]'
2022-01-23 19:36:52 tun_mtu = 1500
2022-01-23 19:36:52 tun_mtu_defined = ENABLED
2022-01-23 19:36:52 link_mtu = 1500
2022-01-23 19:36:52 link_mtu_defined = DISABLED
2022-01-23 19:36:52 tun_mtu_extra = 0
2022-01-23 19:36:52 tun_mtu_extra_defined = DISABLED
2022-01-23 19:36:52 mtu_discover_type = -1
2022-01-23 19:36:52 fragment = 0
2022-01-23 19:36:52 mssfix = 1492
2022-01-23 19:36:52 mssfix_encap = ENABLED
2022-01-23 19:36:52 explicit_exit_notification = 0
2022-01-23 19:36:52 tls_auth_file = '[UNDEF]'
2022-01-23 19:36:52 key_direction = not set
2022-01-23 19:36:52 tls_crypt_file = '[UNDEF]'
2022-01-23 19:36:52 tls_crypt_v2_file = '[UNDEF]'
2022-01-23 19:36:52 Connection profiles END
2022-01-23 19:36:52 remote_random = DISABLED
2022-01-23 19:36:52 ipchange = '[UNDEF]'
2022-01-23 19:36:52 dev = 'tun'
2022-01-23 19:36:52 dev_type = '[UNDEF]'
2022-01-23 19:36:52 dev_node = '[UNDEF]'
2022-01-23 19:36:52 lladdr = '[UNDEF]'
2022-01-23 19:36:52 topology = 1
2022-01-23 19:36:52 ifconfig_local = '[UNDEF]'
2022-01-23 19:36:52 ifconfig_remote_netmask = '[UNDEF]'
2022-01-23 19:36:52 ifconfig_noexec = DISABLED
2022-01-23 19:36:52 ifconfig_nowarn = ENABLED
2022-01-23 19:36:52 ifconfig_ipv6_local = '[UNDEF]'
2022-01-23 19:36:52 ifconfig_ipv6_netbits = 0
2022-01-23 19:36:52 ifconfig_ipv6_remote = '[UNDEF]'
2022-01-23 19:36:52 shaper = 0
2022-01-23 19:36:52 mtu_test = 0
2022-01-23 19:36:52 mlock = DISABLED
2022-01-23 19:36:52 keepalive_ping = 10
2022-01-23 19:36:52 keepalive_timeout = 30
2022-01-23 19:36:52 inactivity_timeout = 0
2022-01-23 19:36:52 ping_send_timeout = 10
2022-01-23 19:36:52 ping_rec_timeout = 30
2022-01-23 19:36:52 ping_rec_timeout_action = 2
2022-01-23 19:36:52 ping_timer_remote = DISABLED
2022-01-23 19:36:52 remap_sigusr1 = 0
2022-01-23 19:36:52 persist_tun = DISABLED
2022-01-23 19:36:52 persist_local_ip = DISABLED
2022-01-23 19:36:52 persist_remote_ip = DISABLED
2022-01-23 19:36:52 persist_key = DISABLED
2022-01-23 19:36:52 passtos = DISABLED
2022-01-23 19:36:52 resolve_retry_seconds = 60
2022-01-23 19:36:52 resolve_in_advance = DISABLED
2022-01-23 19:36:52 username = '[UNDEF]'
2022-01-23 19:36:52 groupname = '[UNDEF]'
2022-01-23 19:36:52 chroot_dir = '[UNDEF]'
2022-01-23 19:36:52 cd_dir = '[UNDEF]'
2022-01-23 19:36:52 writepid = '[UNDEF]'
2022-01-23 19:36:52 up_script = '[UNDEF]'
2022-01-23 19:36:52 down_script = '[UNDEF]'
2022-01-23 19:36:52 down_pre = DISABLED
2022-01-23 19:36:52 up_restart = DISABLED
2022-01-23 19:36:52 up_delay = DISABLED
2022-01-23 19:36:52 daemon = DISABLED
2022-01-23 19:36:52 log = DISABLED
2022-01-23 19:36:52 suppress_timestamps = DISABLED
2022-01-23 19:36:52 machine_readable_output = ENABLED
2022-01-23 19:36:52 nice = 0
2022-01-23 19:36:52 verbosity = 4
2022-01-23 19:36:52 mute = 0
2022-01-23 19:36:52 gremlin = 0
2022-01-23 19:36:52 status_file = '[UNDEF]'
2022-01-23 19:36:52 status_file_version = 1
2022-01-23 19:36:52 status_file_update_freq = 60
2022-01-23 19:36:52 occ = ENABLED
2022-01-23 19:36:52 rcvbuf = 0
2022-01-23 19:36:52 sndbuf = 0
2022-01-23 19:36:52 sockflags = 0
2022-01-23 19:36:52 fast_io = DISABLED
2022-01-23 19:36:52 comp.alg = 2
2022-01-23 19:36:52 comp.flags = 1
2022-01-23 19:36:52 route_script = '[UNDEF]'
2022-01-23 19:36:52 route_default_gateway = '[UNDEF]'
2022-01-23 19:36:52 route_default_metric = 0
2022-01-23 19:36:52 route_noexec = DISABLED
2022-01-23 19:36:52 route_delay = 0
2022-01-23 19:36:52 route_delay_window = 30
2022-01-23 19:36:52 route_delay_defined = DISABLED
2022-01-23 19:36:52 route_nopull = DISABLED
2022-01-23 19:36:52 route_gateway_via_dhcp = DISABLED
2022-01-23 19:36:52 allow_pull_fqdn = DISABLED
2022-01-23 19:36:52 management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2022-01-23 19:36:52 management_port = 'unix'
2022-01-23 19:36:52 management_user_pass = '[UNDEF]'
2022-01-23 19:36:52 management_log_history_cache = 250
2022-01-23 19:36:52 management_echo_buffer_size = 100
2022-01-23 19:36:52 management_write_peer_info_file = '[UNDEF]'
2022-01-23 19:36:52 management_client_user = '[UNDEF]'
2022-01-23 19:36:52 management_client_group = '[UNDEF]'
2022-01-23 19:36:52 management_flags = 16678
2022-01-23 19:36:52 shared_secret_file = '[UNDEF]'
2022-01-23 19:36:52 key_direction = not set
2022-01-23 19:36:52 ciphername = 'AES-128-CBC'
2022-01-23 19:36:52 ncp_ciphers = 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'
2022-01-23 19:36:52 authname = 'SHA1'
2022-01-23 19:36:52 engine = DISABLED
2022-01-23 19:36:52 replay = ENABLED
2022-01-23 19:36:52 mute_replay_warnings = DISABLED
2022-01-23 19:36:52 replay_window = 64
2022-01-23 19:36:52 replay_time = 15
2022-01-23 19:36:52 packet_id_file = '[UNDEF]'
2022-01-23 19:36:52 test_crypto = DISABLED
2022-01-23 19:36:52 tls_server = DISABLED
2022-01-23 19:36:52 tls_client = ENABLED
2022-01-23 19:36:52 ca_file = '[INLINE]'
2022-01-23 19:36:52 ca_path = '[UNDEF]'
2022-01-23 19:36:52 dh_file = '[UNDEF]'
2022-01-23 19:36:52 cert_file = '[INLINE]'
2022-01-23 19:36:52 extra_certs_file = '[UNDEF]'
2022-01-23 19:36:52 priv_key_file = '[INLINE]'
2022-01-23 19:36:52 pkcs12_file = '[UNDEF]'
2022-01-23 19:36:52 cipher_list = '[UNDEF]'
2022-01-23 19:36:52 cipher_list_tls13 = '[UNDEF]'
2022-01-23 19:36:52 tls_cert_profile = '[UNDEF]'
2022-01-23 19:36:52 tls_verify = '[UNDEF]'
2022-01-23 19:36:52 tls_export_cert = '[UNDEF]'
2022-01-23 19:36:52 verify_x509_type = 0
2022-01-23 19:36:52 verify_x509_name = '[UNDEF]'
2022-01-23 19:36:52 crl_file = '[UNDEF]'
2022-01-23 19:36:52 ns_cert_type = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 65535
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 Waiting 0s seconds between connection attempt
2022-01-23 19:36:52 remote_cert_ku[i] = 0
2022-01-23 19:36:52 remote_cert_eku = 'TLS Web Server Authentication'
2022-01-23 19:36:52 ssl_flags = 192
2022-01-23 19:36:52 tls_timeout = 2
2022-01-23 19:36:52 renegotiate_bytes = -1
2022-01-23 19:36:52 renegotiate_packets = 0
2022-01-23 19:36:52 renegotiate_seconds = 3600
2022-01-23 19:36:52 handshake_window = 60
2022-01-23 19:36:52 transition_window = 3600
2022-01-23 19:36:52 single_session = DISABLED
2022-01-23 19:36:52 push_peer_info = DISABLED
2022-01-23 19:36:52 tls_exit = DISABLED
2022-01-23 19:36:52 tls_crypt_v2_metadata = '[UNDEF]'
2022-01-23 19:36:52 server_network = 0.0.0.0
2022-01-23 19:36:52 server_netmask = 0.0.0.0
2022-01-23 19:36:52 server_network_ipv6 = ::
2022-01-23 19:36:52 server_netbits_ipv6 = 0
2022-01-23 19:36:52 server_bridge_ip = 0.0.0.0
2022-01-23 19:36:52 server_bridge_netmask = 0.0.0.0
2022-01-23 19:36:52 server_bridge_pool_start = 0.0.0.0
2022-01-23 19:36:52 server_bridge_pool_end = 0.0.0.0
2022-01-23 19:36:52 ifconfig_pool_defined = DISABLED
2022-01-23 19:36:52 ifconfig_pool_start = 0.0.0.0
2022-01-23 19:36:52 ifconfig_pool_end = 0.0.0.0
2022-01-23 19:36:52 ifconfig_pool_netmask = 0.0.0.0
2022-01-23 19:36:52 ifconfig_pool_persist_filename = '[UNDEF]'
2022-01-23 19:36:52 ifconfig_pool_persist_refresh_freq = 600
2022-01-23 19:36:52 ifconfig_ipv6_pool_defined = DISABLED
2022-01-23 19:36:52 ifconfig_ipv6_pool_base = ::
2022-01-23 19:36:52 ifconfig_ipv6_pool_netbits = 0
2022-01-23 19:36:52 n_bcast_buf = 256
2022-01-23 19:36:52 tcp_queue_limit = 64
2022-01-23 19:36:52 real_hash_size = 256
2022-01-23 19:36:52 virtual_hash_size = 256
2022-01-23 19:36:52 client_connect_script = '[UNDEF]'
2022-01-23 19:36:52 learn_address_script = '[UNDEF]'
2022-01-23 19:36:52 client_disconnect_script = '[UNDEF]'
2022-01-23 19:36:52 client_config_dir = '[UNDEF]'
2022-01-23 19:36:52 ccd_exclusive = DISABLED
2022-01-23 19:36:52 tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2022-01-23 19:36:52 push_ifconfig_defined = DISABLED
2022-01-23 19:36:52 push_ifconfig_local = 0.0.0.0
2022-01-23 19:36:52 push_ifconfig_remote_netmask = 0.0.0.0
2022-01-23 19:36:52 push_ifconfig_ipv6_defined = DISABLED
2022-01-23 19:36:52 push_ifconfig_ipv6_local = ::/0
2022-01-23 19:36:52 push_ifconfig_ipv6_remote = ::
2022-01-23 19:36:52 enable_c2c = DISABLED
2022-01-23 19:36:52 duplicate_cn = DISABLED
2022-01-23 19:36:52 cf_max = 0
2022-01-23 19:36:52 cf_per = 0
2022-01-23 19:36:52 max_clients = 1024
2022-01-23 19:36:52 max_routes_per_client = 256
2022-01-23 19:36:52 auth_user_pass_verify_script = '[UNDEF]'
2022-01-23 19:36:52 auth_user_pass_verify_script_via_file = DISABLED
2022-01-23 19:36:52 auth_token_generate = DISABLED
2022-01-23 19:36:52 auth_token_lifetime = 0
2022-01-23 19:36:52 auth_token_secret_file = '[UNDEF]'
2022-01-23 19:36:52 port_share_host = '[UNDEF]'
2022-01-23 19:36:52 port_share_port = '[UNDEF]'
2022-01-23 19:36:52 vlan_tagging = DISABLED
2022-01-23 19:36:52 vlan_accept = all
2022-01-23 19:36:52 vlan_pvid = 1
2022-01-23 19:36:52 client = ENABLED
2022-01-23 19:36:52 pull = ENABLED
2022-01-23 19:36:52 auth_user_pass_file = 'stdin'
2022-01-23 19:36:52 OpenVPN 2.6-icsopenvpn [git:icsopenvpn/v0.7.33-0-g8bc2287a] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 13 2022
2022-01-23 19:36:52 library versions: OpenSSL 3.0.1 14 Dec 2021, LZO 2.10
2022-01-23 19:36:52 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2022-01-23 19:36:52 MANAGEMENT: CMD 'version 3'
2022-01-23 19:36:52 MANAGEMENT: CMD 'hold release'
2022-01-23 19:36:52 MANAGEMENT: CMD 'username 'Auth' XXXXX'
2022-01-23 19:36:52 MANAGEMENT: CMD 'password [...]'
2022-01-23 19:36:52 MANAGEMENT: CMD 'bytecount 2'
2022-01-23 19:36:52 MANAGEMENT: CMD 'proxy NONE'
2022-01-23 19:36:52 MANAGEMENT: CMD 'state on'
2022-01-23 19:36:53 MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file
2022-01-23 19:36:53 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-01-23 19:36:53 OpenSSL reported a certificate with a weak hash, please see the in app FAQ about weak hashes.
2022-01-23 19:36:53 MANAGEMENT: Client disconnected
2022-01-23 19:36:53 Cannot load inline certificate file
2022-01-23 19:36:53 Exiting due to fatal error
2022-01-23 19:36:53 Process exited with exit value 1
Configuration file
# Config for OpenVPN 2.x
# Enables connection to GUI
management /data/user/0/de.blinkt.openvpn/cache/mgmtsocket unix
management-client
management-query-passwords
management-hold

setenv IV_GUI_VER "de.blinkt.openvpn 0.7.16"
setenv IV_SSO openurl,crtext
setenv IV_PLAT_VER "24 7.0 arm64-v8a samsung MSM8976 SM-T813"
machine-readable-output
allow-recursive-routing
ifconfig-nowarn
client
verb 4
connect-retry 2 300
resolv-retry 60
dev tun
remote X.Y.Z.W 1194 tcp-client
auth-user-pass

comp-lzo
nobind
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
float

# Use system proxy setting
management-query-proxy

# Custom configuration options
# You are on your on own here :)
# These options found in the config file do not map to config settings:
sndbuf 0
rcvbuf 0
keepalive 10 30
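
The error code in the log above can be unpacked to confirm which check rejected the certificate. The following is an added example, not part of the original issue or of the app's code: the function names are hypothetical, the reason table lists only three of OpenSSL's SSL reason codes, and the decoder goes slightly beyond the page by also handling the OpenSSL 1.1.1 code layout, since the reply mentions a client still on 1.1.1.

```python
import re

LIB_SSL = 20  # ERR_LIB_SSL
# Reason codes raised when a certificate fails the TLS security-level check.
SSL_REASONS = {397: "ca key too small",   # SSL_R_CA_KEY_TOO_SMALL
               398: "ca md too weak",     # SSL_R_CA_MD_TOO_WEAK
               399: "ee key too small"}   # SSL_R_EE_KEY_TOO_SMALL

ERR_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):")
VER_RE = re.compile(r"library versions: OpenSSL (\d+)\.")
PROFILE_RE = re.compile(r"tls_cert_profile = '([^']*)'")

def decode_error(code_hex, major=3):
    """Split a packed OpenSSL error code into (library, reason)."""
    code = int(code_hex, 16)
    if major >= 3:
        if code & 0x80000000:            # system (errno) error, no library field
            return (None, code & 0x7FFFFFFF)
        # 3.x layout: bits 23-30 = library, bits 0-22 = reason
        return ((code >> 23) & 0xFF, code & 0x7FFFFF)
    # 1.1.1 layout: bits 24-31 = library, 12-23 = function, 0-11 = reason
    return ((code >> 24) & 0xFF, code & 0xFFF)

def triage(log_text):
    """Return certificate-strength rejections found in an OpenVPN client log."""
    ver = VER_RE.search(log_text)
    major = int(ver.group(1)) if ver else 3   # assumption: 3.x if not logged
    profile = PROFILE_RE.search(log_text)
    findings = []
    for m in ERR_RE.finditer(log_text):
        lib, reason = decode_error(m.group(1), major)
        if lib == LIB_SSL and reason in SSL_REASONS:
            findings.append({
                "code": m.group(1).upper(),
                "openssl_major": major,
                "reason": SSL_REASONS[reason],
                "tls_cert_profile": profile.group(1) if profile else None,
            })
    return findings

# Four lines copied from the log on this page.
SAMPLE_LOG = """\
2022-01-23 19:36:52 tls_cert_profile = '[UNDEF]'
2022-01-23 19:36:52 library versions: OpenSSL 3.0.1 14 Dec 2021, LZO 2.10
2022-01-23 19:36:53 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-01-23 19:36:53 Cannot load inline certificate file
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```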