pyrmont
Feb 22, 2018 Guide
MD5-Signed Certificate Warning with OpenVPN on iOS
As of version 1.2.8 of the OpenVPN app on iOS, OpenVPN issues the following warning:
> WARN TLS: received certificate signed with MD5.
> Please inform your admin to upgrade to a
> stronger algori...
- Mar 01, 2018
FYI, I documented the steps required to replace the certificates here. Unfortunately the steps are written for users of Windows, but it also uses mostly cross-platform open-source tools and explains what's going on, so I think it should be pretty translatable if you don't have access to any Windows boxes.
Just posting this so you have at least one go-forward path.
Repiuk
Apr 01, 2018 Tutor
Aha, overlooked that PDF file. I'll power up my Windows notebook and give it a try.
Diggie3
Apr 01, 2018 Luminary
FYI, I'm updating the doc today because OpenVPN 2.4.5 has since been released. The short story is it should all be similar except you can skip the step to use stronger algorithms (SHA256) because in OpenVPN 2.4.5 that's the default now anyway.
- cryptokiddie Apr 03, 2018 Aspirant
This is brutal that users have to telnet in to manually reissue and configure it. It's such a simple dev feature --- and Netgear can't fix it? For a network connectivity provider you think they would take security more seriously and upgrade the crypto from an algorithm (MD5) that was severely compromised over a half a decade ago.
What is taking so long?
- pyrmont Apr 03, 2018 Guide
I'll be the first to criticise Netgear for how slowly they're moving but I think the difficulty, explained by Diggie3, is that the router has a very weak CPU and calculating the new cryptographic keys is computationally very difficult.
The solution we've described does the computational work on your PC which is what makes it feasible. Netgear could just send you pre-calculated keys but that'd be less secure since they'd have a copy of them and they could be intercepted in transit.
- cryptokiddie Apr 03, 2018 Aspirant
Fair enough, appreciate the work put into the guide
- schumaku Apr 03, 2018 Guru - Experienced User
pyrmont wrote:
> I'll be the first to criticise Netgear for how slowly they're moving but I think the difficulty, explained by Diggie3, is that the router has a very weak CPU and calculating the new cryptographic keys is computationally very difficult.

Considering Netgear does maintain Netgear Genie software for Windows and macOS - integrating this process there would be a possible option. In either case, Netgear would do well migrating to EC (Elliptic Curve) for OpenVPN and HTTPS access - the CPU load would be lowered massively.
pyrmont wrote:
> The solution we've described does the computational work on your PC which is what makes it feasible. Netgear could just send you pre-calculated keys but that'd be less secure since they'd have a copy of them and they could be intercepted in transit.

I fear Netgear will "just" update some code and continue to integrate a certificate (with a shared private key - what a joke) signed by a trusted CA for the ubiquitous domains.
A feasible choice would be to migrate to support Let's Encrypt and its automated RA processes. Let's see what they will implement - the next weeks will tell. None of my related emails sent to Netgear key people was answered (except by the R9000/R8900 project engineer).