pyrmont (Guide)
Feb 22, 2018
MD5-Signed Certificate Warning with OpenVPN on iOS
As of version 1.2.8 of the OpenVPN app on iOS, OpenVPN issues the following warning:
> WARN TLS: received certificate signed with MD5.
> Please inform your admin to upgrade to a
> stronger algorithm. Support for MD5 will be
> dropped at end of Apr 2018
The warning appears as a modal dialog that interrupts use of the device. If the device is unlocked after a short period of time with the VPN connected, there will typically be multiple modal dialogs. This is an extremely frustrating experience.
There appears to be no way to disable this warning and nothing router owners can do. A similar issue arose earlier for Android users (https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Netgear-R7000-and-OpenVPN-for-Android-App/m-p/1310857). It is still unresolved at the time of writing.
Netgear needs to issue a firmware update that changes the certificate used for OpenVPN.
FYI, I documented the steps required to replace the certificates here. Unfortunately the steps are written for users of Windows, but it also uses mostly cross-platform open-source tools and explains what's going on, so I think it should be pretty translatable if you don't have access to any Windows boxes.
Just posting this so you have at least one go-forward path.
108 Replies
- zhazell (Initiate)
How about the R7500v2? It's a nighthawk but no one seems to have mentioned it. It also supports OpenVPN server and is lacking the new certificate.
- KHDHD (Aspirant)
If I install the new firmware to address the MD5 issue, will I lose all of the saved DHCP reservations on my network and have to re-do all of those, or do they survive the upgrade process? How about the MAC address level content filtering settings?
Also, does the new firmware install erase (and avoid re-infection by) stage 1 (the part that survives reboots) of the VPNFilter malware?
- shamarin (Virtuoso)
No, all your settings will be saved. It's just an update.
- jg121234 (Tutor)
Hi!
Please also update firmware for R6700v2
Thanks!
- jg121234 (Tutor)
Looks like Netgear released a firmware fix for the R6700v1. Here is the link for anyone needing it.
https://kb.netgear.com/000059128/R6700-Firmware-Version-1-0-1-48
Please release one for the R6700v2 next...
Hi jg121234 -
Yes, thanks for the post. I believe I saw the update available for R6700 over the past weekend when I was checking for updates in the Setup | Advanced. Will be updating soon and will post how it works.
Thanks!
- jg121234 (Tutor)
It looks like R6700v3 firmware fixing this issue was released on 6/1/18.
- Added support for SHA256 certificates in lieu of MD5 for OpenVPN
https://kb.netgear.com/000058850/R6700v3-Firmware-Version-1-0-2-56
Hopefully Netgear can release R6700v2 now that they already released v1 and v3...
- 993TT (Aspirant)
So the R7000P had a hot fix beta firmware available 1.3.2.34, but it has been pulled when they updated the firmware to 1.3.1.44 and the 1.3.1.44 does not support SHA256, what up with that?
- schumaku (Guru - Experienced User)
993TT wrote:
> So the R7000P had a hot fix beta firmware available 1.3.2.34, but it has been pulled when they updated the firmware to 1.3.1.44 and the 1.3.1.44 does not support SHA256, what up with that?
JamesGL wrote:
> Resolution will be released prior to the deadline.
So dear JamesGL, what's the deal here? Deadline passed months ago.
- 993TT (Aspirant)
Hah! Turns out the new R7000P firmware does have the SHA256 support. The release notes just don't mention it.