pyrmont (Guide)
Feb 22, 2018
MD5-Signed Certificate Warning with OpenVPN on iOS
As of version 1.2.8 of the OpenVPN app on iOS, OpenVPN issues the following warning:
> WARN TLS: received certificate signed with MD5.
> Please inform your admin to upgrade to a
> stronger algorithm. Support for MD5 will be
> dropped at end of Apr 2018
The warning appears as a modal dialog that interrupts use of the device. If the device is unlocked after a short period of time with the VPN connected, there will typically be multiple modal dialogs. This is an extremely frustrating experience.
There appears to be no way to disable this warning and nothing router owners can do. A similar issue arose earlier for Android users (https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Netgear-R7000-and-OpenVPN-for-Android-App/m-p/1310857). It is still unresolved at the time of writing.
Netgear needs to issue a firmware update that changes the certificate used for OpenVPN.
FYI, I documented the steps required to replace the certificates here. Unfortunately the steps are written for users of Windows, but it also uses mostly cross-platform open-source tools and explains what's going on, so I think it should be pretty translatable if you don't have access to any Windows boxes.
Just posting this so you have at least one go-forward path.
108 Replies
- 993TT (Aspirant)
So the R7000P had a hot fix beta firmware available 1.3.2.34, but it has been pulled when they updated the firmware to 1.3.1.44 and the 1.3.1.44 does not support SHA256, what up with that?
- schumaku (Guru - Experienced User)
993TT wrote:
> So the R7000P had a hot fix beta firmware available 1.3.2.34, but it has been pulled when they updated the firmware to 1.3.1.44 and the 1.3.1.44 does not support SHA256, what up with that?
JamesGL wrote:
> Resolution will be released prior to the deadline.
So dear JamesGL, what's the deal here? Deadline passed months ago.
- 993TT (Aspirant)
Hah! Turns out the new R7000P firmware does have the SHA256 support. The release notes just don't mention it.
- jg121234 (Tutor)
Looks like Netgear released a firmware fix for the R6700v1. Here is the link for anyone needing it.
https://kb.netgear.com/000059128/R6700-Firmware-Version-1-0-1-48
Please release one for the R6700v2 next...
Hi jg121234 -
Yes, thanks for the post. I believe I saw the update available for R6700 over the past weekend when I was checking for updates in the Setup | Advanced. Will be updating soon and will post how it works.
Thanks!
Hi!
I installed the latest firmware for R6700 v1, downloaded and installed the scripts and files for Windows PC. Took a while to search and understand an error: "TAP-Windows adapter 'NETGEAR-VPN' not found". The solution is to be sure to rename the Windows TAP adapter to "NETGEAR-VPN" inside Control Panel, otherwise the login will fail because OpenVPN cannot find the TAP adapter. Works great so far, glad to have the added measure of security. Will try to install the files for iOS next for iPhone X.
- jg121234 (Tutor)
Hi!
Please also update firmware for R6700v2
Thanks!
- zhazell (Initiate)
How about the R7500v2? It's a nighthawk but no one seems to have mentioned it. It also supports OpenVPN server and is lacking the new certificate.
- KHDHD (Aspirant)
If I install the new firmware to address the MD5 issue, will I lose all of the saved DHCP reservations on my network and have to re-do all of those, or do they survive the upgrade process? How about the MAC address level content filtering settings?
Also, does the new firmware install erase and (avoid re-infection) of the stage 1 (the part that survives reboots) of the VPNFilter malware?
- shamarin (Virtuoso)
No, all your settings will be saved. It's just an update.
- JZDallas (Aspirant)
Wow, some people here are just whining too much. Netgear support said that they are working on a fix. It is in Beta testing right now. I assume you would want a fix that is working and does not have bugs in it. Also, it was stated earlier that the date OpenVPN was saying is not a hard date. It was a soft date. You can still use the app and connect to your home router. As for the person that said he would be taking his back to Costco, and buying a Cisco one. I did a Cisco router, and the first chance it was hit with a surge, the router died. It was connected to a surge protector, and when I bought the Netgear and still was hit, the Netgear router still turned back on and is still kicking.
So I would say, that I have Netgear's back. If you don't like the product, just take it back and get your money or go somewhere else. Also, the person that said that only one router is updated with the fix and what about the little people with other routers, I have a Nighthawk R8500 and I don't have the fix yet. But I am not complaining......
- jcw265 (Tutor)
News flash: never post just to see your post on a forum. Your lack of information may confuse users that have true product issues. Here are some facts you may want to verify on your own since you are surely highly educated (not)
1) The VPN issue was announced months in advance from OpenVPN. Most if not all Netgear routers using that solution are no longer providing VPN. This was a hard date and Netgear knew about it.
2) People are not whining on this forum, they are expressing a total lack of customer service to the end user from Netgear that states VPN services exist through OpenVPN
3) There are businesses that no longer have the encryption layer they need for security promised from Netgear
4) Routers are used for more than gaming in your mom's basement
5) Before you attack a group of users get your facts straight.
Sounds like you just don't take security as seriously as others, which is fine. Some folks really won't lose anything in the event of a data breach, or don't really care. Sounds like that may be you.
But when you buy a device for its security features, and the vendor refuses to implement a fix on time in responding to things such as expiring security certificates, it's a serious problem.
- Tyree42 (Initiate)
I don't have time or capacity to beta test properly (router is in US, I'm in Taiwan currently). But for those wanting the solution, it's listed in the downloads under hotfix (beta):
https://kb.netgear.com/000057097/R7000-Firmware-Version-1-0-9-30-Hot-Fix
Anyone know if this hotfix works with the entire R7XXX series, or is this for a specific R7000 model router?
Thanks
- golf06222 (Aspirant)
I will never again purchase a Netgear product... No word from Netgear for weeks leading up to today.
I called their support line and this is the "first time of being made aware of the issue". She made it sound like the router is functioning as designed and it's an issue with my iPhone. The only thing they will do is replace the router (you pay shipping) which we all know is not the issue.
I'm extremely disappointed and I'm now in possession of a very expensive router that doesn't do what I purchased it to do.
- shamarin (Virtuoso)
For R7000 beta firmware is available to public with RSA OpenVPN support. I've checked it, OpenVPN is working now.
- brian163 (Tutor)
I successfully upgraded from 1.0.6.40_1.1.90 to hotfix 1.0.9.30_10.2.33.
Upon reboot you will see the following message and it will then obtain an updated certificate:
After this is completed you have to go to the VPN tab to download an updated configuration for your devices and install them.
- abline (Initiate)
As a followup to my earlier post, interestingly the manual I originally saw when making my decision to buy had sections:
⦁ Specify VPN Service in the Modem Router
⦁ Install OpenVPN Software on a Windows Computer
⦁ Install OpenVPN Software on a Mac Computer
⦁ Install OpenVPN Software on an iOS Device
⦁ Install OpenVPN Software on an Android Device
Now I see online it only has the following sections:
⦁ Specify VPN Service in the Modem Router
⦁ Install OpenVPN Software on a Windows Computer
⦁ Install OpenVPN Software on a Mac Computer
....with a box out in the "Set Up a VPN Service" section saying:
"Note The modem router does not support iOS or Android VPN client software."
Doesn't look like they intend to do anything about it. Even though the latest Firmware V1.0.1.34 Netgear Genie web setup page still has OpenVPN Client Setup instructions for Windows, MacOSX, iPhone/iPad and Android, along with an OpenVPN configuration package download button "For Smart Phone". Who are they trying to kid?
I'm returning mine to Amazon UK after only 3 days. What a waste of time! I'll buy from a manufacturer that actually cares about its customer base next time.
Even the Netgear Moderators can't be bothered to respond. I can't be bothered with Netgear anymore!
- schumaku (Guru - Experienced User)
abline wrote:
> As a followup to my earlier post, interestingly the manual I originally saw when making my decision to buy had sections:
> ⦁ Specify VPN Service in the Modem Router
> ⦁ Install OpenVPN Software on a Windows Computer
> ⦁ Install OpenVPN Software on a Mac Computer
> ⦁ Install OpenVPN Software on an iOS Device
> ⦁ Install OpenVPN Software on an Android Device
> Now I see online it only has the following sections:
> ⦁ Specify VPN Service in the Modem Router
> ⦁ Install OpenVPN Software on a Windows Computer
> ⦁ Install OpenVPN Software on a Mac Computer
> ....with a box out in the "Set Up a VPN Service" section saying:
> "Note The modem router does not support iOS or Android VPN client software."
> Doesn't look like they intend to do anything about it. Even though the latest Firmware V1.0.1.34 Netgear Genie web setup page still has OpenVPN Client Setup instructions for Windows, MacOSX, iPhone/iPad and Android, along with an OpenVPN configuration package download button "For Smart Phone". Who are they trying to kid?
Checking the Netgear Support / D7800 Docs as well as the Web Archive does show the very same D7800_UM_15Sep2015 as retrieved in November 2015 and July 2017:
https://web.archive.org/web/20151106151755/http://www.downloads.netgear.com/files/GDC/D7800/D7800_UM_15Sep2015.pdf
https://web.archive.org/web/20170709015341/http://www.downloads.netgear.com:80/files/GDC/D7800/D7800_UM_15Sep2015.pdf
All versions have the same - what was at the time of this documentation creation (15 Sep 2015) correct. You must have seen i.e. the R7800 User Manual. The Note is still correct, kind of: The iOS and Android VPN clients are supporting IPsec, L2TP, and PPTP only.
Still, this is not intended to be an excuse for Netgear's silence on this subject.
- AJ123 (Aspirant)
For people reading this thread and infuriated that there is no response from Netgear, please file a complaint with BBB (I just did) and highlight the fact that Netgear is involved in deceptive advertising because their product webpages still claim OpenVPN support even though that is ending on Apr-30-2018.
cheers,
AJ.
- abline (Initiate)
I just purchased my D7800 from Amazon Prime UK yesterday and received it today (26th April). Having purchased it for, amongst other things, its VPN Server capabilities, I was astounded to see the MD5 Support warning for OpenVPN when I set it up this evening (using OpenVPN Connect for my iPhone). What are Netgear playing at? They are completely hopeless and I see JamesGL the NETGEAR Moderator has gone very quiet this month - very ominous!
Well, for me at least I can return it straight back to Amazon if the firmware to correct this is not delivered by the end of next Monday (30th April). I'll then have to look for alternative modem/routers from another brand. Shame, but it seems the Netgear software guys are hopeless at their job.
If they don't fix it in the next 4 days across all their applicable routers and modem/routers I guess they will have to provide many "not fit for purpose" return refunds in the coming weeks, and also change all their online web advertising/marketing claims and packaging/boxing to remove their claim of OpenVPN Server capability. I’m sure they would not want to be accused of false advertising!
- spopiela (Guide)
What is going on? Please let me know if anything is going to get updated in the R7000 to resolve this issue. Time is running out!!!
If Netgear can't comply, with some or all the routers, just say so. I need to move on!!!