ncazer
Tutor
Jan 19, 2018
Solved

R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

I am unable to connect to my Netgear R6700v2 VPN using my Android device because the certificate my router generates is still using MD5 when services started requiring SHA256. MD5 has been known to be weak since 2008 and it's taken a while, but now it's not allowing me to use my VPN.

I discovered this when attempting to set up my VPN on my Android device using the app "OpenVPN for Android." I don't know enough about VPNs to generate my own certificates and make my own config files; I rely on what Netgear pushes out through the router menu. Within the app, I tried adding a custom line to the config file: tls-cipher DEFAULT:@SECLELVEL=0 but then it wouldn't read the config file properly.

This would all be fixed if Netgear would update the router's firmware to issue new certificates that use SHA256, which it sounds like they should be doing anyways for security. This is essential to providing good VPN service, if they want to advertise this feature in their routers.

 

Any thoughts, suggestions, and help?!

16 Replies

  • Thanks for this information. Can you tell me the impact of this firmware on VPN and how I can check this on my FastestVPN?

  • I am interested in this too. Looks like many of the Broadcom-based routers have been updated already, but this one is MediaTek and it has not.

    This sucks. VPN is advertised but it does not work.

    I would have purchased a higher model if I had known.

    JamesGL
    NETGEAR Employee Retired

    Hi All,

     

    NETGEAR is already aware of MD5 certificate which will no longer work by April. NETGEAR will release a new certificate before the deadline.

      pthorvald
      Guide

       

      Hello JamesGL

      Back on February 5th you wrote:

          "NETGEAR is already aware of MD5 certificate which will no longer work by April. NETGEAR will release a new certificate before the deadline."

       

      The deadline is now 2 days away..... What should we expect? Is there going to be an update or not? If not, I am going to be very disappointed. I purchased this router explicitly for the VPN function.

       

      Hardware Version R7000
      Firmware Version V1.0.9.26_10.2.31

        ncazer
        Tutor

        So did I.


        pthorvald wrote:

         

        Hello JamesGL

        back on February 5th you wrote:

            "NETGEAR is already aware of MD5 certificate which will no longer work by April. NETGEAR will release a new certificate before the deadline."

         

        The deadline is now 2 days away..... What should we expect? Is there going to be an update or not? If not, I am going to be very disappointed. I purchased this router explicitly for the VPN function.

         

        Hardware Version R7000
        Firmware Version V1.0.9.26_10.2.31


         

      ncazer
      Tutor

      I upgraded the firmware but there still seems to be MD5 instead of the new standard... WHAT GIVES NETGEAR?

      schumaku
      Guru - Experienced User

      wrote:

       

      NETGEAR is already aware of MD5 certificate which will no longer work by April. NETGEAR will release a new certificate before the deadline.


      Does this include a per-router locally generated private key, and locally signed ca.crt and client.crt ... or does Netgear intend to continue operating millions of routers sharing the very same private key ... making the encryption, hmmmmmm .... useless?

  • Also have an R6700v2, gotten on the cheaps from Amazon. And it's pretty obvious why it's on the cheaps: It's a cost-reduced version of the R6700. Further, it appears that Netgear has been making it, well, difficult for the open-source community to come up with a DD-WRT or similar firmware load.

    So, I am using the VPN service, following the instructions in the router, for my smart phone. And, when going on travel, given the insecure environments found in airports and the like, VPN is where I want to be. Especially on my Android phone, not to mention my portable computer. In fact, cost-reduced or not, one of the major reasons I bought this router is that it came with a VPN server built-in.

    So, it's not a happy place that every time I fire up OpenVPN Connect (the suggested VPN client software for Android), I get a warning message:

    "TLS: received certificate signed with MD5. Please inform your admin to upgrade to a stronger algorithm. Support for MD5 will be dropped at the end of Apr 2018."

    It's now late January. I was hoping that the latest security release for the R6700v2 would fix this: No luck.

    At the rate things are going for the purposes of VPN this router officially becomes a brick on 30 APR 2018. I understand planned obsolescence, but this is ridiculous: I will have had the router for less than five months when it bricks for VPN purposes.

    Hey, Netgear! Update your VPN server firmware! It is not rocket science!

    KBeck