Re: MD5-Signed Certificate Warning with OpenVPN on iOS

pyrmont · ‎2018-02-21

As of version 1.2.8 of the OpenVPN app on iOS, OpenVPN issues the following warning:

> WARN TLS: received certificate signed with MD5.
> Please inform your admin to upgrade to a
> stronger algorithm. Support for MD5 will be
> dropped at end of Apr 2018

The warning appears as a modal dialog that interrupts use of the device. If the device is unlocked after a short period of time with the VPN connected, there will typically be multiple modal dialogs. This is an extremely frustrating experience.

There appears to be no way to disable this warning and nothing router owners can do. A similar issue arose earlier for Android users (https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Netgear-R7000-and-OpenVPN-for-Android-App/m-...). It is still unresolved at the time of writing.

Netgear needs to issue a firmware update that changes the certificate used for OpenVPN.

Diggie3 · ‎2018-03-01

FYI, I documented the steps to required to replace the certificates here. Unfortunately it the steps are written for users of Windows, but it also uses mostly cross-platform OpenSource tools and explains what's going on so I think it should be pretty translatable if you don't have access to any Windows boxes.

Just posting this so you have at least one go-forward path.

View solution in original post

bteeuwen · ‎2018-02-22

+100

This is extremely annoying when using the netgear vpn service.

I read "As soon as we have it working before 31 april 2018, it is ok. So that OpenVPN is not broken" at https://community.netgear.com/t5/Nighthawk-WiFi-Routers/OpenVPN-update-breaks-R7000-and-probably-oth.... With the openvpn update I'd say from a user experience it is severly broken from 21st of february.

Please provide a solution as soon as possible.

pyrmont · ‎2018-02-25

OpenVPN 1.2.9 has changed the message to only appear once per session which makes this slightly less frustrating.

Nevertheless, it continues to defy explanation why Netgear is taking so long to fix this.

golf06222 · ‎2018-02-26

This update resolved my issues with mulitple prompts per session.

I'm not extremly savy on certificates so was hoping someone could help. Is there another option other than MD5 certificate that Netgear offers or are we all waiting for Netgear to come up with something before the end of April?

Thanks!

-Cameron

pyrmont · ‎2018-02-26

No, there's nothing users can do to change the system's certificate. You can install an alternative firmware but that comes with its own negatives.

This honestly doesn't seem like a particularly difficult change. Netgear needs to change the settings in the OpenVPN files they generate and seed a new certificate to devices.

They say to never attribute to malice what can be explained by incompetence but either way, it's an experience which has me questioning whether I'd buy a Netgear product again.

JamesGL · ‎2018-02-28

Hi pyrmont,

NETGEAR is aware of this certificate warning. We will provide update once new information will be available.

pyrmont · ‎2018-02-28

I'd hope Netgear is aware of this issue given it was initially reported on this forum back in June of last year. But more to the point, your users don't care whether you're 'aware' of it. What we care about is when you are going to 'fix' it.

Diggie3 · ‎2018-03-01

FYI, I documented the steps to required to replace the certificates here. Unfortunately it the steps are written for users of Windows, but it also uses mostly cross-platform OpenSource tools and explains what's going on so I think it should be pretty translatable if you don't have access to any Windows boxes.

Just posting this so you have at least one go-forward path.

pyrmont · ‎2018-03-02

Your guide worked! Thank you!

I did it on Linux and so had to do things a little differently but, as you suggested, the steps were generally the same. Thank you for taking the time to put that all together.

In case it helps others, I wrote up some instructions for Linux users on my blog.

Diggie3 · ‎2018-03-02

@pyrmont That's awesome. Thanks for putting in the time to share your own knowledge and help others also! Thanks for the mention and cross reference too 🙂

whataboutbob · ‎2018-03-06

Does anyone know if Netgear is issuing a fix for this before April 2018 EOL deadline or do I need to manually upgrade my certificate?

Diggie3 · ‎2018-03-06

They have claimed that they will elsewhere in the forums. Based on their ability to deliver fixes for other critical product issues, I would be skeptical.

whataboutbob · ‎2018-03-06

Fingers crossed but if they don't deliver close to the deadline, I'll install the certificate. Hopefully it doesn't get to that. Thanks for your writeup, I might have to go your route with some slight tweaks for Mac but it should be siimilar.

pyrmont · ‎2018-03-06

For macOS, (1) the installation of OpenVPN, Easy-RSA and telnet will be different and (2) the Easy-RSA template files will live somewhere else, but otherwise everything else should be the same.

axelsegers · ‎2018-03-19

I have the same isssue. MD5 warning when connecting to the VPN on an iOS device.

Netgear are you looking at this issue? It won't work anymore from 30th of april 2018.

schumaku · ‎2018-03-19

@axelsegerswrote:
I have the same isssue. MD5 warning when connecting to the VPN on an iOS device.

Current firmware version on your R8900 / Nighthawk X10?

@axelsegers wrote:
Netgear are you looking at this issue? It won't work anymore from 30th of april 2018.

A Netgear moderator has already answered a few replies before -> JamesGL in port #6.

martijn76 · ‎2018-03-20

Hasn't this been solved by the latest 1.0.2.46 firmware? Haven't installed it yet, but the changelog does say:

New Features and Enhancements:
Supports the VPN client feature.

And this would suggest a fix in the VPN department. Don't want to install unless this is the case though, all is running well at the moment (at least until end of April haha).

pyrmont · ‎2018-03-20

I'm not sure what this is referring to but as far as I can tell, it's only in the firmware for the R7800. The latest firmware for the R7000 at the time of writing is 1.0.9.26 and it doesn't contain this fix at all.

martijn76 · ‎2018-03-20

Ah well, I'll flash the dang thing tonight then, and see if it'll get rid of the MD5 warning issued by OpenVPN.

whataboutbob · ‎2018-03-20

I just installed V1.0.1.44_10.0.28 for my R6900, not sure if it fixes the VPN issue, release notes said it fixes security issues, whatever that means. I'll test it later.

https://kb.netgear.com/000055156/R6900-Firmware-Version-1-0-1-44

Tyree42 · ‎2018-03-26

@JamesGL -- any update from NetGear on this? I'm about to start extensive business travel and would like an official solution, please.

JamesGL · ‎2018-03-29

Hi All,

Resolution will be released prior to the deadline.

Repiuk · ‎2018-04-01

Any news on this update? It's April 1st and I need VPN up and running

schumaku · ‎2018-04-01

End of April 2018 is the do-not-exceed date.

axelsegers · ‎2018-04-01

End of april is the due date and still no solution from Netgear ;-(