MD5-Signed Certificate Warning with OpenVPN on iOS

pyrmont
Guide

As of version 1.2.8 of the OpenVPN app on iOS, OpenVPN issues the following warning:

> WARN TLS: received certificate signed with MD5.
> Please inform your admin to upgrade to a
> stronger algorithm. Support for MD5 will be
> dropped at end of Apr 2018

The warning appears as a modal dialog that interrupts use of the device. If the device is unlocked after a short period of time with the VPN connected, there will typically be multiple modal dialogs. This is an extremely frustrating experience.

There appears to be no way to disable this warning and nothing router owners can do. A similar issue arose earlier for Android users (https://community.netgear.com/t5/Nighthawk-WiFi-Routers/Netgear-R7000-and-OpenVPN-for-Android-App/m-...). It is still unresolved at the time of writing.

Netgear needs to issue a firmware update that changes the certificate used for OpenVPN.
Model: R7000|AC1900 Smart WIFI Router
Message 1 of 109
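
Added example (not part of the original post, and not Netgear or OpenVPN code): a standard-library Python check for the condition the warning reports, reading the signature algorithm out of a PEM or DER certificate. The sample input is a constructed certificate-shaped structure with placeholder fields, and every function name is this example's own.

```python
import base64
import re

# PKCS #1 signature-algorithm OIDs; the first is the one the warning is about.
NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OID content bytes -> dotted string
    root = min(body[0] // 40, 2)
    arcs, val = [root, body[0] - 40 * root], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Algorithm the issuer used to sign cert (PEM or DER bytes)."""
    m = PEM.search(cert)
    der = base64.b64decode(m.group(1)) if m else cert
    tag, body, _ = read_tlv(der)       # Certificate ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body)         #   tbsCertificate (skipped)
    _, alg, _ = read_tlv(body, pos)    #   signatureAlgorithm { OID, params }
    tag, oid, _ = read_tlv(alg)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    dotted = decode_oid(oid)
    return NAMES.get(dotted, dotted)   # unknown algorithms come back as the OID

def constructed_sample(last_arc):
    """Constructed certificate-shaped PEM (placeholder fields, not a real cert)."""
    alg = bytes.fromhex("300d06092a864886f70d0101") + bytes([last_arc, 5, 0])
    body = bytes.fromhex("3003020101") + alg + b"\x03\x81\x81" + bytes(129)
    der = b"\x30\x81" + bytes([len(body)]) + body
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Passing the bytes of each certificate file from the router's OpenVPN configuration to `signature_algorithm` shows which one carries the MD5 signature; a result of `md5WithRSAEncryption` is what triggers the warning quoted above.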

All Replies
bteeuwen
Initiate

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

+100

This is extremely annoying when using the Netgear VPN service.

I read "As soon as we have it working before 31 april 2018, it is ok. So that OpenVPN is not broken" at https://community.netgear.com/t5/Nighthawk-WiFi-Routers/OpenVPN-update-breaks-R7000-and-probably-oth.... With the OpenVPN update I'd say from a user experience it is severely broken from 21st of February.

Please provide a solution as soon as possible.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 2 of 109
pyrmont
Guide

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

OpenVPN 1.2.9 has changed the message to only appear once per session which makes this slightly less frustrating.

Nevertheless, it continues to defy explanation why Netgear is taking so long to fix this.
Message 3 of 109
golf06222
Aspirant

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

This update resolved my issues with multiple prompts per session.

I'm not extremely savvy on certificates so was hoping someone could help. Is there another option other than MD5 certificate that Netgear offers or are we all waiting for Netgear to come up with something before the end of April?

Thanks!

-Cameron

Message 4 of 109
pyrmont
Guide

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

No, there's nothing users can do to change the system's certificate. You can install an alternative firmware but that comes with its own negatives.

This honestly doesn't seem like a particularly difficult change. Netgear needs to change the settings in the OpenVPN files they generate and seed a new certificate to devices.

They say to never attribute to malice what can be explained by incompetence but either way, it's an experience which has me questioning whether I'd buy a Netgear product again.
Message 5 of 109
JamesGL
Master

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Hi pyrmont,

NETGEAR is aware of this certificate warning. We will provide an update once new information is available.

Message 6 of 109
pyrmont
Guide

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

I'd hope Netgear is aware of this issue given it was initially reported on this forum back in June of last year. But more to the point, your users don't care whether you're 'aware' of it. What we care about is when you are going to 'fix' it.

Message 7 of 109
Diggie3
Luminary

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

FYI, I documented the steps required to replace the certificates here. Unfortunately the steps are written for users of Windows, but it also uses mostly cross-platform open-source tools and explains what's going on, so I think it should be pretty translatable if you don't have access to any Windows boxes.

Just posting this so you have at least one go-forward path.

Message 8 of 109
pyrmont
Guide

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Your guide worked! Thank you!

I did it on Linux and so had to do things a little differently but, as you suggested, the steps were generally the same. Thank you for taking the time to put that all together.

In case it helps others, I wrote up some instructions for Linux users on my blog.

Message 9 of 109
Diggie3
Luminary

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

@pyrmont That's awesome. Thanks for putting in the time to share your own knowledge and help others also! Thanks for the mention and cross reference too 🙂
Message 10 of 109
whataboutbob
Aspirant

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Does anyone know if Netgear is issuing a fix for this before the April 2018 EOL deadline or do I need to manually upgrade my certificate?

Model: R6900|Nighthawk AC1900 Smart WiFi Router
Message 11 of 109
Diggie3
Luminary

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

They have claimed that they will elsewhere in the forums. Based on their ability to deliver fixes for other critical product issues, I would be skeptical.
Message 12 of 109
whataboutbob
Aspirant

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Fingers crossed but if they don't deliver close to the deadline, I'll install the certificate. Hopefully it doesn't get to that. Thanks for your writeup, I might have to go your route with some slight tweaks for Mac but it should be similar.

Message 13 of 109
pyrmont
Guide

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

For macOS, (1) the installation of OpenVPN, Easy-RSA and telnet will be different and (2) the Easy-RSA template files will live somewhere else, but otherwise everything else should be the same.
Message 14 of 109
axelsegers
Tutor

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

I have the same issue. MD5 warning when connecting to the VPN on an iOS device.

Netgear are you looking at this issue? It won't work anymore from 30th of April 2018.

Model: R8900|Nighthawk X10—AD7000 Smart WiFi Router
Message 15 of 109
schumaku
Guru

Re: MD5-Signed Certificate Warning with OpenVPN on iOS


@axelsegers wrote:

> I have the same issue. MD5 warning when connecting to the VPN on an iOS device.

Current firmware version on your R8900 / Nighthawk X10?

@axelsegers wrote:

> Netgear are you looking at this issue? It won't work anymore from 30th of April 2018.

A Netgear moderator has already answered a few replies before -> JamesGL in post #6.

Message 16 of 109
martijn76
Aspirant

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Hasn't this been solved by the latest 1.0.2.46 firmware? Haven't installed it yet, but the changelog does say:

> New Features and Enhancements:
> Supports the VPN client feature.

And this would suggest a fix in the VPN department. Don't want to install unless this is the case though, all is running well at the moment (at least until end of April haha).

Model: R7800|Nighthawk X4S AC2600 WiFi Router
Message 17 of 109
pyrmont
Guide

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

I'm not sure what this is referring to but as far as I can tell, it's only in the firmware for the R7800. The latest firmware for the R7000 at the time of writing is 1.0.9.26 and it doesn't contain this fix at all.
Message 18 of 109
martijn76
Aspirant

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Ah well, I'll flash the dang thing tonight then, and see if it'll get rid of the MD5 warning issued by OpenVPN.

Model: R7800|Nighthawk X4S AC2600 WiFi Router
Message 19 of 109
whataboutbob
Aspirant

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

I just installed V1.0.1.44_10.0.28 for my R6900, not sure if it fixes the VPN issue, release notes said it fixes security issues, whatever that means. I'll test it later. 

https://kb.netgear.com/000055156/R6900-Firmware-Version-1-0-1-44

Model: R6900v2|Nighthawk AC1900 Smart WiFi Router
Message 20 of 109
Tyree42
Initiate

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

@JamesGL -- any update from NetGear on this? I'm about to start extensive business travel and would like an official solution, please.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 21 of 109
JamesGL
Master

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Hi All,

Resolution will be released prior to the deadline.

Message 22 of 109
Repiuk
Tutor

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Any news on this update? It's April 1st and I need VPN up and running

Message 23 of 109
schumaku
Guru

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

End of April 2018 is the do-not-exceed date.
Message 24 of 109
axelsegers
Tutor

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

End of April is the due date and still no solution from Netgear ;-(

Message 25 of 109