
MD5-Signed Certificate Warning with OpenVPN on iOS

Repiuk
Tutor

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

I need to have a solution up and running for the next month(s). My backup plan was the VPN service in Apple's Server.app. Apple killed VPN services last week in the update of server.app.

What are the options? OpenVPN as a server exists on MacOS? OpenVPN on a raspberry PI?

Or another router? Which routers run OpenVPN?

Message 26 of 109
Diggie3
Luminary

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

The accepted solution for this thread links a doc you can follow on Windows to put working certificates on your router. Pyromont also wrote up some steps for Linux systems. Otherwise, yes, you would need to run an OpenVPN service yourself and open its port up on your router.
Message 27 of 109
Repiuk
Tutor

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Aha, overlooked that PDF file. I'll power up my Windows notebook and give it a try.

Message 28 of 109
Diggie3
Luminary

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Fyi I'm updating the doc today because OpenVPN 2.4.5 has since been released. The short story is it should all be similar except you can skip the step to use stronger algorithms (SHA256) because in OpenVPN 2.4.5 that's the default now anyway.
Message 29 of 109
cryptokiddie
Aspirant

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

This is brutal that users have to telnet in to manually re-issue and configure it. It's such a simple dev feature --- and Netgear can't fix it? For a network connectivity provider you'd think they would take security more seriously and upgrade the crypto from an algorithm (MD5) that was severely compromised over half a decade ago.


What is taking so long?

Model: R8000|Nighthawk X6 AC3200 Smart WIFI Router
Message 30 of 109
pyrmont
Guide

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

I'll be the first to criticise Netgear for how slowly they're moving but I think the difficulty, explained by Diggie3, is that the router has a very weak CPU and calculating the new cryptographic keys is computationally very difficult.

The solution we've described does the computational work on your PC which is what makes it feasible. Netgear could just send you pre-calculated keys but that'd be less secure since they'd have a copy of them and they could be intercepted in transit.
Message 31 of 109
cryptokiddie
Aspirant

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Fair enough, appreciate the work put into the guide.

Message 32 of 109
schumaku
Guru

Re: MD5-Signed Certificate Warning with OpenVPN on iOS


@pyrmont wrote:
I'll be the first to criticise Netgear for how slowly they're moving but I think the difficulty, explained by Diggie3, is that the router has a very weak CPU and calculating the new cryptographic keys is computationally very difficult.

Considering Netgear does maintain Netgear Genie software for Windows and macOS, integrating this process there would be a possible option. In either case, Netgear would do well to migrate to EC (Elliptic Curve) for OpenVPN and https access: the CPU load would be lowered massively.


@pyrmont wrote:
The solution we've described does the computational work on your PC which is what makes it feasible. Netgear could just send you pre-calculated keys but that'd be less secure since they'd have a copy of them and they could be intercepted in transit.

I fear Netgear will "just" update some code and continue to integrate a certificate (with a shared private key - what a joke) signed by a trusted CA for the ubiquitous domains.

A feasible choice would be to migrate to support Let's Encrypt and its automated RA processes.


Let's see what they will implement; the next weeks will tell. None of my related emails sent to Netgear key people were answered (except by the R9000/R8900 project engineer).


Message 33 of 109
schumaku
Guru

Re: MD5-Signed Certificate Warning with OpenVPN on iOS


@martijn76 wrote:

Hasn't this been solved by the latest 1.0.2.46 firmware? Haven't installed it yet, but the changelog does say: 

New Features and Enhancements:
Supports the VPN client feature.

And this would suggest a fix in the VPN department. 


This "VPN Client" is a new feature for your router model: it allows initiating a VPN connection from the router, i.e. to your office or to a hide-my-a** VPN server.

Message 34 of 109
Diggie3
Luminary

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

It's probably best for end users if the generation is supported on the device directly, but could be accelerated by genie if it was available. It's the dh-param that is slow and in fact worst case they could keep the one the unit shipped with, even though it's too short IMO, and at least regenerate certificates that didn't have md5 digests. This would be a fairly fast operation.

However, if I was in the web interface and it said, "Are you sure you want to continue? Generating new certificates and parameters could take up to an hour and router performance may be slower during that time", I would be fine with it. Who wouldn't rather do that than pull out a laptop and do it all manually? Just run it before bed.
Message 35 of 109
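Whether a given router's OpenVPN certificates are actually affected can be checked locally before waiting on firmware. The following is an added example, not code from this thread, from Netgear or from OpenVPN: a standard-library Python script that reads the outer signatureAlgorithm OID of a DER or PEM X.509 certificate and flags md5WithRSAEncryption, the digest the iOS client warns about. The sample certificates it builds for demonstration are constructed stand-ins with a dummy tbsCertificate and a zero signature, not real router certificates; the `check_sig.py` file name in the usage line is hypothetical.

```python
"""Flag MD5-signed X.509 certificates by reading the outer signatureAlgorithm.

Added example (not Netgear's or OpenVPN's code). Standard library only; the
sample certificates produced by make_sample_cert() are constructed stand-ins.
"""
import base64
import sys

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
MD5_RSA_OID = "1.2.840.113549.1.1.4"


def load_pem(text: str) -> bytes:
    """Strip the BEGIN/END CERTIFICATE armour and base64-decode the body."""
    body = "".join(line for line in text.splitlines()
                   if line and not line.startswith("-----"))
    return base64.b64decode(body)


def to_pem(der: bytes) -> str:
    """Inverse of load_pem, used to build PEM test input."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _read_tlv(data: bytes, pos: int):
    """Parse one DER tag-length-value starting at pos -> (tag, value, end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents to dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der: bytes) -> str:
    """Return the OID of the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)   # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid)


def signature_name(cert_der: bytes) -> str:
    oid = signature_algorithm(cert_der)
    return SIGNATURE_OIDS.get(oid, oid)


def is_md5_signed(cert_der: bytes) -> bool:
    return signature_algorithm(cert_der) == MD5_RSA_OID


# --- constructed sample certificates: only the outer structure is real ---

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # remaining base-128 digits carry the high bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_cert(sig_oid: str) -> bytes:
    """Constructed stand-in: dummy tbsCertificate, real AlgorithmIdentifier, zero signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 129)         # BIT STRING: unused-bits byte + 128 zero bytes
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    # Usage: python check_sig.py ca.crt  (PEM certificate exported from the router's OpenVPN bundle)
    with open(sys.argv[1]) as fh:
        der = load_pem(fh.read())
    print(signature_name(der), "-> MD5-signed, regenerate" if is_md5_signed(der) else "-> OK")
```

Run it against the CA and server certificates in the router's exported OpenVPN configuration; anything reporting md5WithRSAEncryption (or sha1WithRSAEncryption, which is on the same path to deprecation) is what the regeneration guide linked earlier in the thread replaces. `openssl x509 -in ca.crt -noout -text` shows the same "Signature Algorithm" field if OpenSSL is at hand.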
spopiela
Guide

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

I'm not a VPN expert. I've always updated software to make sure that I get the latest features and security protection in my software apps. OpenVPN software has been updated for both servers and clients since I installed it on the iOS and Windows clients. I'm currently using at least a year old version of OpenVPN client software on my iOS and Windows 10 devices through the R7000 OpenVPN tunnel. I am also getting the MD5 certificate warning on my iOS devices. It would appear to me that an upgrade is needed to the VPN server software hosted by the R7000 and also updates to the apps running on the iOS devices. Am I correct?

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 36 of 109
schumaku
Guru

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

The critical part is the MD5-signed certificate most Nighthawk routers still have in place.
Message 37 of 109
spopiela
Guide

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

So there are no version compatibility issues between server and client OpenVPN software except for the unique issue that we have now? The iOS message also mentions "use of a stronger algorithm"?
Message 38 of 109
Diggie3
Luminary

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

The server is fine, it just needs new certificates.
Message 39 of 109
schumaku
Guru

Re: MD5-Signed Certificate Warning with OpenVPN on iOS


@Diggie3 wrote:
The server is fine it just needs new certificates.

...when leaving aside the outdated OpenSSL used and the also outdated OpenVPN server, probably yes. And this might require changing some OpenVPN config controls, too.

Message 40 of 109
Diggie3
Luminary

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Well, I can say I know of some very not good things in there, but to fix the connection issue, yes, just new certs.
Message 41 of 109
spopiela
Guide

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Yes. I just read about this issue (MD5 signature algorithm support) in the help section of my iOS app. Anyone that hasn't read that should do so because it describes the issue at length and very well. Thanks
Message 42 of 109
Repiuk
Tutor

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Received an email from Netgear security: We've improved your security. Download the latest firmware to stay up-to-date. Use the Nighthawk App (formerly NETGEAR Up) to update your firmware.


No new firmware for the R7000. Fingers crossed.


To prepare for a VPN meltdown on May 1st, I installed PiVPN on an old Pi 3. Piece of cake.

Message 43 of 109
whataboutbob
Aspirant

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

This was a joke right? Netgear sent me an email to say there is a new firmware when all it was is just to get me to install their stupid iOS Nighthawk app. There is no new firmware yet for R6900. 

Model: R6900|Nighthawk AC1900 Smart WiFi Router
Message 44 of 109
whataboutbob
Aspirant

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

This is a joke right? Netgear sent me an email to say there is a new firmware when all it was is just to get me to install their stupid iOS Nighthawk app. There is no new firmware yet for R6900. 

Model: R6900v2|Nighthawk AC1900 Smart WiFi Router
Message 45 of 109

Re: MD5-Signed Certificate Warning with OpenVPN on iOS


@Repiuk wrote:

I need to have a solution up and running for the next month(s). My backup plan was the VPN service in Apple's Server.app. Apple killed VPN services last week in the update of server.app.

What are the options? OpenVPN as a server exists on MacOS? OpenVPN on a raspberry PI?

Or another router? Which routers run OpenVPN?


Where did you see that Apple removed VPN services from the server app? I installed that update and definitely still have VPN services enabled and working. However, I did notice that a lot of the services are now hidden in the main app, but you can still access them by clicking on the "View" option in the menu bar.

Message 46 of 109
schumaku
Guru

Re: MD5-Signed Certificate Warning with OpenVPN on iOS


@Repiuk wrote:

I need to have a solution up and running for the next month(s). My backup plan was the VPN service in Apple's Server.app. Apple killed VPN services last week in the update of server.app.


Living in a totalitarian regime which forced Apple to remove it from the regional store? AFAIK this happened in China last summer already.


Netgear promised (at least) some signs of a coming-up solution, with the ability to get early access -> https://community.netgear.com/t5/Nighthawk-WiFi-Routers/R8000-VPN-and-dropping-of-MD5-signed-certifi...

Message 47 of 109
Repiuk
Tutor

Re: MD5-Signed Certificate Warning with OpenVPN on iOS



Where did you see that Apple removed VPN services from the server app? I installed that update and definitely still have VPN services enabled and working. However, I did notice that a lot of the services are now hidden in the main app, but you can still access them by clicking on the "View" option in the menu bar.


Or another router? Which routers run OpenVPN?

I had VPN switched Off during the update and now it's hidden, I didn't check the View menu. I found it!

Message 48 of 109
relshout
Initiate

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Netgear, please hurry!

Don't push your users to modify their devices on the last day of the presence of MD5 support. You have known for a long time that a solution must be given to your users! Why is it taking so long?

Most people who are abroad can't reach their router without a VPN.

Message 49 of 109
axelsegers
Tutor

Re: MD5-Signed Certificate Warning with OpenVPN on iOS

Unacceptable!

Message 50 of 109