
Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

ncazer
Tutor

R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

I am unable to connect to my Netgear R6700v2 VPN using my Android device because the certificate my router generates is still using MD5 when services started requiring SHA256. MD5 has been known to be weak since 2008 and it's taken a while, but now it's not allowing me to use my VPN.

 

I discovered this when attempting to set up my VPN on my Android device using the app "OpenVPN for Android." I don't know enough about VPNs to generate my own certificates and make my own config files; I rely on what Netgear pushes out through the router menu. Within the app, I tried adding a custom line to the config file: tls-cipher DEFAULT:@SECLEVEL=0 but then it wouldn't read the config file properly.

 

This would all be fixed if Netgear would update the router's firmware to issue new certificates that use SHA256, which it sounds like they should be doing anyway for security. This is essential to providing good VPN service, if they want to advertise this feature in their routers.

 

Any thoughts, suggestions, and help?!

Model: R6700|Nighthawk AC1750 Smart WiFi Router
Message 1 of 17


All Replies
KBeck123
Tutor

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

Also have an R6700v2, gotten on the cheaps from Amazon. And it's pretty obvious why it's on the cheaps: It's a cost-reduced version of the R6700. Further, it appears that Netgear has been making it, well, difficult for the open-source community to come up with a DD-WRT or similar firmware load.

So, I am using the VPN service, following the instructions in the router, for my smart phone. And, when going on travel, given the insecure environments found in airports and the like, VPN is where I want to be. Especially on my Android phone, not to mention my portable computer. In fact, cost-reduced or not, one of the major reasons I bought this router is that it came with a VPN server built-in.

So, it's not a happy place that every time I fire up OpenVPN Connect (the suggested VPN client software for Android), I get a warning message:

"TLS: received certificate signed with MD5. Please inform your admin to upgrade to a stronger algorithm. Support for MD5 will be dropped at the end of Apr 2018."

It's now late January. I was hoping that the latest security release for the R6700v2 would fix this: No luck.

At the rate things are going, for the purposes of VPN this router officially becomes a brick on 30 APR 2018. I understand planned obsolescence, but this is ridiculous: I will have had the router for less than five months when it bricks for VPN purposes.

Hey, Netgear! Update your VPN server firmware! It is not rocket science!

KBeck

Message 2 of 17
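The warning quoted above is about the hash in the certificate's signatureAlgorithm field, which is visible in the .ovpn profile the router exports. The following is an added check, not code from this thread or from Netgear: it parses each inline <ca>, <cert> or <extra-certs> block of a profile with a small DER walker (standard library only), names the signature hash, flags MD5/SHA1, and prints a SHA-256 fingerprint of each certificate, which two owners can compare to see whether their routers ship the same certificate and hence the same key. The sample profile, its host name, port and certificate bodies are constructed placeholders, not a real Netgear export.

```python
"""Added example: report the signature hash of each certificate embedded in an
OpenVPN profile, using a minimal DER walker from the Python standard library."""
import base64
import hashlib
import re

# Signature-algorithm OIDs commonly seen in X.509 -> (name, hash used).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA1"),
    "1.2.840.113549.1.1.10": ("rsassaPss", "see-parameters"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA512"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA384"),
    "1.3.101.112": ("Ed25519", "SHA512"),
}
WEAK_HASHES = {"MD5", "SHA1"}  # current OpenVPN clients reject MD5 and warn on SHA1
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
INLINE_RE = re.compile(r"<(ca|cert|extra-certs)>(.*?)</\1>", re.S)

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    subids, cur = [], 0
    for b in value:  # base-128 sub-identifiers, high bit marks continuation
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

def signature_algorithm(der_bytes):
    """Return (oid, name, hash) from Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }."""
    tag, cert, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tag, _tbs, pos = read_tlv(cert, 0)  # tbsCertificate is skipped
    tag, alg, _ = read_tlv(cert, pos)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not begin with an OID")
    oid = decode_oid(oid_bytes)
    name, digest = SIG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest

def fingerprint(der_bytes):
    """SHA-256 of the DER; equal values on two routers mean the same certificate/key."""
    return hashlib.sha256(der_bytes).hexdigest()

def scan_ovpn(text):
    """Return [(block, name, hash, is_weak)] for each certificate inline in an .ovpn."""
    rows = []
    for block in INLINE_RE.finditer(text):
        for pem in PEM_RE.finditer(block.group(2)):
            der_bytes = base64.b64decode("".join(pem.group(1).split()))
            _oid, name, digest = signature_algorithm(der_bytes)
            rows.append((block.group(1), name, digest, digest in WEAK_HASHES))
    return rows

def der(tag, content):
    """Encode one DER TLV, short or long length form (used to build the sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert_pem(sig_oid_hex):
    """CONSTRUCTED stand-in, not a real certificate: Certificate layout with dummy
    tbsCertificate and signatureValue, enough to exercise the parser above."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + der(0x05, b""))  # OID + NULL
    sig = der(0x03, b"\x00" + bytes(128))  # BIT STRING long enough to force long-form length
    pem = base64.encodebytes(der(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"

# Constructed profile: an MD5-signed CA (this thread's situation) and a SHA256-signed client cert.
SAMPLE_OVPN = (
    "client\nremote router.example.invalid 1194\n"
    "<ca>\n" + fake_cert_pem("2a864886f70d010104") + "</ca>\n"
    "<cert>\n" + fake_cert_pem("2a864886f70d01010b") + "</cert>\n"
)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVPN
    for block, name, digest, weak in scan_ovpn(text):
        print(f"<{block}> {name} ({digest}) {'WEAK' if weak else 'ok'}")
```

Run it as `python3 check_ovpn.py client.ovpn` against the profile downloaded from the router's VPN page; with no argument it scans the constructed sample. Only the outer signatureAlgorithm is read, so an RSASSA-PSS certificate reports "see-parameters" and would need the hash taken from the algorithm parameters.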
JamesGL
Master

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

Hi All,

 

NETGEAR is already aware of MD5 certificate which will no longer work by April. NETGEAR will release a new certificate before the deadline.

Message 3 of 17
schumaku
Guru

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

@JamesGL wrote:

NETGEAR is already aware of MD5 certificate which will no longer work by April. NETGEAR will release a new certificate before the deadline.

Does this include a per-router locally generated private key, and locally signed ca.crt and client.crt ... or does Netgear intend to continue operating millions of routers sharing the very same private key ... making the encryption, hmmmmmm .... useless?

Message 4 of 17
ncazer
Tutor

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

I upgraded the firmware but there still seems to be MD5 instead of the new standard... WHAT GIVES NETGEAR?

Model: R6700v2|Nighthawk AC1750 Smart WiFi Router
Message 5 of 17
pthorvald
Guide

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

 

Hello JamesGL

Back on February 5th you wrote:

    "NETGEAR is already aware of MD5 certificate which will no longer work by April. NETGEAR will release a new certificate before the deadline."

 

The deadline is now 2 days away..... What should we expect? Is there going to be an update or not? If not, I am going to be very disappointed. I purchased this router explicitly for the VPN function.

 

Hardware Version R7000
Firmware Version V1.0.9.26_10.2.31

Model: R6700|Nighthawk AC1750 Smart WiFi Router
Message 6 of 17
KBeck123
Tutor

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

Ahem. Yeah, I'm sitting here, too, watching the clock tick away. A few things:

1. The software I'm using on Android to connect with the R6700v2 is, from the suggestions in the Netgear help files, OpenVPN Connect. I should note that for all the "Open" words in there this is a commercial company that is attempting to monetize what appears to be an open source package.

2. It was this package that initially was complaining that Netgear's use of MD5 was a Bad Idea and that in a short time the OpenVPN Connect software would cease to support Netgear's use of that function. I should note that before using OpenVPN Connect I tried a couple of other OpenVPN clones.. to no avail. Maybe I'm just stupid, or there's something in particular about OpenVPN Connect and Netgear's implementation that made the two connect. As in, they have a contract. That's a suspicion, not straight knowledge.

3. About a month after this thread was created there was an update to OpenVPN Connect. Besides a switched-around UI, the main "feature" is that the updated OpenVPN Connect no longer complains about the use of MD5 on every start. However, the help link puts one on an OpenVPN site that still says that MD5 will be deprecated as of May 2018, giving "older equipment" a chance to get changed over to something more secure. However, I have to wonder: Was the suppression of the MD5 warning message due to somebody at Netgear giving OpenVPN a call?

4. I joke about it, but I definitely wear a tin-foil hat. Because sometimes the bad people really are out to get you. In particular, both the FBI and NSA have stated multiple times that they fear the world "going dark"; that is, more difficult for them to capture data. In particular, the NSA has been capturing all the data, all the time, on all the trunks going through AT&T and other major long-haul providers, and, in particular, capturing encrypted data. The claim is that this pretty-much-illegal act is OK so long as they only "select" data upon which they search, and those selectors are under the aegis of FISA court warrants. You know, the ones that come with gag orders, the court and its ruling being about 99 44/100ths pure secret.

It's no surprise that these people hate VPNs with a raw passion because, just like bad guys use telephone networks (which the three-letter agencies monitor and capture), they use encryption and VPNs, too. So, this slow move from Netgear.. Is this because some gag-ordered warrant demands that they backdoor consumer VPNs with obsolete, easily breakable VPN software? With the same key used across multiple routers?

If so, that's not good. And it's worse, really: Crooks like money. They like lots of money even more than that. And they have a slightly modified desire than the three-letter agencies: They don't want to capture it all; they want to capture the financial details so they can rob people, preferably en masse. And if VPNs with Netgear are easily broken by the NSA, they can certainly be broken by crackers with $$$ in their eyes. All you need is somebody who happens to use the same password, in the clear, for their bank accounts somewhere, too. And if you don't think crackers have access to major network routers and pass points, then you haven't been paying attention.

5. Of course, all this aluminum foil hat stuff may be complete BS. It may be very much simpler: Netgear is playing IoT (Internet of Things) follies. This argument goes along the line of Netgear making its money by selling hardware; the software is there to make sure the hardware is sold. Once the hardware is out the door, any desire for updated software is muted by the desire to Not Spend Money Doing That. Unless one is still selling that hardware, in which case a competitive disadvantage may occur, thus causing a little more development bucks being spent.

This is the reason that things like commercial grade routers with no effective software support are lumped with IoS (Internet of S**t) objects, like refrigerators and the like. The lack of an update may simply be that Netgear has unofficially abandoned the v2 version of the R6700, with the famous "Screw You!" that businesses like to do. They got your money, what are you going to do?

With many commercial routers that use Open Source software, like the R6700v2, a user community effort helps with that: DD-WRT, Tomato, and others are out there, get regular updates, and support VPNs. But from what I hear no effective support has appeared for the R6700v2, which makes Netgear's apparent approach much, much worse for all the punters left holding the bag with their IoS hardware.

 

Netgear: Please respond and give some indication that you're working to fix this router's VPN server software. Really, the UI and all that is superior, and it works. If no indication is coming.. You may find yourself on the pages of Ars Technica sooner than later.

KBeck

Model: R6700v2|Nighthawk AC1750 Smart WiFi Router
Message 7 of 17
pthorvald
Guide

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

NG folks have been on these threads, it is clear someone in NG knows about the problem. However, for whatever reason they have not been able to put enough resources on the problem to get a fix out. The simplest explanation is probably the correct one: It is a low priority for them. 😞 I seriously doubt it is any sinister conspiracy with the government.

 

I spent many years in a large consumer electronics company and I am confident it is going something like this:

  1. The support folks are all asking the Dev folks to build a fix.
  2. The dev folks have this task on a long list of things that they have to prioritize. Consequently they have either not finished a fix or not gotten to it. (Let's face it, the % of their customers for this product that use VPN is really low)

It is very likely that no one in NG has explicitly said "we won't fix it", but it is also likely that the priority is low enough that it will not get fixed anytime soon (if ever). As others have pointed out, they already have our money. The only cost to NG of not fixing it is 1) Support calls and 2) the potential lost sales due to a bad reputation. Consequently, when the dev team has to decide between working on the new product or fixing the old product.... the existing customer needs can easily get left out.

 

As long as they are still selling the product, there is a reasonable likelihood they will eventually address this issue and make the 'fix' available to the current users. Unfortunately, one way they could decide to fix the issue is to quit saying they support VPN. If they do that, it *is* an explicit decision not to provide a patch. (The good news is that 1) marketing people always *hate* to give up a feature and 2) it might be easier for them to put out a fix than it is to change all of their documentation and packaging)

 

The only place we (the consumers) have any real power is our ability to impact their reputation. With the modern internet, we have the ability to educate others about the lack of support (How costly to NG is a bad review of a NG product on Amazon?)......and that has the possibility of getting their attention due to the fear of losing sales.

 

I really hope that NG comes through and we don't have a need to exercise that power.

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 8 of 17
ncazer
Tutor

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

So did I.


@pthorvald wrote:

 

Hello JamesGL

Back on February 5th you wrote:

    "NETGEAR is already aware of MD5 certificate which will no longer work by April. NETGEAR will release a new certificate before the deadline."

 

The deadline is now 2 days away..... What should we expect? Is there going to be an update or not? If not, I am going to be very disappointed. I purchased this router explicitly for the VPN function.

 

Hardware Version R7000
Firmware Version V1.0.9.26_10.2.31


 

Message 9 of 17
ncazer
Tutor

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

You're probably right. In any case, Netgear is losing me as a customer. They should consider what amount of lifetime value their customers have...

 


@pthorvald wrote:

NG folks have been on these threads, it is clear someone in NG knows about the problem. However, for whatever reason they have not been able to put enough resources on the problem to get a fix out. The simplest explanation is probably the correct one: It is a low priority for them. 😞 I seriously doubt it is any sinister conspiracy with the government.

 

I spent many years in a large consumer electronics company and I am confident it is going something like this:

  1. The support folks are all asking the Dev folks to build a fix.
  2. The dev folks have this task on a long list of things that they have to prioritize. Consequently they have either not finished a fix or not gotten to it. (Let's face it, the % of their customers for this product that use VPN is really low)

It is very likely that no one in NG has explicitly said "we won't fix it", but it is also likely that the priority is low enough that it will not get fixed anytime soon (if ever). As others have pointed out, they already have our money. The only cost to NG of not fixing it is 1) Support calls and 2) the potential lost sales due to a bad reputation. Consequently, when the dev team has to decide between working on the new product or fixing the old product.... the existing customer needs can easily get left out.

 

As long as they are still selling the product, there is a reasonable likelihood they will eventually address this issue and make the 'fix' available to the current users. Unfortunately, one way they could decide to fix the issue is to quit saying they support VPN. If they do that, it *is* an explicit decision not to provide a patch. (The good news is that 1) marketing people always *hate* to give up a feature and 2) it might be easier for them to put out a fix than it is to change all of their documentation and packaging)

 

The only place we (the consumers) have any real power is our ability to impact their reputation. With the modern internet, we have the ability to educate others about the lack of support (How costly to NG is a bad review of a NG product on Amazon?)......and that has the possibility of getting their attention due to the fear of losing sales.

 

I really hope that NG comes through and we don't have a need to exercise that power.

Message 10 of 17
KBeck123
Tutor

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

I dunno. The UI on this router's fine; built-in instructions on how to get the whole VPN business set up and running were pretty clear. There's weirdnesses involved with the DNS-to-IP stuff, but it still appears to be a freebie, not bad.

My personal opinion is that over time, more and more people are going to use these VPN services because, well, the world is becoming a hairier place.

Maybe there's another solution for Netgear on this router. Or maybe most of their consumer grade routers: Publish enough of the code so that the mavens over at DD-WRT can take a stab at it; or even assign somebody full-time, so they can make 0.9 revs of DD-WRT available for the download, rather than the Netgear-specific load. A double win: They don't have to support the old software any more and their gear ceases to be an issue with random security updates on Linux-based routers. The only downsides I can see would be two-fold: 1) The DD-WRT stuff would compete with new routers (i.e., people wouldn't ditch the old stuff due to insecure/buggy software like they do now); and 2) they'd have to hire or repurpose somebody to be the DD-WRT maven. But it might actually end up as a staff reduction; they wouldn't have to scurry quite as much chasing major security bugs.

One of the reasons I ditched the Netgear WNDR-3700v2 I used to have was that it didn't have the horsepower/throughput to do streaming and it didn't have the stability to do VPN in the first place. And, yeah, it died of old age. People will still buy Netgear - if they can keep the support going. And maybe putting the support on DD-WRT and the like would be the leg up they need to expand.

Model: R6700v2|Nighthawk AC1750 Smart WiFi Router
Message 11 of 17
KBeck1234
Initiate

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

Well, here we are: May 6th and no update. OpenVPN still connects - but, in the logs, there's this statement:

17:37:37.370 - EVENT: WARN info='TLS: received certificate signed with MD5. Please inform your admin to upgrade to a stronger algorithm. Support for MD5 will be dropped at the end of Apr 2018'

Looks like imminent bricking of the 6700v2's VPN capability.

Look: Does somebody at Netgear have a list of commands to run to build self-generated, self-signed certs, and how to install those onto the box?

Or at least say if you guys have the change to some other cert signing method in the works. I'm an engineer; I know that schedules get beat up sometimes. But at least knowing if it's in the Plan somewhere would be a help at this stage. And, if it's not.. Well, say so.

Model: R6700v2|Nighthawk AC1750 Smart WiFi Router
Message 12 of 17
tauceti
Aspirant

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

I am interested in this too. Looks like many of the Broadcom based routers have been updated already, but this one is MediaTek and it has not.

 

This sucks. VPN is advertised but it does not work.

 

I would have purchased a higher model if I had known.

Message 13 of 17
Blanca_O
NETGEAR Moderator

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

Hi All, 

 

A firmware is released for R6700v2 that will support the new OpenVPN certificate.

 

https://kb.netgear.com/000059475/R6700v2-Firmware-Version-1-2-0-24

 

Regards, 
Blanca 
Community Team
 

Message 14 of 17
KBeck1234
Initiate

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

Blanca_O & Co.:

Thank you! Have successfully downloaded the new firmware, updated the VPN software, got the new client, and it works. The Open VPN logs on my cell show no trace, as far as I can tell, of the MD5 problem. Given the length of time it's taken, I was half-convinced I was going to ditch this router and go to a competitor: Kudos for taking the time out to get this thing fixed.

A couple of comments from the upgrade attempt, for possible changes to your FAQ on the subject and a Warning To Others :).

  1. Got onto the router home page and it immediately notified that there was an update. Two different spots on the router page lit up with an invitation to "get the update". Clicking on either leads to a progress bar indicating a download.. But this eventually clears with a message of "No update available", indicating, shall we say, a bug you could drive a truck through in the built-in update method. This was fixed by actually reading the FAQ (horrors) where it says to download the file onto one's PC from Netgear, unzipping said file, then updating by hitting the "browse" button on the router web page, locating the unzipped .img file, and selecting that. It ran.
  2. Next: Up popped this nifty message stating "<<Attention>> A new OpenVPN configuration package for your router is available that enhances your router's security. You must update the OpenVPN configuration package for your router. Once the OpenVPN configuration package is updated, you must update the OpenVPN configuration package on all your clients; otherwise, your clients won't be able to access your router using the VPN feature." Cool, that's what we want, an updated OpenVPN configuration package. Hit the button on this one.. and waited... and waited... and waited... and waited. Fifteen minutes later, figured, "This ain't gonna work", went to the router IP address and logged on again. Went to the VPN service page and downloaded the new package for a Smart Phone, put it on the Smart Phone, and then discovered that the Android OpenVPN client doesn't make it highly obvious how to delete an old profile. After stooging around a bit and deleting the original OpenVPN configuration files and such, managed to delete the old profile, load the new one, and, ta-da, it worked. Also: If one hasn't refreshed the Dynamic DNS, one should do so. Conclusion: There's a bug in the VPN package update that doesn't actually do a progress bar successfully, leaving users in the lurch. Fix it, please?

In any case, Thank You Gentlepeople Very Much for updating this router.

 

Model: R6700v2|Nighthawk AC1750 Smart WiFi Router
Message 15 of 17
Blanca_O
NETGEAR Moderator

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

Hi KBeck1234, 

 

Thank you for sharing the result. I am very pleased with the update.

 

Regards, 
Blanca 
Community Team

Message 16 of 17
arvelconnor90
Aspirant

Re: R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256

Thanks for this information. Can you tell me the impact of this firmware on VPN and how I can check this on my FastestVPN?

Message 17 of 17