authorArne Schwabe <arne@rfc2549.org>2021-10-15 01:31:14 +0200
committerArne Schwabe <arne@rfc2549.org>2021-10-15 01:31:14 +0200
commit90ba71780c8ad851f0146e2176a9e40efe532e05 (patch)
tree8dfca9b98cef35ec916f011206cc7b324d08ac1c
parent9ca366fb2db61926021866a37e14c332ebc57c59 (diff)
Implement tls-cert-profile in profile and parser
-rw-r--r--main/src/main/cpp/CMakeLists.txt2
m---------main/src/main/cpp/openvpn0
m---------main/src/main/cpp/openvpn30
-rw-r--r--main/src/main/java/de/blinkt/openvpn/VpnProfile.java3
-rw-r--r--main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java15
-rwxr-xr-xmain/src/main/res/values/strings.xml6
-rw-r--r--main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java3
-rw-r--r--main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt3
8 files changed, 27 insertions, 5 deletions
diff --git a/main/src/main/cpp/CMakeLists.txt b/main/src/main/cpp/CMakeLists.txt
index a4689802..1a1176bd 100644
--- a/main/src/main/cpp/CMakeLists.txt
+++ b/main/src/main/cpp/CMakeLists.txt
@@ -91,7 +91,7 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s
-DNO_ROUTE_EXCLUDE_EMULATION
-DOPENVPN_SHOW_SESSION_TOKEN
-DOPENSSL_API_COMPAT=0x10200000L
-
+ -DOPENVPN_ALLOW_INSECURE_CERTPROFILE
)
else ()
message("Not budiling OpenVPN for output dir ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}")
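Review bot: The new `-DOPENVPN_ALLOW_INSECURE_CERTPROFILE` define is a security-relevant build switch with no comment saying what it unlocks or why it is needed; a reader of CMakeLists.txt cannot tell that it exists so the `insecure` tls-cert-profile that ConfigParser accepts and Utils.kt warns about elsewhere in this commit can actually reach the core. Suggest a comment directly above it: `# allow tls-cert-profile "insecure" (old/weak certificates); the UI exposes it as an explicit low-security choice and warns when selected`. Since the define relaxes certificate acceptance for any profile that selects it, it should stay paired with that UI warning.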
diff --git a/main/src/main/cpp/openvpn b/main/src/main/cpp/openvpn
-Subproject 6857da80d8ac395e457df4f8ea5d7d9260137a0
+Subproject 5800c9b4ee989e4b27428669af0a36353d37761
diff --git a/main/src/main/cpp/openvpn3 b/main/src/main/cpp/openvpn3
-Subproject dfa16e552e3dca8aa11766a5db0c097060c8a7d
+Subproject d5c5efaf01aaf5317de4900a78558ca53761bbf
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 84e7975d..fd30ea5a 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -385,6 +385,9 @@ public class VpnProfile implements Serializable, Cloneable {
if (mUseLegacyProvider)
cfg.append("provider legacy:default\n");
+
+ if (!TextUtils.isEmpty(mTlSCertProfile))
+ cfg.append(String.format("tls-cert-profile %s\n", mTlSCertProfile));
} else {
cfg.append("# Config for OpenVPN 3 C++\n");
}
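Review bot: `mTlSCertProfile` is interpolated into the generated config via `String.format` without being checked against the set of accepted values; ConfigParser validates on import, but VpnProfile is Serializable and the field can be populated from stored profiles or UI code that never goes through the parser, so a value containing whitespace or a newline would end up in the config unchecked. Consider guarding with the same allowed names as the parser, ideally a shared `static final` collection, e.g. `if (ALLOWED_TLS_CERT_PROFILES.contains(mTlSCertProfile)) cfg.append("tls-cert-profile " + mTlSCertProfile + "\n");` (name is a proposal), and the same unvalidated pass-through appears in the `setTlsCertProfileOverride` call in OpenVPNThreadv3. Separately, the capitalisation `mTlSCertProfile` (capital S in `TlS`) reads as a typo for `mTlsCertProfile`; this commit introduces it in VpnProfile, ConfigParser, OpenVPNThreadv3 and Utils.kt, so renaming now is cheap. The enclosing config-generation method starts and ends outside the hunk.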
diff --git a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
index a1b1bcb6..4126f65c 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
@@ -546,6 +546,21 @@ public class ConfigParser {
{
np.mDataCiphers = ncp_ciphers.get(1);
}
+ Vector<String> tls_cert_profile = getOption("tls-cert-profile", 1, 1);
+ if (tls_cert_profile != null)
+ {
+ String profile = tls_cert_profile.get(1);
+ for (String choice : new String[]{"insecure", "preferred", "legacy", "suiteb"}) {
+ if (choice.equals(profile)) {
+ np.mTlSCertProfile = profile;
+ break;
+ }
+ }
+ if (!profile.equals(np.mTlSCertProfile))
+ {
+ throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");
+ }
+ }
Vector<String> compatmode = getOption("compat-mode", 1, 1);
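Review bot: The validation in the new block is indirect: the loop assigns `np.mTlSCertProfile` and the following `if` infers validity by comparing the field back to `profile`, which is correct but harder to follow than testing membership directly, and it writes the field before the value is known to be valid. A direct form is `if (!Arrays.asList("insecure", "preferred", "legacy", "suiteb").contains(profile)) throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");` followed by `np.mTlSCertProfile = profile;` (importing `java.util.Arrays` if the file does not already). Keeping the four accepted names in one shared constant would also let the config writer in VpnProfile and the `"insecure"` warning in Utils.kt reference the same list instead of repeating literals. The braceless `if (choice.equals(profile))` mixed with Allman-style braces on the surrounding `if` blocks is inconsistent within the same hunk.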
diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml
index b82d70ca..6dc900a9 100755
--- a/main/src/main/res/values/strings.xml
+++ b/main/src/main/res/values/strings.xml
@@ -442,9 +442,7 @@
MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.&lt;/p>&lt;p>
You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the
near future.&lt;/p>
- &lt;p>If you really want to use old and broken certificates use the custom
- configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your
- imported configuration&lt;/p>
+ &lt;p>If you really want to use old and broken certificates select "insecure" for the TLS security profile under Authentication/Encryption of the profile&lt;/p>
</string>
<string name="volume_byte">%.0f B</string>
<string name="volume_kbyte">%.1f kB</string>
@@ -499,7 +497,7 @@
<string name="check_peer_fingerprint">Check peer certificate fingerprint</string>
<string name="fingerprint">(Enter the SHA256 fingerprint of the server certificate(s))</string>
<string name="proxy_info">HTTP Proxy: %1$s %2$d</string>
- <string name="use_alwayson_vpn">Please you the Always-On Feature of Android to enable VPN at boot time.</string>
+ <string name="use_alwayson_vpn">Please use the Always-On Feature of Android to enable VPN at boot time.</string>
<string name="open_vpn_settings">Open VPN Settings</string>
<string name="trigger_pending_auth_dialog">Press here open a window to enter additional required authentication</string>
<string name="compatmode">Compatibility Mode</string>
diff --git a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
index 1e49f2e6..da652ef9 100644
--- a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
+++ b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
@@ -3,6 +3,7 @@ package de.blinkt.openvpn.core;
import android.annotation.SuppressLint;
import android.content.Context;
import android.provider.Settings;
+import android.text.TextUtils;
import net.openvpn.ovpn3.ClientAPI_Config;
import net.openvpn.ovpn3.ClientAPI_EvalConfig;
@@ -183,6 +184,8 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable
boolean retryOnAuthFailed = mVp.mAuthRetry == AUTH_RETRY_NOINTERACT;
config.setRetryOnAuthFailed(retryOnAuthFailed);
config.setEnableLegacyAlgorithms(mVp.mUseLegacyProvider);
+ if (!TextUtils.isEmpty(mVp.mTlSCertProfile))
+ config.setTlsCertProfileOverride(mVp.mTlSCertProfile);
ClientAPI_EvalConfig ec = eval_config(config);
if (ec.getExternalPki()) {
diff --git a/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt b/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
index 8756b5b0..2130cdef 100644
--- a/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
+++ b/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
@@ -302,6 +302,9 @@ object Utils {
if (vp.mCompatMode > 0 )
warnings.add("compat mode enabled")
+ if ("insecure".equals(vp.mTlSCertProfile))
+ warnings.add("low security (TLS security profile 'insecure' selected)");
+
var cipher= vp.mCipher.toUpperCase(Locale.ROOT)
if (cipher.isNullOrEmpty())
cipher = "BF-CBC";
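Review bot: `"insecure".equals(vp.mTlSCertProfile)` is the Java idiom; in Kotlin `==` on strings is null-safe structural equality, so `if (vp.mTlSCertProfile == "insecure")` expresses the same check more idiomatically, and the trailing `;` after `warnings.add(...)` is not needed. The literal `"insecure"` duplicates one of the four names hard-coded in ConfigParser's accepted list in this commit; a shared constant would keep the warning and the parser from drifting apart if the set changes. The enclosing warnings function starts and ends outside the hunk.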