Fix warning with mCipher=nulll and add OpenVPN3 related warning

2 files changed, 22 insertions, 9 deletions

diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 599647b0..115a9d03 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -867,8 +867,7 @@ public class VpnProfile implements Serializable, Cloneable {
     }
 
     private X509Certificate[] getKeyStoreCertificates(Context context) throws KeyChainException, InterruptedException {
-        PrivateKey privateKey = KeyChain.getPrivateKey(context, mAlias);
-        mPrivateKey = privateKey;
+        mPrivateKey = KeyChain.getPrivateKey(context, mAlias);
 
 
         X509Certificate[] caChain = KeyChain.getCertificateChain(context, mAlias);
@@ -1059,6 +1058,22 @@ public class VpnProfile implements Serializable, Cloneable {
             }
         }
 
+        String dataciphers = "";
+        if (!TextUtils.isEmpty(dataciphers))
+            dataciphers = mDataCiphers.toUpperCase(Locale.ROOT);
+
+        String cipher = "BF-CBC";
+        if (!TextUtils.isEmpty(mCipher))
+            cipher = mCipher.toUpperCase(Locale.ROOT);
+
+        if (!mUseLegacyProvider &&
+                (dataciphers.contains("BF-CBC")
+                || ((mCompatMode > 0 && mCompatMode < 20500) || useOpenVPN3)
+                && cipher.equals("BF-CBC")))
+        {
+            return R.string.bf_cbc_requires_legacy;
+        }
+
         // Everything okay
         return R.string.no_error_found;
 
diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml
index e93275e8..0fa36c05 100755
--- a/main/src/main/res/values/strings.xml
+++ b/main/src/main/res/values/strings.xml
@@ -440,13 +440,10 @@
     <string name="mbits_per_second">%.1f Mbit/s</string>
     <string name="gbits_per_second">%.1f Gbit/s</string>
     <string name="weakmd">&lt;p>Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like
-        MD5.&lt;/p>&lt;p>&lt;b>MD5 signatures are completely insecure and should not be used anymore.&lt;/b> MD5
-        collisions can be created in &lt;a
-        href="https://natmchugh.blogspot.de/2015/02/create-your-own-md5-collisions.html">few hours at a minimal cost.&lt;/a>.
-        You should update the VPN certificates as soon as possible.&lt;/p>&lt;p>Unfortunately, older easy-rsa
-        distributions included the config option "default_md md5". If you are using an old easy-rsa version, update to
-        the &lt;a href="https://github.com/OpenVPN/easy-rsa/releases">latest version&lt;/a>) or change md5 to sha256 and
-        regenerate your certificates.&lt;/p>&lt;p>If you really want to use old and broken certificates use the custom
+        MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.&lt;/p>&lt;p>
+        You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the
+        near future.&lt;/p>
+        &lt;p>If you really want to use old and broken certificates use the custom
         configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your
         imported configuration&lt;/p>
     </string>
@@ -512,5 +509,6 @@
     <string name="compatmode">Compatibility Mode</string>
     <string name="compat_mode_label">Compatibility mode</string>
     <string name="loadossllegacy">Load OpenSSL legacy provider</string>
+    <string name="bf_cbc_requires_legacy">Profiles uses BF-CBC which depends on OpenSSL legacy provider (not enabled).</string>
 
 </resources>