diff options
author | Arne Schwabe <arne@rfc2549.org> | 2017-06-26 15:48:13 +0200 |
---|---|---|
committer | Arne Schwabe <arne@rfc2549.org> | 2017-06-26 16:17:03 +0200 |
commit | e0febec022b8308143d4030f0c0391cfefd1a847 (patch) | |
tree | eca60796b48bc4bfb66855877b26dd50e29fbf96 /main/src | |
parent | 5e27e89ca45996b0f80db93f9235c2b13e3b6689 (diff) |
Add more info about weak hashes, version 0.6.73v0.6.73-productionv0.6.73
Diffstat (limited to 'main/src')
4 files changed, 13 insertions, 3 deletions
diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java index 40d54519..75514930 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java +++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java @@ -152,6 +152,7 @@ public class OpenVPNThread implements Runnable { Pattern p = Pattern.compile("(\\d+).(\\d+) ([0-9a-f])+ (.*)");
Matcher m = p.matcher(logline);
+ int logerror = 0;
if (m.matches()) {
int flags = Integer.parseInt(m.group(3), 16);
String msg = m.group(4);
@@ -171,8 +172,13 @@ public class OpenVPNThread implements Runnable { if (msg.startsWith("MANAGEMENT: CMD"))
logLevel = Math.max(4, logLevel);
+ if ((msg.endsWith("md too weak") && msg.startsWith("OpenSSL: error")) || msg.contains("error:140AB18E"))
+ logerror = 1;
VpnStatus.logMessageOpenVPN(logStatus, logLevel, msg);
+ if (logerror==1)
+ VpnStatus.logError("OpenSSL reproted a certificate with a weak hash, please the in app FAQ about weak hashes");
+
} else {
VpnStatus.logInfo("P:" + logline);
}
diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java b/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java index 82b4c5bd..0332a713 100644 --- a/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java +++ b/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java @@ -112,6 +112,7 @@ public class FaqFragment extends Fragment { new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_howto_title, R.string.faq_howto), + new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.weakmd_title, R.string.weakmd), new FAQEntry(Build.VERSION_CODES.LOLLIPOP, -1, R.string.samsung_broken_title, R.string.samsung_broken), new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_duplicate_notification_title, R.string.faq_duplicate_notification), @@ -119,7 +120,7 @@ public class FaqFragment extends Fragment { new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_androids_clients_title, R.string.faq_android_clients), - new FAQEntry(Build.VERSION_CODES.LOLLIPOP, -1, R.string.ab_lollipop_reinstall_title, R.string.ab_lollipop_reinstall), + new FAQEntry(Build.VERSION_CODES.LOLLIPOP, Build.VERSION_CODES.LOLLIPOP_MR1, R.string.ab_lollipop_reinstall_title, R.string.ab_lollipop_reinstall), new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, Build.VERSION_CODES.JELLY_BEAN_MR2, R.string.vpn_tethering_title, R.string.faq_tethering), diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java b/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java index 223048b9..0be9f4a2 100644 --- a/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java +++ b/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java @@ -76,7 +76,8 @@ public class FaqViewAdapter extends RecyclerView.Adapter<FaqViewAdapter.FaqViewH mHtmlEntriesTitle[i] = Html.fromHtml(title); } - mHtmlEntries[i] = Html.fromHtml(textColor + mContext.getString(faqItems[i].description)); + String content = mContext.getString(faqItems[i].description); + mHtmlEntries[i] = Html.fromHtml(textColor + content); // Add hack R.string.faq_system_dialogs_title -> R.string.faq_system_dialog_xposed if (faqItems[i].title == R.string.faq_system_dialogs_title) diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml index cbd9c06b..c63ec601 100755 --- a/main/src/main/res/values/strings.xml +++ b/main/src/main/res/values/strings.xml @@ -436,8 +436,9 @@ <string name="kbits_per_second">%.1f kbit/s</string> <string name="mbits_per_second">%.1f Mbit/s</string> <string name="gbits_per_second">%.1f Gbit/s</string> + <string name="weakmd"><p>Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like MD5.</p><p><b>MD5 signatures are insecure and should not be used anymore.</b> MD5 collisions can be created in <a href="https://natmchugh.blogspot.de/2015/02/create-your-own-md5-collisions.html">few hours at a minimal cost.</a>. You should update the VPN certificates as soon as possible.</p><p>Unfortunately, older easy-rsa distributions included the config option "default_md md5". If you are using an old easy-rsa version, update to the <a href="https://github.com/OpenVPN/easy-rsa/releases">latest version</a>) or change md5 to sha256 and regenerate your certificates.</p><p>If you really want to use old and broken certificates use the custom configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your imported configuration</p></string> - <string name="volume_byte">%.0f B</string> +<string name="volume_byte">%.0f B</string> <string name="volume_kbyte">%.1f kB</string> <string name="volume_mbyte">%.1f MB</string> <string name="volume_gbyte">%.1f GB</string> @@ -445,5 +446,6 @@ <string name="channel_description_background">Ongoing statistics of the established OpenVPN connection</string> <string name="channel_name_status">Connection status change</string> <string name="channel_description_status">Status changes of the OpenVPN connection (Connecting, authenticating,…)</string> + <string name="weakmd_title">Weak (MD5) hashes in certificate signature (SSL_CTX_use_certificate md too weak)</string> </resources> |