summaryrefslogtreecommitdiff
path: root/main
diff options
context:
space:
mode:
authorArne Schwabe <arne@rfc2549.org>2017-06-26 15:48:13 +0200
committerArne Schwabe <arne@rfc2549.org>2017-06-26 16:17:03 +0200
commite0febec022b8308143d4030f0c0391cfefd1a847 (patch)
treeeca60796b48bc4bfb66855877b26dd50e29fbf96 /main
parent5e27e89ca45996b0f80db93f9235c2b13e3b6689 (diff)
Add more info about weak hashes, version 0.6.73v0.6.73-productionv0.6.73
Diffstat (limited to 'main')
-rw-r--r--main/build.gradle4
-rw-r--r--main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java6
-rw-r--r--main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java3
-rw-r--r--main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java3
-rwxr-xr-xmain/src/main/res/values/strings.xml4
5 files changed, 15 insertions, 5 deletions
diff --git a/main/build.gradle b/main/build.gradle
index be6948f0..551fda43 100644
--- a/main/build.gradle
+++ b/main/build.gradle
@@ -35,8 +35,8 @@ android {
defaultConfig {
minSdkVersion 14
targetSdkVersion 26
- versionCode = 152
- versionName = "0.6.72"
+ versionCode = 153
+ versionName = "0.6.73"
}
sourceSets {
diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
index 40d54519..75514930 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
@@ -152,6 +152,7 @@ public class OpenVPNThread implements Runnable {
Pattern p = Pattern.compile("(\\d+).(\\d+) ([0-9a-f])+ (.*)");
Matcher m = p.matcher(logline);
+ int logerror = 0;
if (m.matches()) {
int flags = Integer.parseInt(m.group(3), 16);
String msg = m.group(4);
@@ -171,8 +172,13 @@ public class OpenVPNThread implements Runnable {
if (msg.startsWith("MANAGEMENT: CMD"))
logLevel = Math.max(4, logLevel);
+ if ((msg.endsWith("md too weak") && msg.startsWith("OpenSSL: error")) || msg.contains("error:140AB18E"))
+ logerror = 1;
VpnStatus.logMessageOpenVPN(logStatus, logLevel, msg);
+ if (logerror==1)
+ VpnStatus.logError("OpenSSL reproted a certificate with a weak hash, please the in app FAQ about weak hashes");
+
} else {
VpnStatus.logInfo("P:" + logline);
}
diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java b/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java
index 82b4c5bd..0332a713 100644
--- a/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java
+++ b/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java
@@ -112,6 +112,7 @@ public class FaqFragment extends Fragment {
new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_howto_title, R.string.faq_howto),
+ new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.weakmd_title, R.string.weakmd),
new FAQEntry(Build.VERSION_CODES.LOLLIPOP, -1, R.string.samsung_broken_title, R.string.samsung_broken),
new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_duplicate_notification_title, R.string.faq_duplicate_notification),
@@ -119,7 +120,7 @@ public class FaqFragment extends Fragment {
new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_androids_clients_title, R.string.faq_android_clients),
- new FAQEntry(Build.VERSION_CODES.LOLLIPOP, -1, R.string.ab_lollipop_reinstall_title, R.string.ab_lollipop_reinstall),
+ new FAQEntry(Build.VERSION_CODES.LOLLIPOP, Build.VERSION_CODES.LOLLIPOP_MR1, R.string.ab_lollipop_reinstall_title, R.string.ab_lollipop_reinstall),
new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, Build.VERSION_CODES.JELLY_BEAN_MR2, R.string.vpn_tethering_title, R.string.faq_tethering),
diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java b/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java
index 223048b9..0be9f4a2 100644
--- a/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java
+++ b/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java
@@ -76,7 +76,8 @@ public class FaqViewAdapter extends RecyclerView.Adapter<FaqViewAdapter.FaqViewH
mHtmlEntriesTitle[i] = Html.fromHtml(title);
}
- mHtmlEntries[i] = Html.fromHtml(textColor + mContext.getString(faqItems[i].description));
+ String content = mContext.getString(faqItems[i].description);
+ mHtmlEntries[i] = Html.fromHtml(textColor + content);
// Add hack R.string.faq_system_dialogs_title -> R.string.faq_system_dialog_xposed
if (faqItems[i].title == R.string.faq_system_dialogs_title)
diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml
index cbd9c06b..c63ec601 100755
--- a/main/src/main/res/values/strings.xml
+++ b/main/src/main/res/values/strings.xml
@@ -436,8 +436,9 @@
<string name="kbits_per_second">%.1f kbit/s</string>
<string name="mbits_per_second">%.1f Mbit/s</string>
<string name="gbits_per_second">%.1f Gbit/s</string>
+ <string name="weakmd">&lt;p>Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like MD5.&lt;/p>&lt;p>&lt;b>MD5 signatures are insecure and should not be used anymore.&lt;/b> MD5 collisions can be created in &lt;a href="https://natmchugh.blogspot.de/2015/02/create-your-own-md5-collisions.html">few hours at a minimal cost.&lt;/a>. You should update the VPN certificates as soon as possible.&lt;/p>&lt;p>Unfortunately, older easy-rsa distributions included the config option "default_md md5". If you are using an old easy-rsa version, update to the &lt;a href="https://github.com/OpenVPN/easy-rsa/releases">latest version&lt;/a>) or change md5 to sha256 and regenerate your certificates.&lt;/p>&lt;p>If you really want to use old and broken certificates use the custom configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your imported configuration&lt;/p></string>
- <string name="volume_byte">%.0f B</string>
+<string name="volume_byte">%.0f B</string>
<string name="volume_kbyte">%.1f kB</string>
<string name="volume_mbyte">%.1f MB</string>
<string name="volume_gbyte">%.1f GB</string>
@@ -445,5 +446,6 @@
<string name="channel_description_background">Ongoing statistics of the established OpenVPN connection</string>
<string name="channel_name_status">Connection status change</string>
<string name="channel_description_status">Status changes of the OpenVPN connection (Connecting, authenticating,…)</string>
+ <string name="weakmd_title">Weak (MD5) hashes in certificate signature (SSL_CTX_use_certificate md too weak)</string>
</resources>