Add more info about weak hashes, version 0.6.73v0.6.73-production v0.6.73

author: Arne Schwabe <arne@rfc2549.org> 2017-06-26 15:48:13 +0200
committer: Arne Schwabe <arne@rfc2549.org> 2017-06-26 16:17:03 +0200
commit: e0febec022b8308143d4030f0c0391cfefd1a847 (patch)
tree: eca60796b48bc4bfb66855877b26dd50e29fbf96 /main
parent: 5e27e89ca45996b0f80db93f9235c2b13e3b6689 (diff)
5 files changed, 15 insertions, 5 deletions
diff --git a/main/build.gradle b/main/build.gradle
index be6948f0..551fda43 100644
--- a/main/build.gradle
+++ b/main/build.gradle
@@ -35,8 +35,8 @@ android {
     defaultConfig {
         minSdkVersion 14
         targetSdkVersion 26
-        versionCode = 152
-        versionName = "0.6.72"
+        versionCode = 153
+        versionName = "0.6.73"
     }
 
     sourceSets {
diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
index 40d54519..75514930 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java
@@ -152,6 +152,7 @@ public class OpenVPNThread implements Runnable {
 
                 Pattern p = Pattern.compile("(\\d+).(\\d+) ([0-9a-f])+ (.*)");
                 Matcher m = p.matcher(logline);
+                int logerror = 0;
                 if (m.matches()) {
                     int flags = Integer.parseInt(m.group(3), 16);
                     String msg = m.group(4);
@@ -171,8 +172,13 @@ public class OpenVPNThread implements Runnable {
                     if (msg.startsWith("MANAGEMENT: CMD"))
                         logLevel = Math.max(4, logLevel);
 
+                    if ((msg.endsWith("md too weak") && msg.startsWith("OpenSSL: error")) || msg.contains("error:140AB18E"))
+                        logerror = 1;
 
                     VpnStatus.logMessageOpenVPN(logStatus, logLevel, msg);
+                    if (logerror==1)
+                        VpnStatus.logError("OpenSSL reproted a certificate with a weak hash, please the in app FAQ about weak hashes");
+
                 } else {
                     VpnStatus.logInfo("P:" + logline);
                 }
diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java b/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java
index 82b4c5bd..0332a713 100644
--- a/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java
+++ b/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java
@@ -112,6 +112,7 @@ public class FaqFragment extends Fragment {
 
             new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_howto_title, R.string.faq_howto),
 
+            new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.weakmd_title, R.string.weakmd),
             new FAQEntry(Build.VERSION_CODES.LOLLIPOP, -1, R.string.samsung_broken_title, R.string.samsung_broken),
 
             new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_duplicate_notification_title, R.string.faq_duplicate_notification),
@@ -119,7 +120,7 @@ public class FaqFragment extends Fragment {
             new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_androids_clients_title, R.string.faq_android_clients),
 
 
-            new FAQEntry(Build.VERSION_CODES.LOLLIPOP, -1, R.string.ab_lollipop_reinstall_title, R.string.ab_lollipop_reinstall),
+            new FAQEntry(Build.VERSION_CODES.LOLLIPOP, Build.VERSION_CODES.LOLLIPOP_MR1, R.string.ab_lollipop_reinstall_title, R.string.ab_lollipop_reinstall),
 
 
             new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, Build.VERSION_CODES.JELLY_BEAN_MR2, R.string.vpn_tethering_title, R.string.faq_tethering),
diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java b/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java
index 223048b9..0be9f4a2 100644
--- a/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java
+++ b/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java
@@ -76,7 +76,8 @@ public class FaqViewAdapter extends RecyclerView.Adapter<FaqViewAdapter.FaqViewH
                 mHtmlEntriesTitle[i] = Html.fromHtml(title);
             }
 
-            mHtmlEntries[i] = Html.fromHtml(textColor + mContext.getString(faqItems[i].description));
+            String content = mContext.getString(faqItems[i].description);
+            mHtmlEntries[i] = Html.fromHtml(textColor + content);
 
             // Add hack R.string.faq_system_dialogs_title -> R.string.faq_system_dialog_xposed
             if (faqItems[i].title == R.string.faq_system_dialogs_title)
diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml
index cbd9c06b..c63ec601 100755
--- a/main/src/main/res/values/strings.xml
+++ b/main/src/main/res/values/strings.xml
@@ -436,8 +436,9 @@
     <string name="kbits_per_second">%.1f kbit/s</string>
     <string name="mbits_per_second">%.1f Mbit/s</string>
     <string name="gbits_per_second">%.1f Gbit/s</string>
+    <string name="weakmd">&lt;p>Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like MD5.&lt;/p>&lt;p>&lt;b>MD5 signatures are insecure and should not be used anymore.&lt;/b> MD5 collisions can be created in &lt;a href="https://natmchugh.blogspot.de/2015/02/create-your-own-md5-collisions.html">few hours at a minimal cost.&lt;/a>. You should update the VPN certificates as soon as possible.&lt;/p>&lt;p>Unfortunately, older easy-rsa distributions included the config option "default_md md5". If you are using an old easy-rsa version, update to the &lt;a href="https://github.com/OpenVPN/easy-rsa/releases">latest version&lt;/a>) or change md5 to sha256 and regenerate your certificates.&lt;/p>&lt;p>If you really want to use old and broken certificates use the custom configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your imported configuration&lt;/p></string>
 
-    <string name="volume_byte">%.0f B</string>
+<string name="volume_byte">%.0f B</string>
     <string name="volume_kbyte">%.1f kB</string>
     <string name="volume_mbyte">%.1f MB</string>
     <string name="volume_gbyte">%.1f GB</string>
@@ -445,5 +446,6 @@
     <string name="channel_description_background">Ongoing statistics of the established OpenVPN connection</string>
     <string name="channel_name_status">Connection status change</string>
     <string name="channel_description_status">Status changes of the  OpenVPN connection (Connecting, authenticating,…)</string>
+    <string name="weakmd_title">Weak (MD5) hashes in certificate signature (SSL_CTX_use_certificate md too weak)</string>
 
 </resources>
author	Arne Schwabe <arne@rfc2549.org>	2017-06-26 15:48:13 +0200
committer	Arne Schwabe <arne@rfc2549.org>	2017-06-26 16:17:03 +0200
commit	e0febec022b8308143d4030f0c0391cfefd1a847 (patch)
tree	eca60796b48bc4bfb66855877b26dd50e29fbf96 /main
parent	5e27e89ca45996b0f80db93f9235c2b13e3b6689 (diff)