summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--main/src/main/cpp/CMakeLists.txt2
m---------main/src/main/cpp/openvpn0
m---------main/src/main/cpp/openvpn30
-rw-r--r--main/src/main/java/de/blinkt/openvpn/VpnProfile.java3
-rw-r--r--main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java15
-rwxr-xr-xmain/src/main/res/values/strings.xml6
-rw-r--r--main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java3
-rw-r--r--main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt3
8 files changed, 27 insertions, 5 deletions
diff --git a/main/src/main/cpp/CMakeLists.txt b/main/src/main/cpp/CMakeLists.txt
index a4689802..1a1176bd 100644
--- a/main/src/main/cpp/CMakeLists.txt
+++ b/main/src/main/cpp/CMakeLists.txt
@@ -91,7 +91,7 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s
-DNO_ROUTE_EXCLUDE_EMULATION
-DOPENVPN_SHOW_SESSION_TOKEN
-DOPENSSL_API_COMPAT=0x10200000L
-
+ -DOPENVPN_ALLOW_INSECURE_CERTPROFILE
)
else ()
message("Not budiling OpenVPN for output dir ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}")
diff --git a/main/src/main/cpp/openvpn b/main/src/main/cpp/openvpn
-Subproject 6857da80d8ac395e457df4f8ea5d7d9260137a0
+Subproject 5800c9b4ee989e4b27428669af0a36353d37761
diff --git a/main/src/main/cpp/openvpn3 b/main/src/main/cpp/openvpn3
-Subproject dfa16e552e3dca8aa11766a5db0c097060c8a7d
+Subproject d5c5efaf01aaf5317de4900a78558ca53761bbf
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 84e7975d..fd30ea5a 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -385,6 +385,9 @@ public class VpnProfile implements Serializable, Cloneable {
if (mUseLegacyProvider)
cfg.append("provider legacy:default\n");
+
+ if (!TextUtils.isEmpty(mTlSCertProfile))
+ cfg.append(String.format("tls-cert-profile %s\n", mTlSCertProfile));
} else {
cfg.append("# Config for OpenVPN 3 C++\n");
}
diff --git a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
index a1b1bcb6..4126f65c 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
@@ -546,6 +546,21 @@ public class ConfigParser {
{
np.mDataCiphers = ncp_ciphers.get(1);
}
+ Vector<String> tls_cert_profile = getOption("tls-cert-profile", 1, 1);
+ if (tls_cert_profile != null)
+ {
+ String profile = tls_cert_profile.get(1);
+ for (String choice : new String[]{"insecure", "preferred", "legacy", "suiteb"}) {
+ if (choice.equals(profile)) {
+ np.mTlSCertProfile = profile;
+ break;
+ }
+ }
+ if (!profile.equals(np.mTlSCertProfile))
+ {
+ throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");
+ }
+ }
Vector<String> compatmode = getOption("compat-mode", 1, 1);
diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml
index b82d70ca..6dc900a9 100755
--- a/main/src/main/res/values/strings.xml
+++ b/main/src/main/res/values/strings.xml
@@ -442,9 +442,7 @@
MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.&lt;/p>&lt;p>
You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the
near future.&lt;/p>
- &lt;p>If you really want to use old and broken certificates use the custom
- configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your
- imported configuration&lt;/p>
+ &lt;p>If you really want to use old and broken certificates select "insecure" for the TLS security profile under Authentication/Encryption of the profile&lt;/p>
</string>
<string name="volume_byte">%.0f B</string>
<string name="volume_kbyte">%.1f kB</string>
@@ -499,7 +497,7 @@
<string name="check_peer_fingerprint">Check peer certificate fingerprint</string>
<string name="fingerprint">(Enter the SHA256 fingerprint of the server certificate(s))</string>
<string name="proxy_info">HTTP Proxy: %1$s %2$d</string>
- <string name="use_alwayson_vpn">Please you the Always-On Feature of Android to enable VPN at boot time.</string>
+ <string name="use_alwayson_vpn">Please use the Always-On Feature of Android to enable VPN at boot time.</string>
<string name="open_vpn_settings">Open VPN Settings</string>
<string name="trigger_pending_auth_dialog">Press here open a window to enter additional required authentication</string>
<string name="compatmode">Compatibility Mode</string>
diff --git a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
index 1e49f2e6..da652ef9 100644
--- a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
+++ b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
@@ -3,6 +3,7 @@ package de.blinkt.openvpn.core;
import android.annotation.SuppressLint;
import android.content.Context;
import android.provider.Settings;
+import android.text.TextUtils;
import net.openvpn.ovpn3.ClientAPI_Config;
import net.openvpn.ovpn3.ClientAPI_EvalConfig;
@@ -183,6 +184,8 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable
boolean retryOnAuthFailed = mVp.mAuthRetry == AUTH_RETRY_NOINTERACT;
config.setRetryOnAuthFailed(retryOnAuthFailed);
config.setEnableLegacyAlgorithms(mVp.mUseLegacyProvider);
+ if (!TextUtils.isEmpty(mVp.mTlSCertProfile))
+ config.setTlsCertProfileOverride(mVp.mTlSCertProfile);
ClientAPI_EvalConfig ec = eval_config(config);
if (ec.getExternalPki()) {
diff --git a/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt b/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
index 8756b5b0..2130cdef 100644
--- a/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
+++ b/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
@@ -302,6 +302,9 @@ object Utils {
if (vp.mCompatMode > 0 )
warnings.add("compat mode enabled")
+ if ("insecure".equals(vp.mTlSCertProfile))
+ warnings.add("low security (TLS security profile 'insecure' selected)");
+
var cipher= vp.mCipher.toUpperCase(Locale.ROOT)
if (cipher.isNullOrEmpty())
cipher = "BF-CBC";