-rw-r--r-- | main/src/main/cpp/CMakeLists.txt | 2 | ||||
m--------- | main/src/main/cpp/openvpn | 0 | ||||
m--------- | main/src/main/cpp/openvpn3 | 0 | ||||
-rw-r--r-- | main/src/main/java/de/blinkt/openvpn/VpnProfile.java | 3 | ||||
-rw-r--r-- | main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java | 15 | ||||
-rwxr-xr-x | main/src/main/res/values/strings.xml | 6 | ||||
-rw-r--r-- | main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java | 3 | ||||
-rw-r--r-- | main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt | 3 |
8 files changed, 27 insertions, 5 deletions
diff --git a/main/src/main/cpp/CMakeLists.txt b/main/src/main/cpp/CMakeLists.txt
index a4689802..1a1176bd 100644
--- a/main/src/main/cpp/CMakeLists.txt
+++ b/main/src/main/cpp/CMakeLists.txt
@@ -91,7 +91,7 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s
 -DNO_ROUTE_EXCLUDE_EMULATION
 -DOPENVPN_SHOW_SESSION_TOKEN
 -DOPENSSL_API_COMPAT=0x10200000L
-
+ -DOPENVPN_ALLOW_INSECURE_CERTPROFILE
 )
 else ()
 message("Not budiling OpenVPN for output dir ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}")
diff --git a/main/src/main/cpp/openvpn b/main/src/main/cpp/openvpn
-Subproject 6857da80d8ac395e457df4f8ea5d7d9260137a0
+Subproject 5800c9b4ee989e4b27428669af0a36353d37761
diff --git a/main/src/main/cpp/openvpn3 b/main/src/main/cpp/openvpn3
-Subproject dfa16e552e3dca8aa11766a5db0c097060c8a7d
+Subproject d5c5efaf01aaf5317de4900a78558ca53761bbf
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 84e7975d..fd30ea5a 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -385,6 +385,9 @@ public class VpnProfile implements Serializable, Cloneable {
 if (mUseLegacyProvider)
 cfg.append("provider legacy:default\n");
+
+ if (!TextUtils.isEmpty(mTlSCertProfile))
+ cfg.append(String.format("tls-cert-profile %s\n", mTlSCertProfile));
 } else {
 cfg.append("# Config for OpenVPN 3 C++\n");
 }
diff --git a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
index a1b1bcb6..4126f65c 100644
--- a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
+++ b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java
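Review bot: The added `-DOPENVPN_ALLOW_INSECURE_CERTPROFILE` define is, going by its name and by the rest of this commit, the compile-time switch that lets the OpenVPN 3 core accept the "insecure" value that ConfigParser.java and OpenVPNThreadv3.java now pass through, and nothing in CMakeLists.txt records that dependency. A one-line comment above it, `# needed so the "insecure" tls-cert-profile selectable in the profile UI is accepted by the core; the Java side still limits the value to the known profile names`, would keep a later cleanup from dropping the flag or from assuming the core still rejects that profile. The target_compile_definitions call this line belongs to starts before and ends after the hunk.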
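Review bot: `cfg.append(String.format("tls-cert-profile %s\n", mTlSCertProfile))` emits the field into the generated OpenVPN 2 config verbatim, while the only validation of that value visible in this commit is the whitelist in ConfigParser.java, which runs on import; VpnProfile is Serializable and the strings.xml change says the value is also selectable in the UI, so a value that reaches this line by another path is written into the config text unchecked. Guarding here with the same fixed set, e.g. `if (!TextUtils.isEmpty(mTlSCertProfile) && Arrays.asList("insecure", "preferred", "legacy", "suiteb").contains(mTlSCertProfile))`, keeps the config emitter defensive regardless of where the value came from (this needs `java.util.Arrays` in scope, which I cannot see from the hunk). As a style point, the field name `mTlSCertProfile` (used again in the ConfigParser.java, OpenVPNThreadv3.java and Utils.kt hunks) has a stray capital S; `mTlsCertProfile` would match the neighbouring `mUseLegacyProvider`. The enclosing method begins before and ends after this hunk.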
@@ -546,6 +546,21 @@ public class ConfigParser {
 {
 np.mDataCiphers = ncp_ciphers.get(1);
 }
+ Vector<String> tls_cert_profile = getOption("tls-cert-profile", 1, 1);
+ if (tls_cert_profile != null)
+ {
+ String profile = tls_cert_profile.get(1);
+ for (String choice : new String[]{"insecure", "preferred", "legacy", "suiteb"}) {
+ if (choice.equals(profile)) {
+ np.mTlSCertProfile = profile;
+ break;
+ }
+ }
+ if (!profile.equals(np.mTlSCertProfile))
+ {
+ throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");
+ }
+ }
 Vector<String> compatmode = getOption("compat-mode", 1, 1);
diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml
index b82d70ca..6dc900a9 100755
--- a/main/src/main/res/values/strings.xml
+++ b/main/src/main/res/values/strings.xml
@@ -442,9 +442,7 @@ MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.</p><p>
 You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the near future.</p>
- <p>If you really want to use old and broken certificates use the custom
- configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your
- imported configuration</p>
+ <p>If you really want to use old and broken certificates select "insecure" for the TLS security profile under Authentication/Encryption of the profile</p>
 </string>
 <string name="volume_byte">%.0f B</string>
 <string name="volume_kbyte">%.1f kB</string>
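Review bot: The new tls-cert-profile validation assigns `np.mTlSCertProfile` inside the loop and then re-derives whether a match happened by comparing `profile` against the field afterwards, which is two checks for one condition and only holds because a non-matching `profile` can never equal whatever the field held before; a single membership test that throws before the assignment states the intent directly and cannot drift if the field gets a default later. Rejecting unknown values with ConfigParseError is the right call here, since this parser is the entry point for imported .ovpn files, and the "insecure" value it lets through is surfaced to the user by the Utils.kt warning in this commit. The rewrite below needs `java.util.Arrays` in scope, which I cannot confirm from the hunk. The enclosing method starts before and ends after the hunk.
```java
Vector<String> tls_cert_profile = getOption("tls-cert-profile", 1, 1);
if (tls_cert_profile != null)
{
    String profile = tls_cert_profile.get(1);
    // Only the profile names OpenVPN's tls-cert-profile option knows; anything else must not reach the config
    if (!Arrays.asList("insecure", "preferred", "legacy", "suiteb").contains(profile))
    {
        throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");
    }
    np.mTlSCertProfile = profile;
}
// … unchanged: compat-mode handling …
```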
@@ -499,7 +497,7 @@
 <string name="check_peer_fingerprint">Check peer certificate fingerprint</string>
 <string name="fingerprint">(Enter the SHA256 fingerprint of the server certificate(s))</string>
 <string name="proxy_info">HTTP Proxy: %1$s %2$d</string>
- <string name="use_alwayson_vpn">Please you the Always-On Feature of Android to enable VPN at boot time.</string>
+ <string name="use_alwayson_vpn">Please use the Always-On Feature of Android to enable VPN at boot time.</string>
 <string name="open_vpn_settings">Open VPN Settings</string>
 <string name="trigger_pending_auth_dialog">Press here open a window to enter additional required authentication</string>
 <string name="compatmode">Compatibility Mode</string>
diff --git a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
index 1e49f2e6..da652ef9 100644
--- a/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
+++ b/main/src/ui/java/de/blinkt/openvpn/core/OpenVPNThreadv3.java
@@ -3,6 +3,7 @@ package de.blinkt.openvpn.core;
 import android.annotation.SuppressLint;
 import android.content.Context;
 import android.provider.Settings;
+import android.text.TextUtils;
 import net.openvpn.ovpn3.ClientAPI_Config;
 import net.openvpn.ovpn3.ClientAPI_EvalConfig;
@@ -183,6 +184,8 @@ public class OpenVPNThreadv3 extends ClientAPI_OpenVPNClient implements Runnable
 boolean retryOnAuthFailed = mVp.mAuthRetry == AUTH_RETRY_NOINTERACT;
 config.setRetryOnAuthFailed(retryOnAuthFailed);
 config.setEnableLegacyAlgorithms(mVp.mUseLegacyProvider);
+ if (!TextUtils.isEmpty(mVp.mTlSCertProfile))
+ config.setTlsCertProfileOverride(mVp.mTlSCertProfile);
 ClientAPI_EvalConfig ec = eval_config(config);
 if (ec.getExternalPki()) {
diff --git a/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt b/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
index 8756b5b0..2130cdef 100644
--- a/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
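Review bot: `config.setTlsCertProfileOverride(mVp.mTlSCertProfile)` hands the stored profile name to the OpenVPN 3 core with no comment on why the empty case is skipped or why "insecure" is accepted at all; the latter appears to depend on the `-DOPENVPN_ALLOW_INSECURE_CERTPROFILE` define added to main/src/main/cpp/CMakeLists.txt in this same commit, which a reader of this file cannot see. A comment such as `// No override when unset (the core keeps its own default); "insecure" is only honoured because the core is built with OPENVPN_ALLOW_INSECURE_CERTPROFILE, see main/src/main/cpp/CMakeLists.txt` would tie the two sides together. The import hunk above is routine. The enclosing method starts before and ends after this hunk.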
+++ b/main/src/ui/java/de/blinkt/openvpn/fragments/Utils.kt
@@ -302,6 +302,9 @@ object Utils {
 if (vp.mCompatMode > 0 )
 warnings.add("compat mode enabled")
+ if ("insecure".equals(vp.mTlSCertProfile))
+ warnings.add("low security (TLS security profile 'insecure' selected)");
+
 var cipher= vp.mCipher.toUpperCase(Locale.ROOT)
 if (cipher.isNullOrEmpty())
 cipher = "BF-CBC";
|
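Review bot: `if ("insecure".equals(vp.mTlSCertProfile))` followed by a line ending in a semicolon is Java idiom carried into Kotlin; `if (vp.mTlSCertProfile == "insecure")` and `warnings.add("low security (TLS security profile 'insecure' selected)")` without the semicolon are the Kotlin form, and `==` on a possibly-null String from Java is null-safe, so the Yoda ordering is not needed. Surfacing the downgraded profile in the warnings list is the right place for it, since this is the only point in the commit where the user is told that an imported or selected profile weakens certificate checking. The enclosing function starts before and ends after the hunk.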