-rw-r--r--main/src/main/java/de/blinkt/openvpn/VpnProfile.java19
-rwxr-xr-xmain/src/main/res/values/strings.xml12
2 files changed, 22 insertions, 9 deletions
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
index 599647b0..115a9d03 100644
--- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
+++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java
@@ -867,8 +867,7 @@ public class VpnProfile implements Serializable, Cloneable {
}
private X509Certificate[] getKeyStoreCertificates(Context context) throws KeyChainException, InterruptedException {
- PrivateKey privateKey = KeyChain.getPrivateKey(context, mAlias);
- mPrivateKey = privateKey;
+ mPrivateKey = KeyChain.getPrivateKey(context, mAlias);
X509Certificate[] caChain = KeyChain.getCertificateChain(context, mAlias);
@@ -1059,6 +1058,22 @@ public class VpnProfile implements Serializable, Cloneable {
}
}
+ String dataciphers = "";
+ if (!TextUtils.isEmpty(dataciphers))
+ dataciphers = mDataCiphers.toUpperCase(Locale.ROOT);
+
+ String cipher = "BF-CBC";
+ if (!TextUtils.isEmpty(mCipher))
+ cipher = mCipher.toUpperCase(Locale.ROOT);
+
+ if (!mUseLegacyProvider &&
+ (dataciphers.contains("BF-CBC")
+ || ((mCompatMode > 0 && mCompatMode < 20500) || useOpenVPN3)
+ && cipher.equals("BF-CBC")))
+ {
+ return R.string.bf_cbc_requires_legacy;
+ }
+
// Everything okay
return R.string.no_error_found;
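Review bot: The guard `if (!TextUtils.isEmpty(dataciphers))` tests the local that was just initialised to `""`, so it can never be true and `mDataCiphers` is never read; `dataciphers.contains("BF-CBC")` is therefore always false, and a profile that lists BF-CBC only in its data ciphers passes this check without the legacy-provider warning. The condition should test the field instead: `if (!TextUtils.isEmpty(mDataCiphers))`. The combined condition also relies on `&&` binding tighter than `||`; wrapping the `((mCompatMode > 0 && mCompatMode < 20500) || useOpenVPN3) && cipher.equals("BF-CBC")` part in its own parentheses would make the intended grouping explicit. The enclosing method starts outside the hunk.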
diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml
index e93275e8..0fa36c05 100755
--- a/main/src/main/res/values/strings.xml
+++ b/main/src/main/res/values/strings.xml
@@ -440,13 +440,10 @@
<string name="mbits_per_second">%.1f Mbit/s</string>
<string name="gbits_per_second">%.1f Gbit/s</string>
<string name="weakmd">&lt;p>Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like
- MD5.&lt;/p>&lt;p>&lt;b>MD5 signatures are completely insecure and should not be used anymore.&lt;/b> MD5
- collisions can be created in &lt;a
- href="https://natmchugh.blogspot.de/2015/02/create-your-own-md5-collisions.html">few hours at a minimal cost.&lt;/a>.
- You should update the VPN certificates as soon as possible.&lt;/p>&lt;p>Unfortunately, older easy-rsa
- distributions included the config option "default_md md5". If you are using an old easy-rsa version, update to
- the &lt;a href="https://github.com/OpenVPN/easy-rsa/releases">latest version&lt;/a>) or change md5 to sha256 and
- regenerate your certificates.&lt;/p>&lt;p>If you really want to use old and broken certificates use the custom
+ MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.&lt;/p>&lt;p>
+ You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the
+ near future.&lt;/p>
+ &lt;p>If you really want to use old and broken certificates use the custom
configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your
imported configuration&lt;/p>
</string>
@@ -512,5 +509,6 @@
<string name="compatmode">Compatibility Mode</string>
<string name="compat_mode_label">Compatibility mode</string>
<string name="loadossllegacy">Load OpenSSL legacy provider</string>
+ <string name="bf_cbc_requires_legacy">Profiles uses BF-CBC which depends on OpenSSL legacy provider (not enabled).</string>
</resources>
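Review bot: The new `bf_cbc_requires_legacy` text reads "Profiles uses BF-CBC" and does not tell the user how to resolve the error. A wording such as `Profile uses BF-CBC, which requires the OpenSSL legacy provider (not enabled). Switch to a modern cipher or enable "Load OpenSSL legacy provider".` fixes the grammar and names the option whose label is defined just above as `loadossllegacy`. Mentioning the cipher change first keeps the legacy provider as a fallback rather than the default advice.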