Diffstat (limited to 'main/src/main')
-rw-r--r-- | main/src/main/cpp/CMakeLists.txt | 2 | ||||
m--------- | main/src/main/cpp/openvpn | 0 | ||||
m--------- | main/src/main/cpp/openvpn3 | 0 | ||||
-rw-r--r-- | main/src/main/java/de/blinkt/openvpn/VpnProfile.java | 3 | ||||
-rw-r--r-- | main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java | 15 | ||||
-rwxr-xr-x | main/src/main/res/values/strings.xml | 6 |
6 files changed, 21 insertions, 5 deletions
diff --git a/main/src/main/cpp/CMakeLists.txt b/main/src/main/cpp/CMakeLists.txt index a4689802..1a1176bd 100644 --- a/main/src/main/cpp/CMakeLists.txt +++ b/main/src/main/cpp/CMakeLists.txt @@ -91,7 +91,7 @@ if (NOT ${CMAKE_LIBRARY_OUTPUT_DIRECTORY} MATCHES "build/intermediates/cmake/.*s -DNO_ROUTE_EXCLUDE_EMULATION -DOPENVPN_SHOW_SESSION_TOKEN -DOPENSSL_API_COMPAT=0x10200000L - + -DOPENVPN_ALLOW_INSECURE_CERTPROFILE ) else () message("Not budiling OpenVPN for output dir ${CMAKE_LIBRARY_OUTPUT_DIRECTORY}") diff --git a/main/src/main/cpp/openvpn b/main/src/main/cpp/openvpn -Subproject 6857da80d8ac395e457df4f8ea5d7d9260137a0 +Subproject 5800c9b4ee989e4b27428669af0a36353d37761 diff --git a/main/src/main/cpp/openvpn3 b/main/src/main/cpp/openvpn3 -Subproject dfa16e552e3dca8aa11766a5db0c097060c8a7d +Subproject d5c5efaf01aaf5317de4900a78558ca53761bbf diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java index 84e7975d..fd30ea5a 100644 --- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java +++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java @@ -385,6 +385,9 @@ public class VpnProfile implements Serializable, Cloneable { if (mUseLegacyProvider) cfg.append("provider legacy:default\n"); + + if (!TextUtils.isEmpty(mTlSCertProfile)) + cfg.append(String.format("tls-cert-profile %s\n", mTlSCertProfile)); } else { cfg.append("# Config for OpenVPN 3 C++\n"); } diff --git a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java index a1b1bcb6..4126f65c 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java +++ b/main/src/main/java/de/blinkt/openvpn/core/ConfigParser.java 
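Review bot: The new `-DOPENVPN_ALLOW_INSECURE_CERTPROFILE` entry in the compile-definitions list is a security-relevant build switch and carries no comment. As far as the hunk shows, it applies to every build that reaches this branch of the `if`. A comment above it would tell the next maintainer why it is on, for example `# Required so that "tls-cert-profile insecure" is accepted; only profiles that select it are affected`. That wording is inferred from the rest of the commit and should be confirmed against the target this list belongs to, which is outside the hunk.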
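Review bot: `mTlSCertProfile` is written into the generated config by the added `cfg.append(String.format("tls-cert-profile %s\n", mTlSCertProfile))` without any check at this point, so a value containing whitespace or a line break would put extra directives into the config. The allow-list introduced by this commit lives only in ConfigParser, while the field can presumably also be set from the UI or from a stored profile. The same four values should be checked before emitting, e.g. `if (TLS_CERT_PROFILES.contains(mTlSCertProfile))` against a constant shared with the parser (the constant name is a placeholder). The line sits in the OpenVPN 2 branch only; whether the OpenVPN 3 config receives the option elsewhere is not visible, because the enclosing method starts and ends outside the hunk.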
@@ -546,6 +546,21 @@ public class ConfigParser { { np.mDataCiphers = ncp_ciphers.get(1); } + Vector<String> tls_cert_profile = getOption("tls-cert-profile", 1, 1); + if (tls_cert_profile != null) + { + String profile = tls_cert_profile.get(1); + for (String choice : new String[]{"insecure", "preferred", "legacy", "suiteb"}) { + if (choice.equals(profile)) { + np.mTlSCertProfile = profile; + break; + } + } + if (!profile.equals(np.mTlSCertProfile)) + { + throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'"); + } + } Vector<String> compatmode = getOption("compat-mode", 1, 1); diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml index b82d70ca..6dc900a9 100755 --- a/main/src/main/res/values/strings.xml +++ b/main/src/main/res/values/strings.xml @@ -442,9 +442,7 @@ MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.</p><p> You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the near future.</p> - <p>If you really want to use old and broken certificates use the custom - configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your - imported configuration</p> + <p>If you really want to use old and broken certificates select "insecure" for the TLS security profile under Authentication/Encryption of the profile</p> </string> <string name="volume_byte">%.0f B</string> <string name="volume_kbyte">%.1f kB</string> 
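Review bot: The validity check in the added `tls-cert-profile` block is indirect: it compares `profile` with `np.mTlSCertProfile` after the loop, so the result depends on the field's initial value, which is declared outside the hunk. If that default ever equals an unlisted input (an empty string, say), the value would pass without being in the list. A direct test reads more clearly: `if (!Arrays.asList("insecure", "preferred", "legacy", "suiteb").contains(profile)) throw new ConfigParseError("Invalid tls-cert-profile '" + profile + "'");` followed by `np.mTlSCertProfile = profile;` (this needs `java.util.Arrays` if the file does not already import it). Separately, an imported config is untrusted input and nothing in this hunk tells the user when it selects `insecure`, so a warning at import time would be worth adding if none exists elsewhere.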
@@ -499,7 +497,7 @@ <string name="check_peer_fingerprint">Check peer certificate fingerprint</string> <string name="fingerprint">(Enter the SHA256 fingerprint of the server certificate(s))</string> <string name="proxy_info">HTTP Proxy: %1$s %2$d</string> - <string name="use_alwayson_vpn">Please you the Always-On Feature of Android to enable VPN at boot time.</string> + <string name="use_alwayson_vpn">Please use the Always-On Feature of Android to enable VPN at boot time.</string> <string name="open_vpn_settings">Open VPN Settings</string> <string name="trigger_pending_auth_dialog">Press here open a window to enter additional required authentication</string> <string name="compatmode">Compatibility Mode</string> |