diff options
Diffstat (limited to 'main/src')
-rw-r--r-- | main/src/main/java/de/blinkt/openvpn/VpnProfile.java | 19 | ||||
-rwxr-xr-x | main/src/main/res/values/strings.xml | 12 |
2 files changed, 22 insertions, 9 deletions
diff --git a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java index 599647b0..115a9d03 100644 --- a/main/src/main/java/de/blinkt/openvpn/VpnProfile.java +++ b/main/src/main/java/de/blinkt/openvpn/VpnProfile.java @@ -867,8 +867,7 @@ public class VpnProfile implements Serializable, Cloneable { } private X509Certificate[] getKeyStoreCertificates(Context context) throws KeyChainException, InterruptedException { - PrivateKey privateKey = KeyChain.getPrivateKey(context, mAlias); - mPrivateKey = privateKey; + mPrivateKey = KeyChain.getPrivateKey(context, mAlias); X509Certificate[] caChain = KeyChain.getCertificateChain(context, mAlias); @@ -1059,6 +1058,22 @@ public class VpnProfile implements Serializable, Cloneable { } } + String dataciphers = ""; + if (!TextUtils.isEmpty(dataciphers)) + dataciphers = mDataCiphers.toUpperCase(Locale.ROOT); + + String cipher = "BF-CBC"; + if (!TextUtils.isEmpty(mCipher)) + cipher = mCipher.toUpperCase(Locale.ROOT); + + if (!mUseLegacyProvider && + (dataciphers.contains("BF-CBC") + || ((mCompatMode > 0 && mCompatMode < 20500) || useOpenVPN3) + && cipher.equals("BF-CBC"))) + { + return R.string.bf_cbc_requires_legacy; + } + // Everything okay return R.string.no_error_found; diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml index e93275e8..0fa36c05 100755 --- a/main/src/main/res/values/strings.xml +++ b/main/src/main/res/values/strings.xml @@ -440,13 +440,10 @@ <string name="mbits_per_second">%.1f Mbit/s</string> <string name="gbits_per_second">%.1f Gbit/s</string> <string name="weakmd"><p>Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like - MD5.</p><p><b>MD5 signatures are completely insecure and should not be used anymore.</b> MD5 - collisions can be created in <a - href="https://natmchugh.blogspot.de/2015/02/create-your-own-md5-collisions.html">few hours at a minimal cost.</a>. - You should update the VPN certificates as soon as possible.</p><p>Unfortunately, older easy-rsa - distributions included the config option "default_md md5". If you are using an old easy-rsa version, update to - the <a href="https://github.com/OpenVPN/easy-rsa/releases">latest version</a>) or change md5 to sha256 and - regenerate your certificates.</p><p>If you really want to use old and broken certificates use the custom + MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.</p><p> + You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the + near future.</p> + <p>If you really want to use old and broken certificates use the custom configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your imported configuration</p> </string> @@ -512,5 +509,6 @@ <string name="compatmode">Compatibility Mode</string> <string name="compat_mode_label">Compatibility mode</string> <string name="loadossllegacy">Load OpenSSL legacy provider</string> + <string name="bf_cbc_requires_legacy">Profiles uses BF-CBC which depends on OpenSSL legacy provider (not enabled).</string> </resources> |