From e0febec022b8308143d4030f0c0391cfefd1a847 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Mon, 26 Jun 2017 15:48:13 +0200 Subject: Add more info about weak hashes, version 0.6.73 --- main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java | 6 ++++++ main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java | 3 ++- main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java | 3 ++- main/src/main/res/values/strings.xml | 4 +++- 4 files changed, 13 insertions(+), 3 deletions(-) (limited to 'main/src') diff --git a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java index 40d54519..75514930 100644 --- a/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java +++ b/main/src/main/java/de/blinkt/openvpn/core/OpenVPNThread.java @@ -152,6 +152,7 @@ public class OpenVPNThread implements Runnable { Pattern p = Pattern.compile("(\\d+).(\\d+) ([0-9a-f])+ (.*)"); Matcher m = p.matcher(logline); + int logerror = 0; if (m.matches()) { int flags = Integer.parseInt(m.group(3), 16); String msg = m.group(4); @@ -171,8 +172,13 @@ public class OpenVPNThread implements Runnable { if (msg.startsWith("MANAGEMENT: CMD")) logLevel = Math.max(4, logLevel); + if ((msg.endsWith("md too weak") && msg.startsWith("OpenSSL: error")) || msg.contains("error:140AB18E")) + logerror = 1; VpnStatus.logMessageOpenVPN(logStatus, logLevel, msg); + if (logerror==1) + VpnStatus.logError("OpenSSL reproted a certificate with a weak hash, please the in app FAQ about weak hashes"); + } else { VpnStatus.logInfo("P:" + logline); } diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java b/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java index 82b4c5bd..0332a713 100644 --- a/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java +++ b/main/src/main/java/de/blinkt/openvpn/fragments/FaqFragment.java @@ -112,6 +112,7 @@ public class FaqFragment extends Fragment { new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_howto_title, R.string.faq_howto), + new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.weakmd_title, R.string.weakmd), new FAQEntry(Build.VERSION_CODES.LOLLIPOP, -1, R.string.samsung_broken_title, R.string.samsung_broken), new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_duplicate_notification_title, R.string.faq_duplicate_notification), @@ -119,7 +120,7 @@ public class FaqFragment extends Fragment { new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, -1, R.string.faq_androids_clients_title, R.string.faq_android_clients), - new FAQEntry(Build.VERSION_CODES.LOLLIPOP, -1, R.string.ab_lollipop_reinstall_title, R.string.ab_lollipop_reinstall), + new FAQEntry(Build.VERSION_CODES.LOLLIPOP, Build.VERSION_CODES.LOLLIPOP_MR1, R.string.ab_lollipop_reinstall_title, R.string.ab_lollipop_reinstall), new FAQEntry(Build.VERSION_CODES.ICE_CREAM_SANDWICH, Build.VERSION_CODES.JELLY_BEAN_MR2, R.string.vpn_tethering_title, R.string.faq_tethering), diff --git a/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java b/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java index 223048b9..0be9f4a2 100644 --- a/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java +++ b/main/src/main/java/de/blinkt/openvpn/fragments/FaqViewAdapter.java @@ -76,7 +76,8 @@ public class FaqViewAdapter extends RecyclerView.Adapter R.string.faq_system_dialog_xposed if (faqItems[i].title == R.string.faq_system_dialogs_title) diff --git a/main/src/main/res/values/strings.xml b/main/src/main/res/values/strings.xml index cbd9c06b..c63ec601 100755 --- a/main/src/main/res/values/strings.xml +++ b/main/src/main/res/values/strings.xml @@ -436,8 +436,9 @@ %.1f kbit/s %.1f Mbit/s %.1f Gbit/s + <p>Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like MD5.</p><p><b>MD5 signatures are insecure and should not be used anymore.</b> MD5 collisions can be created in <a href="https://natmchugh.blogspot.de/2015/02/create-your-own-md5-collisions.html">few hours at a minimal cost.</a>. You should update the VPN certificates as soon as possible.</p><p>Unfortunately, older easy-rsa distributions included the config option "default_md md5". If you are using an old easy-rsa version, update to the <a href="https://github.com/OpenVPN/easy-rsa/releases">latest version</a>) or change md5 to sha256 and regenerate your certificates.</p><p>If you really want to use old and broken certificates use the custom configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your imported configuration</p> - %.0f B +%.0f B %.1f kB %.1f MB %.1f GB @@ -445,5 +446,6 @@ Ongoing statistics of the established OpenVPN connection Connection status change Status changes of the OpenVPN connection (Connecting, authenticating,…) + Weak (MD5) hashes in certificate signature (SSL_CTX_use_certificate md too weak) -- cgit v1.2.3