0.7.31 openssl issue with cipher suite #1434

caseyng · 2022-01-03T17:00:38Z

caseyng
Jan 3, 2022

To make issues more manageable, I would appreciate it if you fill out the following details as applicable:

General information

Android Version - 11
Android Vendor/Custom ROM - vivo funtouch os 10.5 (original rom)
Device - vivo v15 (aka vivo 1819)
Version of the app (version number/play store version/self-built) - 0.7.31

Description of the issue

Openvpn 0.7.29 was working for fine for me. When i upgraded to 0.7.31. the connection no longer works. I'm not sure exactly what's wrong but i suspect it to be the cipher suite that i'm using. Not sure how to set the suite though cuz my router has a limit options.

I think it is an OpenSSL problem, as 0.7.31 uses OpenSSL 3.0.1 but 0.7.29 uses OpenSSL 3.0.0. Can someone help to explain why the connection fails?

Also, when i set the tls security profile in 0.7.31 to insecure (as stated in the faq), the connection works. However, i don't see where my settings are insecure, and why the same configuration works for 0.7.29 but not for 0.7.31. I don't have to set my tls security profile to insecure in 0.7.29 though.

My cipher suite does not use md5, afaik. My openvpn client settings are at the bottom of the post.

All sensitive information have been redacted.

****** Log from 0.7.31 (aka non-working version) ******
2022-01-04 00:37:47 F-Droid built and signed version 0.7.31 running on vivo vivo 1819 (k71v1_64_bsp), Android 11 (RP1A.200720.012) API 30, ABI arm64-v8a, (vivo/1819N/1819N:11/RP1A.200720.012/compiler0623214610:user/release-keys)
2022-01-04 00:37:47 Building configuration…
2022-01-04 00:37:47 started Socket Thread
2022-01-04 00:37:47 Network Status: CONNECTED LTE to MOBILE xxxxx
2022-01-04 00:37:47 Debug state info: CONNECTED LTE to MOBILE xxxxx, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-01-04 00:37:47 P:WARNING: linker: Warning: "/data/app/~~XhhQPzgOS_Mp--XuVZoF8A==/de.blinkt.openvpn-myTTQd7kMfY_yh_hrCjzcA==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2022-01-04 00:37:47 Debug state info: CONNECTED LTE to MOBILE xxxxx, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-01-04 00:37:47 Note: --cipher is not set. OpenVPN versions before 2.6 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback 'BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-01-04 00:37:47 Current Parameter Settings:
2022-01-04 00:37:47   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2022-01-04 00:37:47   mode = 0
2022-01-04 00:37:47   show_ciphers = DISABLED
2022-01-04 00:37:47   show_digests = DISABLED
2022-01-04 00:37:47   show_engines = DISABLED
2022-01-04 00:37:47   genkey = DISABLED
2022-01-04 00:37:47   genkey_filename = '[UNDEF]'
2022-01-04 00:37:47   key_pass_file = '[UNDEF]'
2022-01-04 00:37:47   show_tls_ciphers = DISABLED
2022-01-04 00:37:47   connect_retry_max = 0
2022-01-04 00:37:47 Connection profiles [0]:
2022-01-04 00:37:47   proto = udp
2022-01-04 00:37:47   local = '[UNDEF]'
2022-01-04 00:37:47   local_port = '[UNDEF]'
2022-01-04 00:37:47   remote = 'xxx.xxx.xxx.xxx'
2022-01-04 00:37:47   remote_port = 'yyyyy'
2022-01-04 00:37:47   remote_float = ENABLED
2022-01-04 00:37:47   bind_defined = DISABLED
2022-01-04 00:37:47   bind_local = DISABLED
2022-01-04 00:37:47   bind_ipv6_only = DISABLED
2022-01-04 00:37:47   connect_retry_seconds = 2
2022-01-04 00:37:47   connect_timeout = 120
2022-01-04 00:37:47   socks_proxy_server = '[UNDEF]'
2022-01-04 00:37:47 Waiting 0s seconds between connection attempt
2022-01-04 00:37:47   socks_proxy_port = '[UNDEF]'
2022-01-04 00:37:47   tun_mtu = 1500
2022-01-04 00:37:47   tun_mtu_defined = ENABLED
2022-01-04 00:37:47   link_mtu = 1500
2022-01-04 00:37:47   link_mtu_defined = DISABLED
2022-01-04 00:37:47   tun_mtu_extra = 0
2022-01-04 00:37:47   tun_mtu_extra_defined = DISABLED
2022-01-04 00:37:47   mtu_discover_type = -1
2022-01-04 00:37:47   fragment = 0
2022-01-04 00:37:47   mssfix = 1450
2022-01-04 00:37:47   explicit_exit_notification = 0
2022-01-04 00:37:47   tls_auth_file = '[UNDEF]'
2022-01-04 00:37:47   key_direction = not set
2022-01-04 00:37:47   tls_crypt_file = '[INLINE]'
2022-01-04 00:37:47   tls_crypt_v2_file = '[UNDEF]'
2022-01-04 00:37:47 Connection profiles END
2022-01-04 00:37:47   remote_random = DISABLED
2022-01-04 00:37:47   ipchange = '[UNDEF]'
2022-01-04 00:37:47   dev = 'tun'
2022-01-04 00:37:47   dev_type = '[UNDEF]'
2022-01-04 00:37:47   dev_node = '[UNDEF]'
2022-01-04 00:37:47   lladdr = '[UNDEF]'
2022-01-04 00:37:47   topology = 1
2022-01-04 00:37:47   ifconfig_local = '[UNDEF]'
2022-01-04 00:37:47   ifconfig_remote_netmask = '[UNDEF]'
2022-01-04 00:37:47   ifconfig_noexec = DISABLED
2022-01-04 00:37:47   ifconfig_nowarn = ENABLED
2022-01-04 00:37:47   ifconfig_ipv6_local = '[UNDEF]'
2022-01-04 00:37:47   ifconfig_ipv6_netbits = 0
2022-01-04 00:37:47   ifconfig_ipv6_remote = '[UNDEF]'
2022-01-04 00:37:47   shaper = 0
2022-01-04 00:37:47   mtu_test = 0
2022-01-04 00:37:47   mlock = DISABLED
2022-01-04 00:37:47   keepalive_ping = 15
2022-01-04 00:37:47   keepalive_timeout = 60
2022-01-04 00:37:47   inactivity_timeout = 0
2022-01-04 00:37:47   ping_send_timeout = 15
2022-01-04 00:37:47   ping_rec_timeout = 60
2022-01-04 00:37:47   ping_rec_timeout_action = 2
2022-01-04 00:37:47   ping_timer_remote = DISABLED
2022-01-04 00:37:47   remap_sigusr1 = 0
2022-01-04 00:37:47   persist_tun = DISABLED
2022-01-04 00:37:47   persist_local_ip = DISABLED
2022-01-04 00:37:47   persist_remote_ip = DISABLED
2022-01-04 00:37:47   persist_key = DISABLED
2022-01-04 00:37:47   passtos = DISABLED
2022-01-04 00:37:47   resolve_retry_seconds = 1000000000
2022-01-04 00:37:47   resolve_in_advance = DISABLED
2022-01-04 00:37:47   username = '[UNDEF]'
2022-01-04 00:37:47   groupname = '[UNDEF]'
2022-01-04 00:37:47   chroot_dir = '[UNDEF]'
2022-01-04 00:37:47   cd_dir = '[UNDEF]'
2022-01-04 00:37:47   writepid = '[UNDEF]'
2022-01-04 00:37:47   up_script = '[UNDEF]'
2022-01-04 00:37:47   down_script = '[UNDEF]'
2022-01-04 00:37:47   down_pre = DISABLED
2022-01-04 00:37:47   up_restart = DISABLED
2022-01-04 00:37:47   up_delay = DISABLED
2022-01-04 00:37:47   daemon = DISABLED
2022-01-04 00:37:47   log = DISABLED
2022-01-04 00:37:47   suppress_timestamps = DISABLED
2022-01-04 00:37:47   machine_readable_output = ENABLED
2022-01-04 00:37:47   nice = 0
2022-01-04 00:37:47   verbosity = 4
2022-01-04 00:37:47   mute = 0
2022-01-04 00:37:47   gremlin = 0
2022-01-04 00:37:47   status_file = '[UNDEF]'
2022-01-04 00:37:47   status_file_version = 1
2022-01-04 00:37:47   status_file_update_freq = 60
2022-01-04 00:37:47   occ = ENABLED
2022-01-04 00:37:47   rcvbuf = 0
2022-01-04 00:37:47   sndbuf = 0
2022-01-04 00:37:47   sockflags = 0
2022-01-04 00:37:47   fast_io = DISABLED
2022-01-04 00:37:47   comp.alg = 0
2022-01-04 00:37:47   comp.flags = 24
2022-01-04 00:37:47   route_script = '[UNDEF]'
2022-01-04 00:37:47   route_default_gateway = '[UNDEF]'
2022-01-04 00:37:47   route_default_metric = 0
2022-01-04 00:37:47   route_noexec = DISABLED
2022-01-04 00:37:47   route_delay = 0
2022-01-04 00:37:47   route_delay_window = 30
2022-01-04 00:37:47   route_delay_defined = DISABLED
2022-01-04 00:37:47   route_nopull = DISABLED
2022-01-04 00:37:47   route_gateway_via_dhcp = DISABLED
2022-01-04 00:37:47   allow_pull_fqdn = DISABLED
2022-01-04 00:37:47   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2022-01-04 00:37:47   management_port = 'unix'
2022-01-04 00:37:47   management_user_pass = '[UNDEF]'
2022-01-04 00:37:47   management_log_history_cache = 250
2022-01-04 00:37:47   management_echo_buffer_size = 100
2022-01-04 00:37:47   management_write_peer_info_file = '[UNDEF]'
2022-01-04 00:37:47   management_client_user = '[UNDEF]'
2022-01-04 00:37:47   management_client_group = '[UNDEF]'
2022-01-04 00:37:47   management_flags = 16678
2022-01-04 00:37:47   shared_secret_file = '[UNDEF]'
2022-01-04 00:37:47   key_direction = not set
2022-01-04 00:37:47   ciphername = 'BF-CBC'
2022-01-04 00:37:47   ncp_ciphers = 'CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC'
2022-01-04 00:37:47   authname = 'SHA512'
2022-01-04 00:37:47   engine = DISABLED
2022-01-04 00:37:47   replay = ENABLED
2022-01-04 00:37:47   mute_replay_warnings = DISABLED
2022-01-04 00:37:47   replay_window = 64
2022-01-04 00:37:47   replay_time = 15
2022-01-04 00:37:47   packet_id_file = '[UNDEF]'
2022-01-04 00:37:47   test_crypto = DISABLED
2022-01-04 00:37:47   tls_server = DISABLED
2022-01-04 00:37:47   tls_client = ENABLED
2022-01-04 00:37:47   ca_file = '[INLINE]'
2022-01-04 00:37:47   ca_path = '[UNDEF]'
2022-01-04 00:37:47   dh_file = '[UNDEF]'
2022-01-04 00:37:47   cert_file = '[INLINE]'
2022-01-04 00:37:47   extra_certs_file = '[UNDEF]'
2022-01-04 00:37:47   priv_key_file = '[INLINE]'
2022-01-04 00:37:47   pkcs12_file = '[UNDEF]'
2022-01-04 00:37:47   cipher_list = '[UNDEF]'
2022-01-04 00:37:47   cipher_list_tls13 = '[UNDEF]'
2022-01-04 00:37:47   tls_cert_profile = 'legacy'
2022-01-04 00:37:47   tls_verify = '[UNDEF]'
2022-01-04 00:37:47   tls_export_cert = '[UNDEF]'
2022-01-04 00:37:47   verify_x509_type = 0
2022-01-04 00:37:47   verify_x509_name = '[UNDEF]'
2022-01-04 00:37:47   crl_file = '[UNDEF]'
2022-01-04 00:37:47   ns_cert_type = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 65535
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_ku[i] = 0
2022-01-04 00:37:47   remote_cert_eku = 'TLS Web Server Authentication'
2022-01-04 00:37:47   ssl_flags = 192
2022-01-04 00:37:47   tls_timeout = 2
2022-01-04 00:37:47   renegotiate_bytes = -1
2022-01-04 00:37:47   renegotiate_packets = 0
2022-01-04 00:37:47   renegotiate_seconds = 3600
2022-01-04 00:37:47   handshake_window = 60
2022-01-04 00:37:47   transition_window = 3600
2022-01-04 00:37:47   single_session = DISABLED
2022-01-04 00:37:47   push_peer_info = DISABLED
2022-01-04 00:37:47   tls_exit = DISABLED
2022-01-04 00:37:47   tls_crypt_v2_metadata = '[UNDEF]'
2022-01-04 00:37:47   server_network = 0.0.0.0
2022-01-04 00:37:47   server_netmask = 0.0.0.0
2022-01-04 00:37:47   server_network_ipv6 = ::
2022-01-04 00:37:47   server_netbits_ipv6 = 0
2022-01-04 00:37:47   server_bridge_ip = 0.0.0.0
2022-01-04 00:37:47   server_bridge_netmask = 0.0.0.0
2022-01-04 00:37:47   server_bridge_pool_start = 0.0.0.0
2022-01-04 00:37:47   server_bridge_pool_end = 0.0.0.0
2022-01-04 00:37:47   ifconfig_pool_defined = DISABLED
2022-01-04 00:37:47   ifconfig_pool_start = 0.0.0.0
2022-01-04 00:37:47   ifconfig_pool_end = 0.0.0.0
2022-01-04 00:37:47   ifconfig_pool_netmask = 0.0.0.0
2022-01-04 00:37:47   ifconfig_pool_persist_filename = '[UNDEF]'
2022-01-04 00:37:47   ifconfig_pool_persist_refresh_freq = 600
2022-01-04 00:37:47   ifconfig_ipv6_pool_defined = DISABLED
2022-01-04 00:37:47   ifconfig_ipv6_pool_base = ::
2022-01-04 00:37:47   ifconfig_ipv6_pool_netbits = 0
2022-01-04 00:37:47   n_bcast_buf = 256
2022-01-04 00:37:47   tcp_queue_limit = 64
2022-01-04 00:37:47   real_hash_size = 256
2022-01-04 00:37:47   virtual_hash_size = 256
2022-01-04 00:37:47   client_connect_script = '[UNDEF]'
2022-01-04 00:37:47   learn_address_script = '[UNDEF]'
2022-01-04 00:37:47   client_disconnect_script = '[UNDEF]'
2022-01-04 00:37:47   client_config_dir = '[UNDEF]'
2022-01-04 00:37:47   ccd_exclusive = DISABLED
2022-01-04 00:37:47   tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2022-01-04 00:37:47   push_ifconfig_defined = DISABLED
2022-01-04 00:37:47   push_ifconfig_local = 0.0.0.0
2022-01-04 00:37:47   push_ifconfig_remote_netmask = 0.0.0.0
2022-01-04 00:37:47   push_ifconfig_ipv6_defined = DISABLED
2022-01-04 00:37:47   push_ifconfig_ipv6_local = ::/0
2022-01-04 00:37:47   push_ifconfig_ipv6_remote = ::
2022-01-04 00:37:47   enable_c2c = DISABLED
2022-01-04 00:37:47   duplicate_cn = DISABLED
2022-01-04 00:37:47   cf_max = 0
2022-01-04 00:37:47   cf_per = 0
2022-01-04 00:37:47   max_clients = 1024
2022-01-04 00:37:47   max_routes_per_client = 256
2022-01-04 00:37:47   auth_user_pass_verify_script = '[UNDEF]'
2022-01-04 00:37:47   auth_user_pass_verify_script_via_file = DISABLED
2022-01-04 00:37:47   auth_token_generate = DISABLED
2022-01-04 00:37:47   auth_token_lifetime = 0
2022-01-04 00:37:47   auth_token_secret_file = '[UNDEF]'
2022-01-04 00:37:47   port_share_host = '[UNDEF]'
2022-01-04 00:37:47   port_share_port = '[UNDEF]'
2022-01-04 00:37:47   vlan_tagging = DISABLED
2022-01-04 00:37:47   vlan_accept = all
2022-01-04 00:37:47   vlan_pvid = 1
2022-01-04 00:37:47   client = ENABLED
2022-01-04 00:37:47   pull = ENABLED
2022-01-04 00:37:47   auth_user_pass_file = 'stdin'
2022-01-04 00:37:47 OpenVPN 2.6-icsopenvpn [git:v2.6-master-401-gcc435973] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 20 2021
2022-01-04 00:37:47 library versions: OpenSSL 3.0.1 14 Dec 2021, LZO 2.10
2022-01-04 00:37:47 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2022-01-04 00:37:47 MANAGEMENT: CMD 'version 3'
2022-01-04 00:37:47 MANAGEMENT: CMD 'hold release'
2022-01-04 00:37:47 MANAGEMENT: CMD 'bytecount 2'
2022-01-04 00:37:47 MANAGEMENT: CMD 'state on'
2022-01-04 00:37:47 MANAGEMENT: CMD 'username 'Auth' vpnuser'
2022-01-04 00:37:47 MANAGEMENT: CMD 'password [...]'
2022-01-04 00:37:47 MANAGEMENT: CMD 'proxy NONE'
2022-01-04 00:37:48 OpenSSL: error:0A00018E:SSL routines::ca md too weak
2022-01-04 00:37:48 MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file
2022-01-04 00:37:48 OpenSSL reported a certificate with a weak hash, please see the in app FAQ about weak hashes.
2022-01-04 00:37:48 MANAGEMENT: Client disconnected
2022-01-04 00:37:48 Cannot load inline certificate file
2022-01-04 00:37:48 Exiting due to fatal error
2022-01-04 00:37:48 Process exited with exit value 1

****** Log from 0.7.29 (aka working version) ******

2022-01-04 00:22:05 F-Droid built and signed version 0.7.29 running on vivo vivo 1819 (k71v1_64_bsp), Android 11 (RP1A.200720.012) API 30, ABI arm64-v8a, (vivo/1819N/1819N:11/RP1A.200720.012/compiler0623214610:user/release-keys)
2022-01-04 00:22:05 Building configuration…
2022-01-04 00:22:05 started Socket Thread
2022-01-04 00:22:05 Network Status: CONNECTED LTE to MOBILE xxxxx
2022-01-04 00:22:05 Debug state info: CONNECTED LTE to MOBILE xxxxx, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-01-04 00:22:05 Debug state info: CONNECTED LTE to MOBILE xxxxx, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-01-04 00:22:05 P:WARNING: linker: Warning: "/data/app/~~Cabklro6cExAJ4ccBEwH3Q==/de.blinkt.openvpn-HsftgqY-ag1SlMmhdApyhA==/lib/arm64/libovpnexec.so" is not a directory (ignoring)
2022-01-04 00:22:05 Note: --cipher is not set. OpenVPN versions before 2.6 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback 'BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-01-04 00:22:05 Current Parameter Settings:
2022-01-04 00:22:05   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2022-01-04 00:22:05   mode = 0
2022-01-04 00:22:05   show_ciphers = DISABLED
2022-01-04 00:22:05   show_digests = DISABLED
2022-01-04 00:22:05   show_engines = DISABLED
2022-01-04 00:22:05   genkey = DISABLED
2022-01-04 00:22:05   genkey_filename = '[UNDEF]'
2022-01-04 00:22:05   key_pass_file = '[UNDEF]'
2022-01-04 00:22:05   show_tls_ciphers = DISABLED
2022-01-04 00:22:05   connect_retry_max = 0
2022-01-04 00:22:05 Connection profiles [0]:
2022-01-04 00:22:05   proto = udp
2022-01-04 00:22:05   local = '[UNDEF]'
2022-01-04 00:22:05   local_port = '[UNDEF]'
2022-01-04 00:22:05   remote = 'xxx.xxx.xxx.xxx'
2022-01-04 00:22:05   remote_port = 'yyyyy'
2022-01-04 00:22:05   remote_float = ENABLED
2022-01-04 00:22:05   bind_defined = DISABLED
2022-01-04 00:22:05   bind_local = DISABLED
2022-01-04 00:22:05   bind_ipv6_only = DISABLED
2022-01-04 00:22:05   connect_retry_seconds = 2
2022-01-04 00:22:05   connect_timeout = 120
2022-01-04 00:22:05   socks_proxy_server = '[UNDEF]'
2022-01-04 00:22:05   socks_proxy_port = '[UNDEF]'
2022-01-04 00:22:05   tun_mtu = 1500
2022-01-04 00:22:05   tun_mtu_defined = ENABLED
2022-01-04 00:22:05   link_mtu = 1500
2022-01-04 00:22:05   link_mtu_defined = DISABLED
2022-01-04 00:22:05   tun_mtu_extra = 0
2022-01-04 00:22:05   tun_mtu_extra_defined = DISABLED
2022-01-04 00:22:05   mtu_discover_type = -1
2022-01-04 00:22:05   fragment = 0
2022-01-04 00:22:05   mssfix = 1450
2022-01-04 00:22:05   explicit_exit_notification = 0
2022-01-04 00:22:05   tls_auth_file = '[UNDEF]'
2022-01-04 00:22:05   key_direction = not set
2022-01-04 00:22:05   tls_crypt_file = '[INLINE]'
2022-01-04 00:22:05   tls_crypt_v2_file = '[UNDEF]'
2022-01-04 00:22:05 Connection profiles END
2022-01-04 00:22:05   remote_random = DISABLED
2022-01-04 00:22:05   ipchange = '[UNDEF]'
2022-01-04 00:22:05   dev = 'tun'
2022-01-04 00:22:05   dev_type = '[UNDEF]'
2022-01-04 00:22:05   dev_node = '[UNDEF]'
2022-01-04 00:22:05   lladdr = '[UNDEF]'
2022-01-04 00:22:05   topology = 1
2022-01-04 00:22:05   ifconfig_local = '[UNDEF]'
2022-01-04 00:22:05   ifconfig_remote_netmask = '[UNDEF]'
2022-01-04 00:22:05   ifconfig_noexec = DISABLED
2022-01-04 00:22:05   ifconfig_nowarn = ENABLED
2022-01-04 00:22:05   ifconfig_ipv6_local = '[UNDEF]'
2022-01-04 00:22:05   ifconfig_ipv6_netbits = 0
2022-01-04 00:22:05   ifconfig_ipv6_remote = '[UNDEF]'
2022-01-04 00:22:05   shaper = 0
2022-01-04 00:22:05   mtu_test = 0
2022-01-04 00:22:05   mlock = DISABLED
2022-01-04 00:22:05   keepalive_ping = 15
2022-01-04 00:22:05   keepalive_timeout = 60
2022-01-04 00:22:05   inactivity_timeout = 0
2022-01-04 00:22:05   ping_send_timeout = 15
2022-01-04 00:22:05   ping_rec_timeout = 60
2022-01-04 00:22:05   ping_rec_timeout_action = 2
2022-01-04 00:22:05   ping_timer_remote = DISABLED
2022-01-04 00:22:05   remap_sigusr1 = 0
2022-01-04 00:22:05   persist_tun = DISABLED
2022-01-04 00:22:05   persist_local_ip = DISABLED
2022-01-04 00:22:05   persist_remote_ip = DISABLED
2022-01-04 00:22:05   persist_key = DISABLED
2022-01-04 00:22:05   passtos = DISABLED
2022-01-04 00:22:05   resolve_retry_seconds = 1000000000
2022-01-04 00:22:05   resolve_in_advance = DISABLED
2022-01-04 00:22:05   username = '[UNDEF]'
2022-01-04 00:22:05   groupname = '[UNDEF]'
2022-01-04 00:22:05   chroot_dir = '[UNDEF]'
2022-01-04 00:22:05   cd_dir = '[UNDEF]'
2022-01-04 00:22:05   writepid = '[UNDEF]'
2022-01-04 00:22:05   up_script = '[UNDEF]'
2022-01-04 00:22:05   down_script = '[UNDEF]'
2022-01-04 00:22:05   down_pre = DISABLED
2022-01-04 00:22:05   up_restart = DISABLED
2022-01-04 00:22:05   up_delay = DISABLED
2022-01-04 00:22:05   daemon = DISABLED
2022-01-04 00:22:05   log = DISABLED
2022-01-04 00:22:05   suppress_timestamps = DISABLED
2022-01-04 00:22:05   machine_readable_output = ENABLED
2022-01-04 00:22:05   nice = 0
2022-01-04 00:22:05   verbosity = 4
2022-01-04 00:22:05   mute = 0
2022-01-04 00:22:05   gremlin = 0
2022-01-04 00:22:05   status_file = '[UNDEF]'
2022-01-04 00:22:05   status_file_version = 1
2022-01-04 00:22:05   status_file_update_freq = 60
2022-01-04 00:22:05   occ = ENABLED
2022-01-04 00:22:05   rcvbuf = 0
2022-01-04 00:22:05   sndbuf = 0
2022-01-04 00:22:05   sockflags = 0
2022-01-04 00:22:05   fast_io = DISABLED
2022-01-04 00:22:05   comp.alg = 0
2022-01-04 00:22:05   comp.flags = 24
2022-01-04 00:22:05   route_script = '[UNDEF]'
2022-01-04 00:22:05   route_default_gateway = '[UNDEF]'
2022-01-04 00:22:05   route_default_metric = 0
2022-01-04 00:22:05   route_noexec = DISABLED
2022-01-04 00:22:05   route_delay = 0
2022-01-04 00:22:05   route_delay_window = 30
2022-01-04 00:22:05   route_delay_defined = DISABLED
2022-01-04 00:22:05   route_nopull = DISABLED
2022-01-04 00:22:05   route_gateway_via_dhcp = DISABLED
2022-01-04 00:22:05   allow_pull_fqdn = DISABLED
2022-01-04 00:22:05   management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2022-01-04 00:22:05   management_port = 'unix'
2022-01-04 00:22:05   management_user_pass = '[UNDEF]'
2022-01-04 00:22:05   management_log_history_cache = 250
2022-01-04 00:22:05   management_echo_buffer_size = 100
2022-01-04 00:22:05   management_write_peer_info_file = '[UNDEF]'
2022-01-04 00:22:05   management_client_user = '[UNDEF]'
2022-01-04 00:22:05   management_client_group = '[UNDEF]'
2022-01-04 00:22:05   management_flags = 16678
2022-01-04 00:22:05   shared_secret_file = '[UNDEF]'
2022-01-04 00:22:05   key_direction = not set
2022-01-04 00:22:05   ciphername = 'BF-CBC'
2022-01-04 00:22:05   ncp_ciphers = 'CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC'
2022-01-04 00:22:05   authname = 'SHA512'
2022-01-04 00:22:05   prng_hash = 'SHA1'
2022-01-04 00:22:05   prng_nonce_secret_len = 16
2022-01-04 00:22:05   engine = DISABLED
2022-01-04 00:22:05 Waiting 0s seconds between connection attempt
2022-01-04 00:22:05   replay = ENABLED
2022-01-04 00:22:05   mute_replay_warnings = DISABLED
2022-01-04 00:22:05   replay_window = 64
2022-01-04 00:22:05   replay_time = 15
2022-01-04 00:22:05   packet_id_file = '[UNDEF]'
2022-01-04 00:22:05   test_crypto = DISABLED
2022-01-04 00:22:05   tls_server = DISABLED
2022-01-04 00:22:05   tls_client = ENABLED
2022-01-04 00:22:05   ca_file = '[INLINE]'
2022-01-04 00:22:05   ca_path = '[UNDEF]'
2022-01-04 00:22:05   dh_file = '[UNDEF]'
2022-01-04 00:22:05   cert_file = '[INLINE]'
2022-01-04 00:22:05   extra_certs_file = '[UNDEF]'
2022-01-04 00:22:05   priv_key_file = '[INLINE]'
2022-01-04 00:22:05   pkcs12_file = '[UNDEF]'
2022-01-04 00:22:05   cipher_list = '[UNDEF]'
2022-01-04 00:22:05   cipher_list_tls13 = '[UNDEF]'
2022-01-04 00:22:05   tls_cert_profile = '[UNDEF]'
2022-01-04 00:22:05   tls_verify = '[UNDEF]'
2022-01-04 00:22:05   tls_export_cert = '[UNDEF]'
2022-01-04 00:22:05   verify_x509_type = 0
2022-01-04 00:22:05   verify_x509_name = '[UNDEF]'
2022-01-04 00:22:05   crl_file = '[UNDEF]'
2022-01-04 00:22:05   ns_cert_type = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 65535
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_ku[i] = 0
2022-01-04 00:22:05   remote_cert_eku = 'TLS Web Server Authentication'
2022-01-04 00:22:05   ssl_flags = 192
2022-01-04 00:22:05   tls_timeout = 2
2022-01-04 00:22:05   renegotiate_bytes = -1
2022-01-04 00:22:05   renegotiate_packets = 0
2022-01-04 00:22:05   renegotiate_seconds = 3600
2022-01-04 00:22:05   handshake_window = 60
2022-01-04 00:22:05   transition_window = 3600
2022-01-04 00:22:05   single_session = DISABLED
2022-01-04 00:22:05   push_peer_info = DISABLED
2022-01-04 00:22:05   tls_exit = DISABLED
2022-01-04 00:22:05   tls_crypt_v2_metadata = '[UNDEF]'
2022-01-04 00:22:05   server_network = 0.0.0.0
2022-01-04 00:22:05   server_netmask = 0.0.0.0
2022-01-04 00:22:05   server_network_ipv6 = ::
2022-01-04 00:22:05   server_netbits_ipv6 = 0
2022-01-04 00:22:05   server_bridge_ip = 0.0.0.0
2022-01-04 00:22:05   server_bridge_netmask = 0.0.0.0
2022-01-04 00:22:05   server_bridge_pool_start = 0.0.0.0
2022-01-04 00:22:05   server_bridge_pool_end = 0.0.0.0
2022-01-04 00:22:05   ifconfig_pool_defined = DISABLED
2022-01-04 00:22:05   ifconfig_pool_start = 0.0.0.0
2022-01-04 00:22:05   ifconfig_pool_end = 0.0.0.0
2022-01-04 00:22:05   ifconfig_pool_netmask = 0.0.0.0
2022-01-04 00:22:05   ifconfig_pool_persist_filename = '[UNDEF]'
2022-01-04 00:22:05   ifconfig_pool_persist_refresh_freq = 600
2022-01-04 00:22:05   ifconfig_ipv6_pool_defined = DISABLED
2022-01-04 00:22:05   ifconfig_ipv6_pool_base = ::
2022-01-04 00:22:05   ifconfig_ipv6_pool_netbits = 0
2022-01-04 00:22:05   n_bcast_buf = 256
2022-01-04 00:22:05   tcp_queue_limit = 64
2022-01-04 00:22:05   real_hash_size = 256
2022-01-04 00:22:05   virtual_hash_size = 256
2022-01-04 00:22:05   client_connect_script = '[UNDEF]'
2022-01-04 00:22:05   learn_address_script = '[UNDEF]'
2022-01-04 00:22:05   client_disconnect_script = '[UNDEF]'
2022-01-04 00:22:05   client_config_dir = '[UNDEF]'
2022-01-04 00:22:05   ccd_exclusive = DISABLED
2022-01-04 00:22:05   tmp_dir = '/data/data/de.blinkt.openvpn/cache'
2022-01-04 00:22:05   push_ifconfig_defined = DISABLED
2022-01-04 00:22:05   push_ifconfig_local = 0.0.0.0
2022-01-04 00:22:05   push_ifconfig_remote_netmask = 0.0.0.0
2022-01-04 00:22:05   push_ifconfig_ipv6_defined = DISABLED
2022-01-04 00:22:05   push_ifconfig_ipv6_local = ::/0
2022-01-04 00:22:05   push_ifconfig_ipv6_remote = ::
2022-01-04 00:22:05   enable_c2c = DISABLED
2022-01-04 00:22:05   duplicate_cn = DISABLED
2022-01-04 00:22:05   cf_max = 0
2022-01-04 00:22:05   cf_per = 0
2022-01-04 00:22:05   max_clients = 1024
2022-01-04 00:22:05   max_routes_per_client = 256
2022-01-04 00:22:05   auth_user_pass_verify_script = '[UNDEF]'
2022-01-04 00:22:05   auth_user_pass_verify_script_via_file = DISABLED
2022-01-04 00:22:05   auth_token_generate = DISABLED
2022-01-04 00:22:05   auth_token_lifetime = 0
2022-01-04 00:22:05   auth_token_secret_file = '[UNDEF]'
2022-01-04 00:22:05   port_share_host = '[UNDEF]'
2022-01-04 00:22:05   port_share_port = '[UNDEF]'
2022-01-04 00:22:05   vlan_tagging = DISABLED
2022-01-04 00:22:05   vlan_accept = all
2022-01-04 00:22:05   vlan_pvid = 1
2022-01-04 00:22:05   client = ENABLED
2022-01-04 00:22:05   pull = ENABLED
2022-01-04 00:22:05   auth_user_pass_file = 'stdin'
2022-01-04 00:22:05 OpenVPN 2.5-icsopenvpn [git:icsopenvpn/v0.7.29-0-g65ad05d7] arm64-v8a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 19 2021
2022-01-04 00:22:05 library versions: OpenSSL 3.0.0 7 sep 2021, LZO 2.10
2022-01-04 00:22:05 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2022-01-04 00:22:05 MANAGEMENT: CMD 'version 3'
2022-01-04 00:22:05 MANAGEMENT: CMD 'hold release'
2022-01-04 00:22:05 MANAGEMENT: CMD 'bytecount 2'
2022-01-04 00:22:05 MANAGEMENT: CMD 'state on'
2022-01-04 00:22:05 MANAGEMENT: CMD 'username 'Auth' vpnuser'
2022-01-04 00:22:05 MANAGEMENT: CMD 'password [...]'
2022-01-04 00:22:05 MANAGEMENT: CMD 'proxy NONE'
2022-01-04 00:22:06 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-04 00:22:06 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-04 00:22:06 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2022-01-04 00:22:06 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-01-04 00:22:06 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
2022-01-04 00:22:06 MANAGEMENT: >STATE:1641226926,RESOLVE,,,,,,
2022-01-04 00:22:07 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 AF:14/121 ]
2022-01-04 00:22:07 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,auth SHA512,keysize 128,key-method 2,tls-client'
2022-01-04 00:22:07 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1585,tun-mtu 1500,proto UDPv4,auth SHA512,keysize 128,key-method 2,tls-server'
2022-01-04 00:22:07 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:yyyyy
2022-01-04 00:22:07 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2022-01-04 00:22:07 UDP link local: (not bound)
2022-01-04 00:22:07 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:yyyyy
2022-01-04 00:22:07 MANAGEMENT: >STATE:1641226927,WAIT,,,,,,
2022-01-04 00:22:07 MANAGEMENT: >STATE:1641226927,AUTH,,,,,,
2022-01-04 00:22:07 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:yyyyy, sid=86f2a7e4 389f2e26
2022-01-04 00:22:07 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AC68U, [email protected]
2022-01-04 00:22:07 VERIFY KU OK
2022-01-04 00:22:07 Validating certificate extended key usage
2022-01-04 00:22:07 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-01-04 00:22:07 VERIFY EKU OK
2022-01-04 00:22:07 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, OU=Home/Office, CN=RT-AC68U, [email protected]
2022-01-04 00:22:07 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bit RSA, signature: RSA-SHA1
2022-01-04 00:22:07 [RT-AC68U] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:yyyyy
2022-01-04 00:22:07 PUSH: Received control message: 'PUSH_REPLY,route 192.168.123.0 255.255.255.0 vpn_gateway 500,redirect-gateway def1,route-gateway 10.8.0.1,topology subnet,ping 15,ping-restart 60,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher CHACHA20-POLY1305'
2022-01-04 00:22:07 OPTIONS IMPORT: timers and/or timeouts modified
2022-01-04 00:22:07 OPTIONS IMPORT: --ifconfig/up options modified
2022-01-04 00:22:07 OPTIONS IMPORT: route options modified
2022-01-04 00:22:07 OPTIONS IMPORT: route-related options modified
2022-01-04 00:22:07 OPTIONS IMPORT: peer-id set
2022-01-04 00:22:07 OPTIONS IMPORT: adjusting link_mtu to 1624
2022-01-04 00:22:07 OPTIONS IMPORT: data channel crypto options modified
2022-01-04 00:22:07 Data Channel: using negotiated cipher 'CHACHA20-POLY1305'
2022-01-04 00:22:07 Data Channel MTU parms [ L:1537 D:1450 EF:37 EB:406 ET:0 EL:3 AF:14/121 ]
2022-01-04 00:22:07 Outgoing Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-01-04 00:22:07 Incoming Data Channel: Cipher 'CHACHA20-POLY1305' initialized with 256 bit key
2022-01-04 00:22:07 ROUTE_GATEWAY 127.100.103.119 IFACE=android-gw
2022-01-04 00:22:07 do_ifconfig, ipv4=1, ipv6=0
2022-01-04 00:22:07 MANAGEMENT: >STATE:1641226927,ASSIGN_IP,,10.8.0.2,,,,
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'IFCONFIG' ok'
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2022-01-04 00:22:07 MANAGEMENT: >STATE:1641226927,ADD_ROUTES,,,,,,
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'ROUTE' ok'
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'PERSIST_TUN_ACTION' OPEN_BEFORE_CLOSE'
2022-01-04 00:22:07 Opening tun interface:
2022-01-04 00:22:07 Local IPv4: 10.8.0.2/24 IPv6: (not set) MTU: 1500
2022-01-04 00:22:07 DNS Server: , Domain: null
2022-01-04 00:22:07 Routes: 0.0.0.0/0, 10.8.0.0/24, 192.168.123.0/24 
2022-01-04 00:22:07 Routes excluded:  
2022-01-04 00:22:07 VpnService routes installed: 0.0.0.0/0 
2022-01-04 00:22:07 Disallowed VPN apps: 
2022-01-04 00:22:07 No DNS servers being used. Name resolution may not work. Consider setting custom DNS Servers. Please also note that Android will keep using your proxy settings specified for your mobile/Wi-Fi connection when no DNS servers are set.
2022-01-04 00:22:07 MANAGEMENT: CMD 'needok 'OPENTUN' ok'
2022-01-04 00:22:07 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-01-04 00:22:07 Initialization Sequence Completed
2022-01-04 00:22:07 MANAGEMENT: >STATE:1641226927,CONNECTED,SUCCESS,10.8.0.2,xxx.xxx.xxx.xxx,yyyyy,,
2022-01-04 00:22:08 Debug state info: CONNECTED LTE to MOBILE xxxxx, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED 
2022-01-04 00:22:08 PID_ERR replay-window backtrack occurred [1] [SSL-0] [0_00000000011111] 0:16 0:15 t=1641226928[0] r=[-1,64,15,1,1] sl=[48,16,64,528]

****** openvpn client settings ******
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx yyyyy
resolv-retry infinite
nobind
float
ncp-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-256-CBC
auth SHA512
keepalive 15 60
auth-user-pass
remote-cert-tls server

schwabe · 2022-01-03T17:42:50Z

schwabe
Jan 3, 2022
Maintainer

The log already contains your answer:

2022-01-04 00:37:48 MGMT: Got unrecognized command>FATAL:Cannot load inline certificate file
2022-01-04 00:37:48 OpenSSL reported a certificate with a weak hash, please see the in app FAQ about weak hashes.

This is not the OpenSSL 3.0.0 to 3.0.1 but rather a bug in 0.7.29 that would set tls-profile to insecure if not defined.

And this is not about cipher suites. This is about the signing algorithm of the certificates that you are using. You can see them if do something like openssl x509 -in cert.pem -noout -text

And yes ASUS routers are known to still generate certificates with MD5/SHA1 unfortunately. You have to either get a fix from ASUS or live with the insecure setting.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

0.7.31 openssl issue with cipher suite #1434

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

0.7.31 openssl issue with cipher suite #1434

Uh oh!

Uh oh!

caseyng Jan 3, 2022

General information

Description of the issue

Replies: 1 comment

Uh oh!

Uh oh!

schwabe Jan 3, 2022 Maintainer

caseyng
Jan 3, 2022

schwabe
Jan 3, 2022
Maintainer