
Fix warning with mCipher=nulll and add OpenVPN3 related warning

Arne Schwabe 2021-10-13 01:40:35 +02:00
parent c47793c19e
commit cbb4480758
2 changed files with 22 additions and 9 deletions


@ -867,8 +867,7 @@ public class VpnProfile implements Serializable, Cloneable {
}
private X509Certificate[] getKeyStoreCertificates(Context context) throws KeyChainException, InterruptedException {
PrivateKey privateKey = KeyChain.getPrivateKey(context, mAlias);
mPrivateKey = privateKey;
mPrivateKey = KeyChain.getPrivateKey(context, mAlias);
X509Certificate[] caChain = KeyChain.getCertificateChain(context, mAlias);
@ -1059,6 +1058,22 @@ public class VpnProfile implements Serializable, Cloneable {
}
}
String dataciphers = "";
if (!TextUtils.isEmpty(dataciphers))
dataciphers = mDataCiphers.toUpperCase(Locale.ROOT);
String cipher = "BF-CBC";
if (!TextUtils.isEmpty(mCipher))
cipher = mCipher.toUpperCase(Locale.ROOT);
if (!mUseLegacyProvider &&
(dataciphers.contains("BF-CBC")
|| ((mCompatMode > 0 && mCompatMode < 20500) || useOpenVPN3)
&& cipher.equals("BF-CBC")))
{
return R.string.bf_cbc_requires_legacy;
}
// Everything okay
return R.string.no_error_found;
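Review bot: The guard at the top of the second hunk tests the local `dataciphers`, which the line before just initialised to `""`, instead of the field `mDataCiphers`; the branch therefore never runs, `dataciphers` stays empty, and the `dataciphers.contains("BF-CBC")` half of the condition can never be true, so a BF-CBC entry in the data-ciphers list never triggers the legacy-provider warning. The line should read `if (!TextUtils.isEmpty(mDataCiphers))`. The mixed `||`/`&&` expression evaluates as contains-check OR ((compat-mode OR OpenVPN3) AND cipher-is-BF-CBC), which appears to be the intent, but an explicit pair of parentheses around the `&&` term would make that precedence visible to the next reader. The enclosing method starts before the hunk, so its other return paths are not visible here.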


@ -440,13 +440,10 @@
<string name="mbits_per_second">%.1f Mbit/s</string>
<string name="gbits_per_second">%.1f Gbit/s</string>
<string name="weakmd">&lt;p>Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like
MD5.&lt;/p>&lt;p>&lt;b>MD5 signatures are completely insecure and should not be used anymore.&lt;/b> MD5
collisions can be created in &lt;a
href="https://natmchugh.blogspot.de/2015/02/create-your-own-md5-collisions.html">few hours at a minimal cost.&lt;/a>.
You should update the VPN certificates as soon as possible.&lt;/p>&lt;p>Unfortunately, older easy-rsa
distributions included the config option "default_md md5". If you are using an old easy-rsa version, update to
the &lt;a href="https://github.com/OpenVPN/easy-rsa/releases">latest version&lt;/a>) or change md5 to sha256 and
regenerate your certificates.&lt;/p>&lt;p>If you really want to use old and broken certificates use the custom
MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.&lt;/p>&lt;p>
You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the
near future.&lt;/p>
&lt;p>If you really want to use old and broken certificates use the custom
configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your
imported configuration&lt;/p>
</string>
@ -512,5 +509,6 @@
<string name="compatmode">Compatibility Mode</string>
<string name="compat_mode_label">Compatibility mode</string>
<string name="loadossllegacy">Load OpenSSL legacy provider</string>
<string name="bf_cbc_requires_legacy">Profiles uses BF-CBC which depends on OpenSSL legacy provider (not enabled).</string>
</resources>
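Review bot: The new `bf_cbc_requires_legacy` string reads `Profiles uses BF-CBC …`, a subject/verb mismatch in a user-facing warning; I would change it to `Profile uses BF-CBC, which depends on the OpenSSL legacy provider (not enabled).`. Since this text is shown as the reason a profile fails its check, a short hint on where the provider is enabled (the same `loadossllegacy` setting two lines above) would make the message actionable.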