mirror of
https://github.com/schwabe/ics-openvpn.git
synced 2024-09-20 03:52:27 +02:00
Fix warning with mCipher=nulll and add OpenVPN3 related warning
parent
c47793c19e
commit
cbb4480758
@ -867,8 +867,7 @@ public class VpnProfile implements Serializable, Cloneable {
|
||||
}
|
||||
|
||||
private X509Certificate[] getKeyStoreCertificates(Context context) throws KeyChainException, InterruptedException {
|
||||
PrivateKey privateKey = KeyChain.getPrivateKey(context, mAlias);
|
||||
mPrivateKey = privateKey;
|
||||
mPrivateKey = KeyChain.getPrivateKey(context, mAlias);
|
||||
|
||||
|
||||
X509Certificate[] caChain = KeyChain.getCertificateChain(context, mAlias);
|
||||
@ -1059,6 +1058,22 @@ public class VpnProfile implements Serializable, Cloneable {
|
||||
}
|
||||
}
|
||||
|
||||
String dataciphers = "";
|
||||
if (!TextUtils.isEmpty(dataciphers))
|
||||
dataciphers = mDataCiphers.toUpperCase(Locale.ROOT);
|
||||
|
||||
String cipher = "BF-CBC";
|
||||
if (!TextUtils.isEmpty(mCipher))
|
||||
cipher = mCipher.toUpperCase(Locale.ROOT);
|
||||
|
||||
if (!mUseLegacyProvider &&
|
||||
(dataciphers.contains("BF-CBC")
|
||||
|| ((mCompatMode > 0 && mCompatMode < 20500) || useOpenVPN3)
|
||||
&& cipher.equals("BF-CBC")))
|
||||
{
|
||||
return R.string.bf_cbc_requires_legacy;
|
||||
}
|
||||
|
||||
// Everything okay
|
||||
return R.string.no_error_found;
|
||||
|
||||
|
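Review bot: The guard `if (!TextUtils.isEmpty(dataciphers))` in the second VpnProfile hunk tests the local that was just initialised to `""`, so it is never true and `mDataCiphers` is never read. As a result `dataciphers.contains("BF-CBC")` cannot match, and a profile that lists BF-CBC only in its data ciphers gets no `bf_cbc_requires_legacy` warning. The check should read `if (!TextUtils.isEmpty(mDataCiphers))`. The condition that follows mixes `||` and `&&` without grouping; it parses as `A || (B && C)`, which looks intended, but explicit parentheses around the `&&` term would make that clear. The enclosing method starts outside the hunk.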
@ -440,13 +440,10 @@
|
||||
<string name="mbits_per_second">%.1f Mbit/s</string>
|
||||
<string name="gbits_per_second">%.1f Gbit/s</string>
|
||||
<string name="weakmd"><p>Starting with OpenSSL version 1.1, OpenSSL rejects weak signatures in certificates like
|
||||
MD5.</p><p><b>MD5 signatures are completely insecure and should not be used anymore.</b> MD5
|
||||
collisions can be created in <a
|
||||
href="https://natmchugh.blogspot.de/2015/02/create-your-own-md5-collisions.html">few hours at a minimal cost.</a>.
|
||||
You should update the VPN certificates as soon as possible.</p><p>Unfortunately, older easy-rsa
|
||||
distributions included the config option "default_md md5". If you are using an old easy-rsa version, update to
|
||||
the <a href="https://github.com/OpenVPN/easy-rsa/releases">latest version</a>) or change md5 to sha256 and
|
||||
regenerate your certificates.</p><p>If you really want to use old and broken certificates use the custom
|
||||
MD5. Additionally with the OpenSSL 3.0 signatures with SHA1 are also rejected.</p><p>
|
||||
You should update the VPN certificates as soon as possible as SHA1 will also no longer work on other platforms in the
|
||||
near future.</p>
|
||||
<p>If you really want to use old and broken certificates use the custom
|
||||
configuration option tls-cipher "DEFAULT:@SECLEVEL=0" under advanced configuration or as additional line in your
|
||||
imported configuration</p>
|
||||
</string>
|
||||
@ -512,5 +509,6 @@
|
||||
<string name="compatmode">Compatibility Mode</string>
|
||||
<string name="compat_mode_label">Compatibility mode</string>
|
||||
<string name="loadossllegacy">Load OpenSSL legacy provider</string>
|
||||
<string name="bf_cbc_requires_legacy">Profiles uses BF-CBC which depends on OpenSSL legacy provider (not enabled).</string>
|
||||
|
||||
</resources>
|
||||
|
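Review bot: The new `bf_cbc_requires_legacy` string reads "Profiles uses" and tells the user only that the legacy provider is not enabled, which reads as a prompt to switch it on. BF-CBC is a 64-bit block cipher and is in the legacy provider because it is considered weak, so the message should name the safer fix as well. Something like `<string name="bf_cbc_requires_legacy">Profile uses BF-CBC, which needs the OpenSSL legacy provider (not enabled). BF-CBC is a weak 64-bit cipher; prefer AES-256-GCM.</string>` would cover both points.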