View Issue Details

IDProjectCategoryView StatusLast Update
0007768Kali LinuxGeneral Bugpublic2022-06-29 15:01
Reporteruser6331Assigned Todaniruiz  
PrioritynormalSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version2022.2 
Summary0007768: Openssl and Openvpn upgrade
Description

Hi,

Since openssl has been upgraded to a major version 3.0.3, all my VPN profiles are not working anymore.

I get this error each time: "OpenSSL: error:0A00018E:SSL routines::ca md too weak"

Same thing happens when I connect to a VPN profile from Network Manager, it fails immediately

Any idea ?

Activities

marwin666

marwin666

2022-06-24 14:43

reporter   ~0016314

I confirm this problem, plus a problem with Remina.

user6331

2022-06-24 14:51

  ~0016315

I found a way to bypass the security level defind by tls, but it's also a security flaw
"openvpn --config htb.ovpn --tls-cipher DEFAULT:@SECLEVEL=0"
Or you can add "tls-cipher DEFAULT:@SECLEVEL=0" to your ovpn config file

That does not resolve the network-manager-openvpn connection, since it doesn't support this option yet in the graphical configuration dialog

marwin666

marwin666

2022-06-24 15:06

reporter   ~0016316

My problem with the connection did not solve this option.

user6331

2022-06-24 15:08

  ~0016317

what is the error exactly ?

daniruiz

daniruiz

2022-06-24 17:08

manager   ~0016318

In my case changing the option cipher with data-ciphers in the .ovpn file fixed it, but I don't know if that is related to your issue @j_jito as I don't get the same error message.

I get:
DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.

https://forums.openvpn.net/viewtopic.php?p=107147#p107165

Seems like cipher was a deprecated option before, and the warning was already there (just checked with a previous kali) and now is definitively incompatible

user6331

2022-06-24 17:21

  ~0016319

@daniruiz I also got the data-ciphers issue, which I fixed by adding data-ciphers inside the ovpn file

But the "OpenSSL: error:0A00018E:SSL routines::ca md too weak" issue is more common to weak ssl ciphers when generating the private key
https://forums.openvpn.net/viewtopic.php?t=23979 I have this error with many vpn providers, like proton, nord, ipvanish, PIA, etc... even HackTheBox and TryHackMe ovpn files.

You can try openvpn --config htb.vpn I've already added the data-ciphers option inside the ovpn btw

You can bypass the error by adding --tls-cipher DEFAULT:@SECLEVEL=0

user6331

2022-06-24 17:26

  ~0016320

Here is the htb.ovpn file
wget -O htb.ovpn http://oshi.at/gxrF

user6331

2022-06-24 17:29

  ~0016321

Sorry, the link is broken, but if you have a HackTheBox account, you can download the htb1337.ovpn

daniruiz

daniruiz

2022-06-24 17:30

manager   ~0016322

In my case, the htb openvpn file already had the option tls-cipher "DEFAULT:@SECLEVEL=0" included

user6331

2022-06-24 17:32

  ~0016323

Can you try to import htb.ovpn into Network-Manager and try to connect from there ?

daniruiz

daniruiz

2022-06-24 18:10

manager   ~0016324

We recommend using the openvpn command as the network manager option for vpn in gnome and xfce never really worked for us
Here's the bug report from ubuntu https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1847144

user6331

2022-06-24 18:14

  ~0016325

Thanks for the info, I didn't know

It worked well until openssl and openvpn upgrade, but I'll use the openvpn command from now on

boomshankerx

boomshankerx

2022-06-25 21:11

reporter   ~0016326

Is there a reason kali decided to upgrade to openvpn 2.6 before it entered stable support? Was this a mistake?
https://community.openvpn.net/openvpn/wiki/SupportedVersions

openvpn/kali-rolling,now 2.6.0~git20220518+dco-2 amd64

boomshankerx

boomshankerx

2022-06-25 21:30

reporter   ~0016327

Turns out debian testing integrated openvpn 2.6 so we are along for the ride.

https://tracker.debian.org/pkg/openvpn

daniruiz

daniruiz

2022-06-29 14:53

manager   ~0016339

I'm closing this as it's not a bug but a change from openvpn.
The package openvpn 2.6 comes directly from Debian testing

Issue History

Date Modified Username Field Change
2022-06-23 13:27 user6331 New Issue
2022-06-24 14:43 marwin666 Note Added: 0016314
2022-06-24 14:51 user6331 Note Added: 0016315
2022-06-24 15:06 marwin666 Note Added: 0016316
2022-06-24 15:08 user6331 Note Added: 0016317
2022-06-24 17:08 daniruiz Note Added: 0016318
2022-06-24 17:21 user6331 Note Added: 0016319
2022-06-24 17:26 user6331 Note Added: 0016320
2022-06-24 17:29 user6331 Note Added: 0016321
2022-06-24 17:30 daniruiz Note Added: 0016322
2022-06-24 17:32 user6331 Note Added: 0016323
2022-06-24 18:10 daniruiz Note Added: 0016324
2022-06-24 18:14 user6331 Note Added: 0016325
2022-06-25 21:11 boomshankerx Note Added: 0016326
2022-06-25 21:30 boomshankerx Note Added: 0016327
2022-06-29 14:53 daniruiz Note Added: 0016339
2022-06-29 15:01 daniruiz Assigned To => daniruiz
2022-06-29 15:01 daniruiz Status new => resolved
2022-06-29 15:01 daniruiz Resolution open => fixed