This is for users with certificates generated by the current PHPKI contrib for OpenVPN connections via mobiles.
Over the weekend OpenVPN upgraded their iPhone connect app from 3.1.1 to 3.2.0
As a result my iPhondle users could no longer connect with an error:
There was an error attempting to connect to the selected server
Error message: parser_cert_crl_error ca cert/crl content ended unexpectedly without end marker
The phone was making no attempt to connect.
Android seemed OK.
However, when I upgraded to the Android Beta app and it occurs there immediately after upgrading.
I opened this bug which they then tried to tell me I had spaces in my config file, which is several types of nonsense in one go.
https://community.openvpn.net/openvpn/ticket/1292After some digging around and testing it appears from what I can tell that they have deprecated MD5 based certificates overnight. They had warned that they would do, though why right now I have no idea, apart from wanting to piss off a load of users.
No warnings, no mercy, no chance of regressing for a bit. No patience for lots of remote workers in a pandemic. Nothing. Not even an admission at the time of writing, though I expect they'll come up with some excuse in due course.
I have subsequently tested this on certificates generated by the new version of PHPKI that I have built that uses SHA1 instead of MD5.
The bad news is that you will have remove ALL your old PHPKI setup, install fresh and regenerate ALL of your configs, which in my case means that I also need to generate new certificates for all my router-router VPNs as well. I had got it pencilled in for when I upgraded to v10......
I expect the new Android version will be out shortly which will break any Android handsets.
Sometimes I really wonder about some developers.
4 Replies
1110 Views