Announcement

**sky-knight** · 12-05-2018, 04:56 PM

I had a server after upgrade to 14.0.1 early last week, result in working existing VPN clients but new clients would generate failed installations, I think because the installer version of OpenVPN wasn't aligned with the generated certificates. In practice new clients would install, but could never connect due to a TLS handshake error.

The same process you mentioned here fixed it, just reinitialize everything and redistribute the VPN clients.

**dmorris** · 12-05-2018, 05:26 PM

Originally posted by sky-knight View Post

TLS handshake error.

Yes, if you see like that and something about the 'failed to verify' the certificate, that is almost certainly the issue.
Lots of newer clients, and newer versions of the existing clients, are more demanding about what will and will not be accepted.

**johnsonx42** · 12-05-2018, 05:56 PM

Originally posted by sky-knight View Post

I had a server after upgrade to 14.0.1 early last week, result in working existing VPN clients but new clients would generate failed installations, I think because the installer version of OpenVPN wasn't aligned with the generated certificates. In practice new clients would install, but could never connect due to a TLS handshake error.

The same process you mentioned here fixed it, just reinitialize everything and redistribute the VPN clients.

wait, do you mean that on an existing v14 server, where the OpenVPN configuration has been around for awhile (i.e. all of mine), I can't install any new clients without ripping and replacing the whole thing?

**jcoffin** · 12-05-2018, 06:02 PM

Originally posted by johnsonx42 View Post

wait, do you mean that on an existing v14 server, where the OpenVPN configuration has been around for awhile (i.e. all of mine), I can't install any new clients without ripping and replacing the whole thing?

No, not entirely. It all depends on the client software installed on the remote PC. If the PC software has updated, it might not accept the generated cert. The Windows installer on the UT will work on existing Windows but if you install the latest OpenVPN client on any OS, it will want a higher encryption than was offered on v12 or earlier OpenVPN server certificate generation.

Again, this issue is due to client application updates, not Untangle upgrades.

**sky-knight** · 12-05-2018, 06:14 PM

Originally posted by johnsonx42 View Post

wait, do you mean that on an existing v14 server, where the OpenVPN configuration has been around for awhile (i.e. all of mine), I can't install any new clients without ripping and replacing the whole thing?

In my case the version of OpenVPN shipped by Untangle could no longer use the certificates it was generating. So I either nuked the module and reinitialized it, OR I was going to have to try to guess what old version of OpenVPN to install over the top of what Untangle provided for my new client.

So what I'm seeing is Untangle v14 will ship broken stuff, if you've got old around because it's packing the newer client with old certificates. The already issued stuff was fine, this issue was limited to a new client I tried to create.

This change has been in the wild for a year, we've had plenty of time to migrate, I didn't get all mine done and now I'm paying the price in support. That's on me, I'm hardly critical of Untangle for this.

**dmorris** · 12-05-2018, 08:45 PM

Originally posted by sky-knight View Post

In my case the version of OpenVPN shipped by Untangle could no longer use the certificates it was generating. So I either nuked the module and reinitialized it, OR I was going to have to try to guess what old version of OpenVPN to install over the top of what Untangle provided for my new client.

Just to be clear, the windows installer created by Untangle's OpenVPN app (v2.4.3) still accepts 2048-bit and MD5 certs.

If you are using your own OpenVPN client with the config file produced by Untangle's OpenVPN app, what it accepts entirely depends on what client you are using. Some have minimum requirements on certs, and some actually won't accept certain deprecated arguments (though those are mostly non-official clients in my experience)

**johnsonx42** · 12-05-2018, 09:57 PM

sky's experience seems to contradict dmorris's explanation.

**johnsonx42** · 12-06-2018, 01:15 PM

i dunno... there seem to be several threads here indicating a 14.1 upgrade breaks existing site-to-site connections (involving only untangle, nothing 3rd party). I'm logging in to my sites that depend on site-to-site and disabling upgrades until this picture becomes clear... I can't have the sites suddenly go down.

(followup: at one site the client side had already upgraded 14.1 and all was well; however that site is pretty new, the OpenVPN config was created with 13.x so it may not be affected. at another the site, which is older, probably goes back to 11.x, the server was about to upgrade and I stopped it and the client side as well. Neither of the sites will be a big problem to re-generate the OpenVPN config on both ends if I have to, I just don't want the 6am panic call "everything is down, no one can work!")

**donhwyo** · 12-06-2018, 02:33 PM

I do updates by clean install and importing the backup. I am guessing that brings along the old certs. Does it?

**dmorris** · 12-06-2018, 02:56 PM

Originally posted by donhwyo View Post

I do updates by clean install and importing the backup. I am guessing that brings along the old certs. Does it?

Yes, the certificate for the server is in the backup (it has to be otherwise the clients would refuse to connect to restored servers!)

We switched from MD5 to SHA many years ago so unless your backup is really old you won't have an issue.

People with MD5 are just noticing because they're officially dropping MD5 support in many clients. This includes the official openvpn client for windows (2.4.6) that you would download from the directly from them as well as some others like tunnelblick.

You can check your cert with:
sudo openssl x509 -text -noout -in /usr/share/untangle/settings/openvpn/server.crt | grep "Signature Algo"

**donhwyo** · 12-06-2018, 03:26 PM

Thanks they have probably been drug forward from 10.

**dmorris** · 12-06-2018, 03:37 PM

Originally posted by donhwyo View Post

Thanks they have probably been drug forward from 10.

In that case you probably want to regen the cert before too long. Our client (2.4.3) still accepts it, but if you use others they're getting more stringent. Also eventually we'll want to update the one included in Untangle and when we do that even it won't accept MD5 certs.

**donhwyo** · 12-06-2018, 05:44 PM

Done. Thanks

**johnsonx42** · 12-07-2018, 02:39 PM

Originally posted by dmorris View Post

You can check your cert with:
sudo openssl x509 -text -noout -in /usr/share/untangle/settings/openvpn/server.crt | grep "Signature Algo"

At the site I'm at now I get "md5WithRSAEncryption"

So this one is going to be a problem, yes?

Announcement

Notice for long time OpenVPN users

Notice for long time OpenVPN users

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment