Just wanted to update the thread, I've applied the 1.4.20 firmware to treat these two vulnerabilities, and I'm confirming that new OpenVPN certs created after that update are signed using md5WithRSAEncryption , not the sha256WithRSAEncryption used by the 1.4.2.17ts-6 beta, and honored by newer OpenVPN clients.

I'm able to function since the SHA-signed OpenVPN certs I generated using the 1.4.2.17ts-6 beta are still present, and my OpenVPN clients will connect to the RV using them; I'm just documenting that 1.4.20 firmware does not include the fix from the beta.

tl;dr: If your OpenVPN is functional w/ the 1.4.2.17ts-6 beta, you can apply 1.4.20 without it breaking; you just can't create new certs...

Thank you for sharing this very helpful information !!

@support, thanks.  I didn't see your post with the work-around.

On iOS, I only observed the April 2018 warning.  On Windows, the OpenVPN client won't connect at all.  Google helped me find the same work-around that was suggested above by @support.

I simply added the line...

tls-cipher "DEFAULT:@SECLEVEL=0"

...to the .ovpn client config file and I could connect.  I haven't tried to see if this works for iOS client.  Hopefully this workaround works after the publicized April deadline.

I tried to add 'tls-cipher "DEFAULT:@SECLEVEL=0"' on my profile on iOS device and it didn't work.

I hope for an update from Cisco for my RV320. OpenVPN is very usefull for me.

Not too sure how to go about curing IOS problem, on my android I was able to download older version of the app and fixed, your hands ar slightly more tied with IOS appstore though.

I noticed that Cisco released a firmware update for this, although it is future-dated:

https://software.cisco.com/download/home/284005929/type/282465789/release/1.4.2.19

The release notes only have one resolved issue, nothing else new:

Number Description
CSCvg85922 The RV32x router’s configuration file was accessible from
the WAN/LAN without authentication.

So, I'm guessing this means no fix for OpenVPN.

This is pretty basic functionality. If this is not fixed, I will not be replacing the unit with another Cisco. I really liked this product, but this is huge hole.

This workaround seems to be functional on the Windows client, assuming log messages like the below (prior to other apparently normal SSL negotiation messages) mean that it is still connecting securely.

Sat Apr 28 19:58:47 2018 VERIFY OK: depth=1, CN=70:70:8b:f7:a4:d0, OU=RV325, O=Cisco Systems, Inc., L=Irvine, C=US, ST=Califomia
Sat Apr 28 19:58:47 2018 VERIFY OK: depth=0, C=AU, ST=<STATE>, L=<SUBURB>, O=<ORG>, OU=<UNIT>, CN=router

Sadly, it did not work for the latest Android app client.

Appreciate the info!!

Is there any ETA for when the firmware will be out of beta and publically available for download?  I'm based in Hong Kong and have little interest in calling half way around the world to download a beta.  I assume Cisco is aware that most manufacturers share Betas publically nowadays.  Not sure what this "call us" company policy is trying to achieve.  It's certainly not impressing anyone in 2018.