RV320 OpenVPN MD5

Weber23
Level 1

If I connect with the latest Android OpenVPN it tells me, the certificates I created with RV320 are MD5 signed. Also it tells me, that MD5 support will end April 2018.

So how else shall I create certificates for OpenVPN? The root cert uses SHA256 but the Ovpn client/server certs are created with MD5.

76 Replies

FYI, support contract required to open case, as per Cisco web page: "To create or manage a case, you must have an active service contract linked to your account. Would you like to add one no"
[https://mycase.cloudapps.cisco.com/error?type=3]

Just wanted to update the thread: I've applied the 1.4.20 firmware to treat these two vulnerabilities, and I'm confirming that new OpenVPN certs created after that update are signed using md5WithRSAEncryption, not the sha256WithRSAEncryption used by the 1.4.2.17ts-6 beta and honored by newer OpenVPN clients.

I'm able to function since the SHA-signed OpenVPN certs I generated using the 1.4.2.17ts-6 beta are still present, and my OpenVPN clients will connect to the RV using them; I'm just documenting that 1.4.20 firmware does not include the fix from the beta.

tl;dr: If your OpenVPN is functional w/ the 1.4.2.17ts-6 beta, you can apply 1.4.20 without it breaking; you just can't create new certs...
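A way to confirm which algorithm signed each certificate in a profile, without a full TLS library. The script below is an added example, not code from this thread or from Cisco: it reads the inline `<ca>` and `<cert>` blocks of an .ovpn file and decodes just enough DER to read the outer `Certificate.signatureAlgorithm` OID (RFC 5280 section 4.1), then flags md5WithRSAEncryption and sha1WithRSAEncryption. The profile it audits is constructed inside the script, and its certificates are synthetic Certificate-shaped blobs built to carry a chosen OID (a placeholder tbsCertificate and a dummy signature), not real router certificates, so it runs offline. On a real exported cert, `openssl x509 -noout -text -in client.crt | grep 'Signature Algorithm'` gives the same answer.

```python
"""Report the signature algorithm of each certificate embedded in an OpenVPN profile."""
import base64
import re

# RSA signature algorithm OIDs (RFC 3279 / RFC 4055) that matter for this thread.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
INLINE_RE = re.compile(r"<(ca|cert)>(.*?)</\1>", re.S)


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Return the dotted OID of the outer Certificate.signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid_value, _ = _read_tlv(alg_id, 0)
    assert oid_tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid_value)


def pem_to_der(pem_text):
    """Base64-decode the first PEM CERTIFICATE block found in pem_text."""
    body = PEM_RE.search(pem_text).group(1)
    return base64.b64decode("".join(body.split()))


def audit_profile(ovpn_text):
    """Map each inline <ca>/<cert> section to (algorithm name, is_weak)."""
    report = {}
    for section, body in INLINE_RE.findall(ovpn_text):
        oid = signature_algorithm(pem_to_der(body))
        name = SIG_OIDS.get(oid, oid)
        report[section] = (name, name in WEAK)
    return report


# --- constructed sample data below; no real keys or certificates involved ---

def _tlv(tag, content):
    """Minimal DER TLV encoder (lengths below 65536 are enough for the sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    if n < 0x100:
        return bytes([tag, 0x81, n]) + content
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + content


def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (inverse of _decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def fake_certificate_pem(sig_oid):
    """Synthetic Certificate-shaped blob: placeholder tbsCertificate, the given
    signatureAlgorithm, and a dummy signature. It is NOT a verifiable certificate."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                         # SEQUENCE { INTEGER 1 }
    alg = _tlv(0x30, _encode_oid(sig_oid) + _tlv(0x05, b""))      # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAB" * 16)                      # BIT STRING, 0 unused bits
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


# Constructed profile mirroring the thread: SHA-256 root CA, MD5-signed client cert.
SAMPLE_PROFILE = f"""client
dev tun
remote vpn.example.net 1194
<ca>
{fake_certificate_pem('1.2.840.113549.1.1.11')}
</ca>
<cert>
{fake_certificate_pem('1.2.840.113549.1.1.4')}
</cert>
"""

if __name__ == "__main__":
    for section, (name, weak) in audit_profile(SAMPLE_PROFILE).items():
        print(f"<{section}>: {name}{'  <-- weak digest' if weak else ''}")
```

The check deliberately reads the outer signatureAlgorithm rather than the copy inside tbsCertificate; the two must match for a valid certificate, and the outer one is what a verifier applies, so it is the one that tells you whether a client enforcing a digest policy will reject the chain.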

Thank you for sharing this very helpful information !!

support
Level 1

As a workaround you can add tls-cipher "DEFAULT:@SECLEVEL=0" to your certificate and it will allow you to connect. Obviously the security element is still an issue, but it allows connection.

alippiatt
Level 1

The OpenVPN client for Windows works up to version 2.4.4. However, 2.4.5 blocks connection due to this! The iOS app version 1.2.9 currently works, but warns it will no longer work after April 2018.

JonasHK
Level 1

Just noticed this on my RV325 as well with the latest firmware. What an incredible waste of money if I have to throw away my RV325 come April this year because I can't use the OpenVPN server to access my home network.


Disappointing.  I thought we were paying a premium for a quality product.

@support, thanks.  I didn't see your post with the work-around.


On iOS, I only observed the April 2018 warning.  On Windows, the OpenVPN client won't connect at all.  Google helped me find the same work-around that was suggested above by @support.


I simply added the line...

tls-cipher "DEFAULT:@SECLEVEL=0"

...to the .ovpn client config file and I could connect.  I haven't tried to see if this works for iOS client.  Hopefully this workaround works after the publicized April deadline.
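For context, here is the workaround from this thread placed in a complete OpenVPN 2.4 client profile. This is an added example, not a profile from any of the posters or from Cisco; the remote address, port and file names are placeholders:

```text
client
dev tun
proto udp
# placeholder: the router's WAN address and the OpenVPN server port
remote vpn.example.net 1194
# root CA exported from the router (SHA-256 signed per the original post)
ca ca.crt
# client certificate and key generated by the router (MD5 signed)
cert client.crt
key client.key
# Workaround only: lowers OpenSSL's security level on the client so the
# MD5-signed chain is accepted. Remove it once the certs are re-issued
# with a SHA-2 signature.
tls-cipher "DEFAULT:@SECLEVEL=0"
```

The directive changes what the client is willing to accept; it does not change the certificates, so anyone auditing the deployment will still find MD5-signed client certs.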

I tried to add 'tls-cipher "DEFAULT:@SECLEVEL=0"' on my profile on iOS device and it didn't work.

I hope for an update from Cisco for my RV320. OpenVPN is very useful for me.

Not too sure how to go about curing the iOS problem. On my Android I was able to download an older version of the app and fix it; your hands are slightly more tied with the iOS App Store, though.

I noticed that Cisco released a firmware update for this, although it is future-dated:

https://software.cisco.com/download/home/284005929/type/282465789/release/1.4.2.19

Details

Description : Image for Cisco RV320 and RV325 Firmware Release 1.4.2.19
Release : 1.4.2.19
Release Date : 27-Apr-2018
FileName : RV32X_v1.4.2.19_20180330-code.bin
Size : 34.93 MB ( 36626432 bytes)


The release notes only have one resolved issue, nothing else new:


Number: CSCvg85922
Description: The RV32x router’s configuration file was accessible from the WAN/LAN without authentication.


So, I'm guessing this means no fix for OpenVPN.


This is pretty basic functionality. If this is not fixed, I will not be replacing the unit with another Cisco. I really liked this product, but this is huge hole.

This workaround seems to be functional on the Windows client, assuming log messages like the below (prior to other apparently normal SSL negotiation messages) mean that it is still connecting securely.


Sat Apr 28 19:58:47 2018 VERIFY OK: depth=1, CN=70:70:8b:f7:a4:d0, OU=RV325, O=Cisco Systems, Inc., L=Irvine, C=US, ST=Califomia
Sat Apr 28 19:58:47 2018 VERIFY OK: depth=0, C=AU, ST=<STATE>, L=<SUBURB>, O=<ORG>, OU=<UNIT>, CN=router


Sadly, it did not work for the latest Android app client.

wycalero
Cisco Employee

Good Morning,


Even if you don't have a contract on the unit, you have a limited lifetime warranty on it. You are able to call 1-866-606-1866 and open a new ticket; we have a beta firmware available that solves this problem.


Regards.

Appreciate the info!!

Is there any ETA for when the firmware will be out of beta and publicly available for download? I'm based in Hong Kong and have little interest in calling halfway around the world to download a beta. I assume Cisco is aware that most manufacturers share betas publicly nowadays. Not sure what this "call us" company policy is trying to achieve. It's certainly not impressing anyone in 2018.