
RV320 OpenVPN MD5

Weber23
Level 1

If I connect with the latest Android OpenVPN, it tells me the certificates I created with RV320 are MD5 signed. It also tells me that MD5 support will end April 2018.

So how else shall I create certificates for OpenVPN? The root cert uses SHA256 but the Ovpn client/server certs are created with MD5.


Can anybody from Cisco please confirm that the version "RV32X_v1.4.2.19_20180330" does *NOT* include the MD5 fix from "RV32X_v1.4.2.17ts-6_20180321"? I.e., is the older version "better" than the newest on the web?

It does not contain the fix. That's why everyone is irate. What you can do is use Easy VPN as per @werner's suggestion (even though its client is officially retired) because it still works with Android's and Windows' built-in VPN functionalities.

Basically, Cisco doesn't give a f^&* about us, even though many of us have obtained these devices new, when both the defect and the fix were known to them. We're just not where they make their money; they get rich from big purchases and expensive support contracts.


@l_s wrote:

It does not contain the fix. That's why everyone is irate. What you can do is use Easy VPN as per @werner's suggestion (even though its client is officially retired) because it still works with Android's and Windows' built-in VPN functionalities.

Basically, Cisco doesn't give a f^&* about us, even though many of us have obtained these devices new, when both the defect and the fix were known to them. We're just not where they make their money; they get rich from big purchases and expensive support contracts.


They probably wait for the feedback of hundreds of beta users before they release something.. I can live with the beta.. it's doing the job..

Cisco released firmware update 1.4.2.20 today (1/23/19). The only documented change is this resolved issue:

CSCvm78058: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability.

I've long switched to a pfSense setup for the better. It has far more OpenVPN options and works quite well.

Hey guys

I might have some news for this feed.

Last weekend I was double upgrading one RV325 (MD5 issue, OpenVPN client 2.4.5+ bitching/not working).

The former software generated certificates signed only with MD5.

I had to open a TAC case and get the beta, RV32X_v1.4.2.19ts-13_20181226-code.bin.

Now the nice part was, I didn't need to delete the whole config of the router.

I only needed to generate all the certificates regarding OpenVPN... careful, the server certificate is also signed with MD5 (although the self-signed certificate of the router is signed with SHA, don't understand the whole situation...).

After regenerating all the certificates and all the OpenVPN accounts, I upgraded my OpenVPN client to 2.4.6, and everything works.

Generated a couple of users for the future :-) because the official release still does not support generation of certificates signed by anything other than MD5.

And finally I upgraded to the official release RV32X_v1.4.2.20_20181224-code.bin.

Works like a charm... until the next trouble :-)

HTH

Leo

 

 

When I upgrade I'm not able to create new users. I have OpenVPN server and client certs, so after that I go to OpenVPN Accounts, and when I add a new user it just refreshes to the "OpenVPN summary page" and the user is missing. I end up with empty users and there is nothing in the logs which points to what the cause is.

I think it will end up with resetting it.


Firmware: v1.4.2.20 (2018-12-24)
 

As far as I understood other users, you'll have to prepare everything first with the beta version before you upgrade to the latest and greatest..

"(although the self signed certificate of the router is signed with sha, dont understand whole situation...)"..

This is what I'm also not sure about: what is going on? Are we really sure we create no leaks?

Hi,

So, if I understand correctly, if I use the RV32X_v1.4.2.19ts-13_20181226-code.bin firmware, I can create sha encrypted certificates and after that I can upgrade to a newer firmware and keep using the certificates?

 

Could anyone share this RV32X_v1.4.2.19ts-13_20181226-code.bin firmware?

 

And does anyone know if this is something that is being worked on? It feels kinda stupid to throw away a bunch of relatively new routers because of this weird issue... 

 

Anyone from Cisco?

 

Cheers,

Robert.

Yes, your understanding is correct.

You can create certificates using the 12/2018 image and then upgrade to the January 2019 image to fix known vulnerabilities, with the certificates staying there.

You will not be able to create new certs though, but will have a functional and patched config.

Cisco lately gives a ... about its customers as in SMB same way in other segments, so I would not bother to try to get a literate answer from Cisco. We had been waiting for it for quite some time and I am focusing on different products already. If they don't bother, why should I.

I can provide the image tomorrow when back home.

Regards

Leo 

Hi Leo,
Thanks for taking the time to respond.
What image do you mean by 12/2018?
The latest (RV32X_v1.4.2.20_20181224-code.bin) says 201812.... but that one doesn't do sha..
You probably mean another image but I can't find it on the regular download site.

Cheers,
Robert.

Ah, sorry, must have missed that last line, "I can provide the image tomorrow when back home." while reading on my phone.
Looking forward to it!

Thanks Leo!

That works like a charm.

 

Since using sha seems to be possible I wonder what the reason is for not adding it to the last firmware....

Well, let's hope it will be in the next one.

 

Cheers,

Robert.

Hi,
I confirm that this method works!
Thank you very much for sharing.
Kr