The latest release of OpenVPN now considers Billion's built-in CAs, which use the SHA1 algorithm, too weak; they should be updated to SHA2.
The latest release of OpenVPN will now not connect to Billion routers using the built-in CAs, which isn't optional.
Let me check with our engineers
Try changing the HMAC authentication as shown below
The three authentication options below, SHA256, SHA384 and SHA512, are SHA-2.
The built-in CA has been generated with the SHA1 algorithm (160 bit). The built-in CA should be regenerated with a SHA2 algorithm (256 bit), which can then be exported and used with OpenVPN clients.
What you've posted there is basically the tunnel encryption, which is as it should be.
OpenVPN works with a CA at each end of the encrypted tunnel, which should now be SHA2.
Engineers have stated the only option is to use the renew CA function. This feature will use the stronger SHA2 (SHA512) to generate it.
I would assume renew CA with the current firmware would present a new key with the same SHA1 algorithm. I also assume the router isn't actually generating keys and they are preinstalled on the router. Are you saying that's not the case with the current firmware?
No. Press renew CA with the current firmware and it will generate a new CA using SHA2 (SHA512).
This will generate a random CA using SHA2
You are correct. A renewed CA is SHA2; however, a renewed CA doesn't have extendedKeyUsage with client/server flags, unlike the default SHA1 CA.
The OpenVPN server CA should be distinguished as a server certificate. The renewed CA is not: "extendedKeyUsage = critical, serverAuth".
Our engineers are asking how you verified the renewed cert does not have "extendedKeyUsage = critical, serverAuth", so they can investigate.
The OpenVPN connection log gives the following warning, which has prompted me to import the cert and take a closer look. It's not generated with extendedKeyUsage (EKU), which is bad... Renewed CAs are currently useless.
"WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info."
I'm guessing the default CA is pre-installed and the renewed are being generated by firmware?
The CA must be generated with "extendedKeyUsage = critical, serverAuth" and, as we're using the same CA to export to clients, "extendedKeyUsage = critical, clientAuth".
Your OpenVPN client export file should contain the line "remote-cert-eku "TLS Web Server Authentication"" or "remote-cert-tls server".
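The thread above asks the router for two things: a CA signed with a SHA-2 digest instead of SHA1, and certificates that carry the extendedKeyUsage flags that OpenVPN's "remote-cert-tls server" checks for. The script below is an added example, not code from the forum thread and not Billion's firmware: it builds that PKI with the openssl CLI (a SHA-512 signed CA, a server cert with a critical serverAuth EKU, a client cert with clientAuth), deliberately issues one server cert with no EKU at all to mirror the "renewed CA" complaint, and then inspects each PEM file the way you would after exporting a cert from the router. It assumes openssl 1.1.1 or 3.x is on PATH; every name in it (Example VPN CA, vpn.example.net, laptop-01, the WORK directory) is made up. Note that the "auth SHA512" tunnel setting suggested earlier in the thread is the data-channel HMAC and has nothing to do with the hash the CA signs with, which is what the checks below look at.

```shell
#!/bin/sh
# Added example (not from the forum thread or Billion firmware): build a SHA-2
# signed CA plus server/client certs with explicit EKU flags, then inspect them.
# Assumes the openssl CLI (1.1.1 or 3.x). All names below are invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DIGEST=sha512          # signature hash for the CA and every issued cert

# Minimal req config so nothing here depends on the system openssl.cnf.
write_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Leaf extensions: the EKU is what "remote-cert-tls server" looks for.
  cat > "$WORK/server.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  cat > "$WORK/client.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Deliberately EKU-less, mirroring the "renewed CA" complaint in the thread.
  cat > "$WORK/noeku.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}

# Issue a leaf cert signed by the CA: issue_cert <name> <CN> <extfile>
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -"$DIGEST" -days 825 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  write_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -"$DIGEST" -days 3650 \
    -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=Example VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  issue_cert server vpn.example.net "$WORK/server.ext"
  issue_cert client laptop-01       "$WORK/client.ext"
  issue_cert noeku  vpn.example.net "$WORK/noeku.ext"
}

# Signature algorithm of a PEM cert, e.g. sha512WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Extended Key Usage names of a PEM cert (empty when the extension is absent).
cert_eku() {
  openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

# Approximates the EKU half of OpenVPN's "remote-cert-tls server": the peer
# cert must carry serverAuth. Returns 0 (accept) or 1 (reject).
remote_cert_tls_server_accepts() {
  case "$(cert_eku "$1")" in
    *"TLS Web Server Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  build_pki
  for c in ca server client noeku; do
    printf '%-7s %-26s EKU: %s\n' "$c" "$(cert_sig_alg "$WORK/$c.crt")" "$(cert_eku "$WORK/$c.crt")"
  done
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt"
  remote_cert_tls_server_accepts "$WORK/server.crt" && echo "server.crt: accepted"
  remote_cert_tls_server_accepts "$WORK/noeku.crt" || echo "noeku.crt: rejected (no serverAuth EKU)"
}

main
```

Run it on an exported router cert by calling `cert_sig_alg` and `cert_eku` on that file: a SHA1 CA shows `sha1WithRSAEncryption`, and a cert with no EKU line is exactly what makes a client configured with `remote-cert-tls server` refuse the connection. The real OpenVPN check also requires a suitable keyUsage (digitalSignature plus keyEncipherment or keyAgreement), which the server.ext above sets; the helper here only models the EKU part.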