Security Advisory

Planned removal of MD5 support

At the beginning of November 2017, we released a new version of OpenVPN Connect for Android with many security and functionality improvements. Shortly thereafter we received reports from some users that making a connection was no longer possible. The error messages varied from "certificate verification failed" to "TCP EOF" network errors. We traced this to certificates used by older implementations of OpenVPN open source servers that were signed with MD5 signature hashes. These signatures are insecure and should not be used anymore.

It is important to note that OpenVPN Access Server was not affected by this issue. The issue concerns open source implementations of OpenVPN that use certificates signed with a hashing method called MD5, which has been determined to be broken and should not be used anymore. Customers of our commercial OpenVPN Access Server offering did not suffer from these problems and do not need to take action. This only really affects people using an open source OpenVPN implementation, either set up themselves or part of a third-party embedded product like a router or VPN server product.

We have temporarily added support for MD5 signature hashes back into the OpenVPN Connect for Android app, which is available on the Play Store now. If you upgrade to this version, this particular problem should be resolved for you. But the real problem, namely the use of certificates signed with MD5, is not resolved by this. We strongly encourage you to use secure certificates instead of the flawed MD5 certificates. It is absolutely not secure to use these older types of certificates, and we cannot in good conscience continue to support such a poor level of security in our OpenVPN security product. Therefore support for MD5 will be ending in May of 2018. This gives our users time to migrate to a secure configuration using, for example, certificates signed with a SHA256 hash or better.

See the FAQ item regarding MD5 support in the Android app for more technical details on how to detect and resolve this problem.
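One way to check which signature hash the certificates in a client profile use, as an added example that is not from OpenVPN or its FAQ: it reads the signatureAlgorithm OID of each PEM certificate embedded in an .ovpn-style profile. The sample profile, the host vpn.example.com and the helper names are constructed for illustration, and only the two RSA OIDs shown are named; any other algorithm is reported by its hex OID.

```python
import base64
import re

MD5_RSA = bytes.fromhex("2a864886f70d010104")     # OID 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11
NAMES = {MD5_RSA: "md5WithRSAEncryption", SHA256_RSA: "sha256WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_oid(der):
    """Walk Certificate -> skip tbsCertificate -> signatureAlgorithm -> OID."""
    _, cert_start, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, cert_start)
    _, alg_start, _ = read_tlv(der, tbs_end)
    tag, start, end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return der[start:end]

def audit_profile(text):
    """Signature algorithm of every PEM certificate found in a profile."""
    out = []
    for body in PEM_RE.findall(text):
        oid = signature_oid(base64.b64decode("".join(body.split())))
        out.append(NAMES.get(oid, "other:" + oid.hex()))
    return out

# Constructed sample input: certificate-shaped DER with dummy contents, not real certificates.
def tlv(tag, body):
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def fake_pem(oid):
    der = tlv(0x30, tlv(0x30, tlv(0x04, bytes(300)))
              + tlv(0x30, tlv(0x06, oid) + b"\x05\x00") + tlv(0x03, b"\x00\xaa"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

SAMPLE_PROFILE = ("client\nremote vpn.example.com 1194\n<ca>\n" + fake_pem(MD5_RSA)
                  + "</ca>\n<cert>\n" + fake_pem(SHA256_RSA) + "</cert>\n")
print(audit_profile(SAMPLE_PROFILE))
```

Any certificate reported as md5WithRSAEncryption, whether the CA or the client certificate, needs to be reissued with a SHA256 or better signature before MD5 support ends.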