OpenVPN Connect for iOS change log

Changes between 1.2.8 and 1.2.9:

  • show MD5 warning pop-up only once per VPN session
  • fix glitch upon key re-negotiation when using tls-crypt
  • fix interoperability issue with private keys created using OpenSSL 1.1 default settings (aka add support for private keys encrypted using PKCS#5v2.0 with PRF newer than SHA1)

Changes between 1.2.7 and 1.2.8:

  • fixed spurious crash on reconnection after sleep
  • restored access to CertificatePayloads (p12 bundles) uploaded via Provisioning Profiles (.mobileconfig files)
  • show warning pop-up when connecting to server using insecure MD5 algorithm to sign certificates (MD5 support will be dropped end of Apr 2018)
  • report unique app specific UUID to server within peer info (variable IV_HWADDR)
  • added support for ECDSA ciphersuites (for EC certificates)
  • fixed VPN status after closing and re-opening App with tunnel activated (VPN IPs, last event, etc.)
  • fixed profiles loading from iCloud with Files app (due to an iOS bug, only 1 file can be loaded at once)
  • improved .ovpn12 file import

Changes between 1.2.6 and 1.2.7:

  • fixed WiFi detection while connected via LTE
  • fixed tunnel reconfiguration after reconnection with seamless tunnel ON
  • added message about new .ovpn12 extension in cert list (when empty)
  • fixed issue with DNS upon reconnection in split tunnel setups
  • fixed tunnel disconnection when closing App from background app list
  • fixed spurious connection crash when connecting using TCP
  • fixed several connection instabilities
  • fixed routing towards VPN IPs other than the VPN server
  • fixed usage of PROXY_AUTO_CONFIG_URL and PROXY_BYPASS setting
  • fixed DNS settings when server directive comes as last one

Changes between 1.2.5 and 1.2.6:

  • fixed reconnection with external certificate or password when device is still locked
  • fixed blank-screen issue on iPods
  • fixed reconnection after sleep or connectivity loss
  • fixed seamless tunnel handling
  • fixed tls-auth setup. Missing key-direction in new profiles is again interpreted as “bidirectional” mode
  • fixed DNS server assignment on split tunnel configurations
  • fixed IPv6 DNS server assignment on split tunnel configurations
  • fixed search domain assignment on split tunnel configurations
  • fixed profile renaming
  • fixed PROXY settings assignment
  • fixed permanent disconnection due to TRANSPORT_ERROR when uplink is unavailable

Changes between 1.1.1 and 1.2.5:

  • converted VPN backend to new Apple Network Extensions framework
  • implemented private keychain for storing certificates and passwords. PKCS#12 bundles imported via Safari or Mail must now end with ‘.ovpn12’
  • implemented support for “tls-crypt” config option. If the OpenVPN server you are connecting to has enabled this option, it will provide a safer method to exchange certificates during the initial TLS handshake
  • improved log verbosity
  • added preference switch to disable MD5 in TLS
  • updated mbedTLS to 2.6.0 (MD5 support will be dropped on Apr, 31st 2018)
  • updated ovpn3 backend
