OpenVPN - Issues With MD5 Certificate and NGFW version 15.1

You may have heard that you can edit client config files or create entries in OpenVPN's advanced options as a workaround for connection issues with the older MD5-signed certificate. That workaround is never recommended, mainly because it reduces the overall security of your NGFW (it effectively instructs the NGFW to trust any certificate it encounters). It is also temporary at best; you must reinstall the OpenVPN app to update the certificate to the newer, SHA-512-signed version.

The solution to the MD5 certificate issue is to remove & reinstall the OpenVPN app on the NGFW itself (see the linked instructions for the steps and more detail about the issue).

We do not do this automatically because the certificate is part of the client config file. If we were to update the certificate, all existing OpenVPN clients (including site-to-site connections) would be unable to connect to the updated NGFW.

The reason this occurred specifically starting in version 15.1 of NGFW has to do with the new version of Linux used in that version: Debian 10, AKA 'buster'. The buster kernel also will not trust older MD5-signed certificates, so an NGFW running version 15.1 will reject OpenVPN connections from clients (including other NGFWs) that still present the old MD5-signed certificate.
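As an added example (not part of this article and not code from the NGFW product), the following Python script locates the inline PEM blocks (`<ca>`, `<cert>`) in an .ovpn client profile and reports the signature algorithm of each certificate, so an administrator can see which client profiles still carry an MD5-signed certificate before an NGFW is upgraded to 15.1. It uses only the standard library; the sample .ovpn text and the certificate-shaped DER it embeds are constructed for the demonstration (an empty tbsCertificate followed by a real signature-algorithm OID), not real certificates. On a real profile the same answer comes from the "Signature Algorithm" line of `openssl x509 -noout -text -in ca.crt`.

```python
import base64
import re

# Standard PKCS#1 signature-algorithm OIDs relevant to this article.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

# ---- minimal DER helpers (enough to reach the outer signatureAlgorithm) ----

def _read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes to dotted form."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)

def signature_algorithm(der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, pos, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _read_tlv(der, pos)          # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    assert tag == 0x06, "expected OID inside AlgorithmIdentifier"
    return _decode_oid(der[oid_start:oid_end])

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def certs_in_ovpn(text):
    """Yield DER bytes for every inline PEM certificate in an .ovpn profile."""
    for m in PEM_RE.finditer(text):
        yield base64.b64decode("".join(m.group(1).split()))

def audit_ovpn(text):
    """Return [(algorithm_name, is_md5_signed), ...] for each certificate found."""
    result = []
    for der in certs_in_ovpn(text):
        name = SIG_OIDS.get(signature_algorithm(der), "unknown")
        result.append((name, name.startswith("md5")))
    return result

# ---- constructed sample input (NOT real certificates) ----

def _tlv(tag, body):
    return bytes([tag, len(body)]) + body        # short-form length is enough here

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out += bytes(chunk)
    return out

def fake_cert_der(sig_oid):
    """Certificate-shaped DER skeleton: empty tbsCertificate, real signature OID, dummy signature."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00"))

def fake_pem(sig_oid):
    b64 = base64.b64encode(fake_cert_der(sig_oid)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----"

# Constructed profile: an MD5-signed CA (would be rejected by a 15.1 NGFW) and a SHA-512-signed client cert.
SAMPLE_OVPN = (
    "client\ndev tun\nremote ngfw.example.invalid 1194\n"
    "<ca>\n" + fake_pem("1.2.840.113549.1.1.4") + "\n</ca>\n"
    "<cert>\n" + fake_pem("1.2.840.113549.1.1.13") + "\n</cert>\n"
)

if __name__ == "__main__":
    for name, bad in audit_ovpn(SAMPLE_OVPN):
        print(f"{name:28s} {'REJECTED by NGFW 15.1' if bad else 'ok'}")
```

Only the outer AlgorithmIdentifier is inspected; that is the field OpenSSL on buster checks when it refuses an MD5 signature, and it is the one that changes when the OpenVPN app is reinstalled and a new SHA-512-signed certificate is issued.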
