openVPN generated incorrect certs generated, key too small
OpenVPN profiles, especially certs are too small, which causing unable to establish connection from modern Linux operating systems, like RHEL9 or Fedora 39.
Error is specifically:
OpenSSL: error:0A00018F:SSL routines::ee key too small:
So, is there a way, to customize the size of pem key during generating, or any settings which could be set in .openvpn file?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
@Sunshine Actually, I have discpvered, there exists two workarounds:
1. sudo update-crypto-policies LEGACY --> this is really not twhe way to do it, as it degrading the crypto policies system wide.
2. adding tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA to the generated .ovpn file and then importing to settings
The second option is preffered, as this way you are not degrading crypto policies system wide
Would be great to have this documented somewhere, or as I mentioned, increase the length of key by firmware of router
- Copy Link
- Report Inappropriate Content
Thank you both for following up on this thread.
If both of your iOS devices fail to connect to the OpenVPN Server of the TP-Link router, please try modifying the settings on the OpenVPN Client app as follows, then let me know if it works:
Open the OpenVPN Connect client > Click the three-line symbol in the upper left corner > Settings > Slide to the bottom to find the Advanced Settings > Set Security Level to Legacy
- Copy Link
- Report Inappropriate Content
Hi, currently there is no method to customize it on the OpenVPN Server settings or .ovpn file of the router, you could try to change related settings on the Linux OpenVPN Client.
At the same time, we will record this feedback and report to senior engineer for evaluation.
- Copy Link
- Report Inappropriate Content
@Sunshine Actually, I have discpvered, there exists two workarounds:
1. sudo update-crypto-policies LEGACY --> this is really not twhe way to do it, as it degrading the crypto policies system wide.
2. adding tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA to the generated .ovpn file and then importing to settings
The second option is preffered, as this way you are not degrading crypto policies system wide
Would be great to have this documented somewhere, or as I mentioned, increase the length of key by firmware of router
- Copy Link
- Report Inappropriate Content
Thank you very much for the feedback, we've forwarded your workarounds and also suggestion to our senior engineers.
- Copy Link
- Report Inappropriate Content
so I second this issue. just started using open vpn on omada, newest version. now open vpn client will say ee key too small
tried the workaround above, but didnt work for me. perhaps im not sure where to put the tls ciper text on the opvn doc?
- Copy Link
- Report Inappropriate Content
so I second this issue. just started using open vpn on omada, newest version. now open vpn client will say ee key too small, after it worked for an hour or so?
tried the workaround above, but didnt work for me. perhaps im not sure where to put the tls ciper text on the opvn doc? i removed the original cipher and put in the one above, didnt work. what am i doing wrong>
- Copy Link
- Report Inappropriate Content
so to add more context
within the ios OpenVPN app, i changed the "advanced settings" from "preferred" to "Legacy" security standards, which is i suppose a key size that works with omada... however, the app prefers to use "preferred" settings, if you do this, open vpn will throw the ee key error.
as others have said, please update key size within the open vpn generated config file!
thank you!
- Copy Link
- Report Inappropriate Content
@TheYam I have added that after cypher, in the beginning of the ovpn file. Well it works for me, on Fedora 39 linux. Omada would be different. Worth to search how to workaround this somewhere else.
- Copy Link
- Report Inappropriate Content
I am coming from this post [https://community.tp-link.com/en/home/forum/topic/660708?replyId=1338512].
I have tried adding the line
tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA
to my .ovpn file.
First I tried putting it before the
cipher AES-128-CBC
line, then I tried putting it after that line, then I tried with only the tls line.
All of these resulted in the same error message appearing, saying that my key is too small.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@Callum_1 it depends on Linux Distro you have. Also, yes, it really depends maybe also on ddns, as I do not have it, I am using TP-Link as a main gateway.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 4
Views: 6269
Replies: 21