openVPN generated incorrect certs generated, key too small

openVPN generated incorrect certs generated, key too small

openVPN generated incorrect certs generated, key too small
openVPN generated incorrect certs generated, key too small
2024-02-02 12:27:14 - last edited Tuesday
Model: Archer AX73  
Hardware Version: V2
Firmware Version: 1.0.12

OpenVPN profiles, especially certs are too small, which causing unable to establish connection from modern Linux operating systems, like RHEL9 or Fedora 39.

 

Error is specifically:

 

OpenSSL: error:0A00018F:SSL routines::ee key too small:

 

So, is there a way, to customize the size of pem key during generating, or any settings which could be set in .openvpn file?

 

 

  4      
  4      
#1
Options
2 Accepted Solutions
Re:openVPN generated incorrect certs generated, key too small-Solution
2024-02-04 05:48:51 - last edited 2024-02-04 07:53:32

  @Sunshine Actually, I have discpvered, there exists two workarounds:

1. sudo update-crypto-policies LEGACY --> this is really not twhe way to do it, as it degrading the crypto policies system wide.

2. adding tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA to the generated .ovpn file and then importing to settings

 

The second option is preffered, as this way you are not degrading crypto policies system wide

 

Would be great to have this documented somewhere, or as I mentioned, increase the length of key by firmware of router

Recommended Solution
  5  
  5  
#3
Options
Re:openVPN generated incorrect certs generated, key too small-Solution
Tuesday - last edited Tuesday

@DerekLee  @DerekLee 

 

Thank you both for following up on this thread.

 

If both of your iOS devices fail to connect to the OpenVPN Server of the TP-Link router, please try modifying the settings on the OpenVPN Client app as follows, then let me know if it works:

Open the OpenVPN Connect client > Click the three-line symbol in the upper left corner > Settings > Slide to the bottom to find the Advanced Settings > Set Security Level to Legacy

Nice to Meet You in Our TP-Link Community. Check Out the Latest Posts: Connect TP-Link Archer BE550 to Germany's DS-Lite (Dual Stack Lite) Internet via WAN Archer GE550 - BE9300 Tri-Band Wi-Fi 7 Gaming Router EasyMesh Is Available When Wi-Fi Routers Work in AP Mode as A Controller. Archer AX55V2 Supports WireGuard VPN, EasyMesh Ethernet Backhaul, IoT Network, Speed Limit,and More If you found a post or response helpful, please click Helpful (arrow pointing upward icon). If you are the author of a topic, remember to mark a helpful reply as the "Recommended Solution" (star icon) so that others can benefit from it.
Recommended Solution
  0  
  0  
#20
Options
21 Reply
Re:openVPN generated incorrect certs generated, key too small
2024-02-04 03:42:55 - last edited 2024-02-04 03:43:42

  @pepicheck 

 

Hi, currently there is no method to customize it on the OpenVPN Server settings or .ovpn file of the router, you could try to change related settings on the Linux OpenVPN Client.

 

At the same time, we will record this feedback and report to senior engineer for evaluation.

Nice to Meet You in Our TP-Link Community. Check Out the Latest Posts: Archer GE550 - BE9300 Tri-Band Wi-Fi 7 Gaming Router EasyMesh Is Available When Wi-Fi Routers Work in AP Mode as A Controller. Archer BE550 New Software Enhances System Stability and Optimizes MLO Network Stability. TL-WA3001 Supports EasyMesh, Speed Limit, Guest Network in AP Mode and/or Multi-SSID Mode. If you found the post or response helpful, please click Helpful. If an answer solves your problem, click "Recommended Solution" so that others can benefit from it.
  1  
  1  
#2
Options
Re:openVPN generated incorrect certs generated, key too small-Solution
2024-02-04 05:48:51 - last edited 2024-02-04 07:53:32

  @Sunshine Actually, I have discpvered, there exists two workarounds:

1. sudo update-crypto-policies LEGACY --> this is really not twhe way to do it, as it degrading the crypto policies system wide.

2. adding tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA to the generated .ovpn file and then importing to settings

 

The second option is preffered, as this way you are not degrading crypto policies system wide

 

Would be great to have this documented somewhere, or as I mentioned, increase the length of key by firmware of router

Recommended Solution
  5  
  5  
#3
Options
Re:openVPN generated incorrect certs generated, key too small
2024-02-04 07:54:59

  @pepicheck 

 

Thank you very much for the feedback, we've forwarded your workarounds and also suggestion to our senior engineers.

Nice to Meet You in Our TP-Link Community. Check Out the Latest Posts: Archer GE550 - BE9300 Tri-Band Wi-Fi 7 Gaming Router EasyMesh Is Available When Wi-Fi Routers Work in AP Mode as A Controller. Archer BE550 New Software Enhances System Stability and Optimizes MLO Network Stability. TL-WA3001 Supports EasyMesh, Speed Limit, Guest Network in AP Mode and/or Multi-SSID Mode. If you found the post or response helpful, please click Helpful. If an answer solves your problem, click "Recommended Solution" so that others can benefit from it.
  0  
  0  
#4
Options
Re:openVPN generated incorrect certs generated, key too small
2024-02-04 15:26:31

  @Sunshine

 

so I second this issue. just started using open vpn on omada, newest version. now open vpn client will say ee key too small

 

tried the workaround above, but didnt work for me. perhaps im not sure where to put the tls ciper text on the opvn doc?

  0  
  0  
#5
Options
Re:openVPN generated incorrect certs generated, key too small
2024-02-04 15:27:29

  @pepicheck 

 

so I second this issue. just started using open vpn on omada, newest version. now open vpn client will say ee key too small, after it worked for an hour or so? 

 

tried the workaround above, but didnt work for me. perhaps im not sure where to put the tls ciper text on the opvn doc? i removed the original cipher and put in the one above, didnt work. what am i doing wrong> 

  0  
  0  
#6
Options
Re:openVPN generated incorrect certs generated, key too small
2024-02-04 16:20:42

  @TheYam 

 

so to add more context

 

within the ios OpenVPN app, i changed the "advanced settings" from "preferred"  to "Legacy" security standards, which is i suppose a key size that works with omada... however, the app prefers to use "preferred" settings, if you do this, open vpn will throw the ee key error. 

 

as others have said, please update key size within the open vpn generated config file!

 

thank you! 

  1  
  1  
#7
Options
Re:openVPN generated incorrect certs generated, key too small
2024-02-04 17:13:18

  @TheYam I have added that after cypher, in the beginning of the ovpn file. Well it works for me, on Fedora 39 linux. Omada would be different. Worth to search how to workaround this somewhere else.

  0  
  0  
#8
Options
Re:openVPN generated incorrect certs generated, key too small
2024-03-28 12:23:06

  @pepicheck @Sunshine 

I am coming from this post [https://community.tp-link.com/en/home/forum/topic/660708?replyId=1338512].

 

I have tried adding the line 

tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA

to my .ovpn file.

First I tried putting it before the
cipher AES-128-CBC

line, then I tried putting it after that line, then I tried with only the tls line.

 

All of these resulted in the same error message appearing, saying that my key is too small.

  2  
  2  
#9
Options
Re:openVPN generated incorrect certs generated, key too small
2024-03-28 12:34:36
I changed the settings on the openvpn client to legacy and that got rid of the key too small error. Now I am getting an issue where the vpn will always fail to connect. I tried it with both the original 128 CBC cipher and the tls cipher and both don't work. I am using ddns. I am registered through tplink so have a *.tplinkdns.com address. In the .ovpn file I have replace the remote line with remote *.tplinkdns.com so I don't think this is the issue but though it should be mentioned.
  1  
  1  
#10
Options
Re:openVPN generated incorrect certs generated, key too small
2024-03-28 13:03:02

  @Callum_1 it depends on Linux Distro you have. Also, yes, it really depends maybe also on ddns, as I do not have it, I am using TP-Link as a main gateway.

  0  
  0  
#11
Options