SSL VPN - Cert Error

Hello everyone,

I am using the latest version of Sophos UTM and everything is working very well so far.

Recently I have the problem that I can no longer create an SSL VPN. I work with a self-signed certificate, and I have also tried to create a new one with higher encryption, but the problem persists. Do I have to buy an official certificate so that I can use SSL VPN again?

Error Log can be found in the attachment.

Thanks for your help.

Best regards

Parents
  • SHA-1 is considered unsafe and deprecated.
    Re-generate the CA certificate using a more secure algorithm (at least SHA-256, maybe SHA-512 or even ECDSA).

  • Hi Alan,

    Thank you for your answer.

    I'm a bit confused, maybe because I don't configure the firewall that often anymore.

    But when I go to Certificate Management on the Sophos UTM - I generate a new certificate - but I can't choose the encryption - where can I configure this?

    When I go to Remote Access - SSL VPN and Advanced, I have configured the following:
    AES-256-CBC
    SHA-2 256
    4096bit

    What am I doing wrong? Funnily enough, you are right, SHA1 is always selected, although I have adjusted this for SSL before I generate the new self-signed certificate.

    Can you give me a hint?

    Best regards

Children
  • Are you using p12 files created by the UTM on your client?

    I get this on the clients (which are Fedora laptops) after recent client OS updates:

    nm-openvpn[593966]: OpenSSL: error:11800071:PKCS12 routines::mac verify failure:
    nm-openvpn[593966]: OpenSSL: error:0308010C:digital envelope routines::unsupported:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
    nm-openvpn[593966]: Decoding PKCS12 failed. Probably wrong password or unsupported/legacy encryption

    This is caused by the outdated version of OpenSSL used on the UTM. Current versions don't support RC2-40-CBC anymore.

    For me the solution was to unpack the p12 files on my laptop (Fedora 39) using the openssl --legacy option, create the individual ca.cert, user.cert and user.key files, and then recreate the p12 (I prefer p12s because it keeps the user's private key protected).
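    As an added example (not code from the thread or from Sophos), here is a small checker that scans a .p12 bundle's DER bytes for the PBE algorithm OIDs, so you can tell before rolling out a UTM-exported bundle whether it uses the RC2-40-CBC encryption that OpenSSL 3 clients reject. It assumes a plain substring scan over the DER is sufficient (no full ASN.1 parsing), and the sample inputs are constructed fragments, not real bundles.

```python
"""Flag PKCS#12 bundles that need OpenSSL's legacy provider (RC2-40-CBC)."""
from __future__ import annotations

# DER-encoded OIDs (tag 0x06, length, contents) of the PBE schemes seen in .p12 files.
PBE_OIDS = {
    # 1.2.840.113549.1.12.1.6, pbeWithSHAAnd40BitRC2-CBC: legacy provider only in OpenSSL 3
    "pbeWithSHAAnd40BitRC2-CBC": bytes.fromhex("060a2a864886f70d010c0106"),
    # 1.2.840.113549.1.12.1.3, pbeWithSHAAnd3-KeyTripleDES-CBC: old key-bag default, still supported
    "pbeWithSHAAnd3-KeyTripleDES-CBC": bytes.fromhex("060a2a864886f70d010c0103"),
    # 1.2.840.113549.1.5.13, PBES2: what a current `openssl pkcs12 -export` emits (AES-256-CBC)
    "PBES2": bytes.fromhex("06092a864886f70d01050d"),
}
LEGACY_ONLY = {"pbeWithSHAAnd40BitRC2-CBC"}


def find_pbe_algorithms(p12_der: bytes) -> set[str]:
    """Names of the PBE OIDs present in the bundle. AlgorithmIdentifiers sit in the
    cleartext outer structure, so a substring scan finds them; a chance match inside
    ciphertext is possible but extremely unlikely for 11-12 byte patterns."""
    return {name for name, oid in PBE_OIDS.items() if oid in p12_der}


def needs_legacy_provider(p12_der: bytes) -> bool:
    """True when the bundle can only be opened with `openssl pkcs12 -legacy ...`
    and should be re-exported (extract with -legacy, then -export without it)."""
    return bool(find_pbe_algorithms(p12_der) & LEGACY_ONLY)


def classify_file(path: str) -> dict:
    with open(path, "rb") as fh:
        data = fh.read()
    return {"algorithms": sorted(find_pbe_algorithms(data)),
            "needs_legacy": needs_legacy_provider(data)}


# Constructed test fragments (hypothetical, not valid bundles): a SEQUENCE wrapping
# one AlgorithmIdentifier, enough to exercise the scan without generating keys.
def constructed_fragment(oid: bytes) -> bytes:
    body = oid + b"\x05\x00"
    return b"\x30" + bytes([len(body)]) + body


LEGACY_SAMPLE = constructed_fragment(PBE_OIDS["pbeWithSHAAnd40BitRC2-CBC"])
MODERN_SAMPLE = constructed_fragment(PBE_OIDS["PBES2"])

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        r = classify_file(p)
        print(f"{p}: {'LEGACY, re-export' if r['needs_legacy'] else 'ok'} {r['algorithms']}")
```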