Skip to content
https://www.sparklabs.com/support/kb/article/vpn-service-providers/
Cheers,
James
No more connection since last update
Got a problem with Viscosity or need help? Ask here!
Hi MorphoV,
More information on why you're unable to connect should be available in the OpenVPN log. Please feel free to post a copy of the log here if you'd like help taking a look.
https://www.sparklabs.com/support/kb/article/viewing-the-openvpn-log/
Cheers,
James
More information on why you're unable to connect should be available in the OpenVPN log. Please feel free to post a copy of the log here if you'd like help taking a look.
https://www.sparklabs.com/support/kb/article/viewing-the-openvpn-log/
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Here is a log loop:
2019-11-20 10:32:30: Viscosity Mac 1.8.2 (1516)
2019-11-20 10:32:30: Viscosity OpenVPN Engine Started
2019-11-20 10:32:30: Running on macOS 10.14.6
2019-11-20 10:32:30: ---------
2019-11-20 10:32:30: State changed to Connecting
2019-11-20 10:32:30: Checking reachability status of connection...
2019-11-20 10:32:30: Connection is reachable. Starting connection attempt.
2019-11-20 10:32:30: OpenVPN 2.4.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 11 2019
2019-11-20 10:32:30: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
2019-11-20 10:32:30: Resolving address: fr1-ovpn-udp.pointtoserver.com
2019-11-20 10:32:30: Valid endpoint found: 172.111.219.2:53:udp
2019-11-20 10:32:30: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2019-11-20 10:32:30: TCP/UDP: Preserving recently used remote address: [AF_INET]172.111.219.2:53
2019-11-20 10:32:30: UDP link local: (not bound)
2019-11-20 10:32:30: UDP link remote: [AF_INET]172.111.219.2:53
2019-11-20 10:32:30: State changed to Authenticating
2019-11-20 10:32:30: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-11-20 10:32:30: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, [email protected]
2019-11-20 10:32:30: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2019-11-20 10:32:30: TLS_ERROR: BIO read tls_read_plaintext error
2019-11-20 10:32:30: TLS Error: TLS object -> incoming plaintext read error
2019-11-20 10:32:30: TLS Error: TLS handshake failed
2019-11-20 10:32:30: SIGTERM received, sending exit notification to peer
2019-11-20 10:32:30: SIGTERM[soft,tls-error] received, process exiting
2019-11-20 10:32:31: State changed to Disconnected
Thanks.
2019-11-20 10:32:30: Viscosity Mac 1.8.2 (1516)
2019-11-20 10:32:30: Viscosity OpenVPN Engine Started
2019-11-20 10:32:30: Running on macOS 10.14.6
2019-11-20 10:32:30: ---------
2019-11-20 10:32:30: State changed to Connecting
2019-11-20 10:32:30: Checking reachability status of connection...
2019-11-20 10:32:30: Connection is reachable. Starting connection attempt.
2019-11-20 10:32:30: OpenVPN 2.4.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 11 2019
2019-11-20 10:32:30: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
2019-11-20 10:32:30: Resolving address: fr1-ovpn-udp.pointtoserver.com
2019-11-20 10:32:30: Valid endpoint found: 172.111.219.2:53:udp
2019-11-20 10:32:30: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2019-11-20 10:32:30: TCP/UDP: Preserving recently used remote address: [AF_INET]172.111.219.2:53
2019-11-20 10:32:30: UDP link local: (not bound)
2019-11-20 10:32:30: UDP link remote: [AF_INET]172.111.219.2:53
2019-11-20 10:32:30: State changed to Authenticating
2019-11-20 10:32:30: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-11-20 10:32:30: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, [email protected]
2019-11-20 10:32:30: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2019-11-20 10:32:30: TLS_ERROR: BIO read tls_read_plaintext error
2019-11-20 10:32:30: TLS Error: TLS object -> incoming plaintext read error
2019-11-20 10:32:30: TLS Error: TLS handshake failed
2019-11-20 10:32:30: SIGTERM received, sending exit notification to peer
2019-11-20 10:32:30: SIGTERM[soft,tls-error] received, process exiting
2019-11-20 10:32:31: State changed to Disconnected
Thanks.
Hi MorphoV,
Thanks for posting your log. The important line is:
The solution is to contact your VPN Provider (based on your logs this looks to be a VPN Service Provider named PureVPN): they should be able to provide you with updated configuration/s you can import into Viscosity that will hopefully connect to server/s using an updated CA.
Having a quick Internet search also seems to indicate you're not alone with running into this with PureVPN: please see the last two comments at the following link for a potential solution as well:
https://bugs.launchpad.net/openvpn/+bug/1766135
Finally, for anyone coming across this post who is unable to get updated configuration files from their VPN Provider, a temporary fix is to add "tls-cipher DEFAULT:@SECLEVEL=0" (without the quotes) as an advanced command to your connection. Again, this should just be temporary, as an insecure CA signature digest has security ramifications.
https://www.sparklabs.com/support/kb/article/advanced-configuration-commands/
Cheers,
James
Thanks for posting your log. The important line is:
Code: Select all
This indicates that the Certificate Authority (CA) used to generate the OpenVPN server's certificate is using an insecure and out of date digest algorithm, potentially compromising the security of the VPN connection through potential MITM attacks.CA signature digest algorithm too weak
The solution is to contact your VPN Provider (based on your logs this looks to be a VPN Service Provider named PureVPN): they should be able to provide you with updated configuration/s you can import into Viscosity that will hopefully connect to server/s using an updated CA.
Having a quick Internet search also seems to indicate you're not alone with running into this with PureVPN: please see the last two comments at the following link for a potential solution as well:
https://bugs.launchpad.net/openvpn/+bug/1766135
Finally, for anyone coming across this post who is unable to get updated configuration files from their VPN Provider, a temporary fix is to add "tls-cipher DEFAULT:@SECLEVEL=0" (without the quotes) as an advanced command to your connection. Again, this should just be temporary, as an insecure CA signature digest has security ramifications.
https://www.sparklabs.com/support/kb/article/advanced-configuration-commands/
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Hi James,
Thanks for your reply. The temporary unsafe fix you mention is working.
I contacted pureVPN, they said they will forward my request to update certificates, but I have very little expectation for it to happen anytime soon, to say the least.
I think I have to use their app, which I don't like, hopping it's safer than theirs OpenVPN configs.
My other option is to go with another VPN provider. Which one do you recommend?
Thanks for your reply. The temporary unsafe fix you mention is working.
I contacted pureVPN, they said they will forward my request to update certificates, but I have very little expectation for it to happen anytime soon, to say the least.
I think I have to use their app, which I don't like, hopping it's safer than theirs OpenVPN configs.
My other option is to go with another VPN provider. Which one do you recommend?
Which one do you recommend?I'm afraid we steer clear of recommending any VPN Service Providers. The closest we come is a list of VPN Service Providers that have setup guides for Viscosity and claim to offer support to Viscosity users here:
https://www.sparklabs.com/support/kb/article/vpn-service-providers/
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
6 posts
Page 1 of 1