Page 1 of 1

No more connection since last update

Posted: Wed Nov 20, 2019 1:14 am
by MorphoV
Hi,
Viscosity stopped connecting the minute I upgraded to 1.8.2.
The common OpenVPN errors page didn't help. I don't have time for this anyway.

How can I just roll back to 1.8.1? Can't find the link. All the previous version I found are much older.

Re: No more connection since last update

Posted: Wed Nov 20, 2019 10:18 am
by James
Hi MorphoV,

More information on why you're unable to connect should be available in the OpenVPN log. Please feel free to post a copy of the log here if you'd like help taking a look.
https://www.sparklabs.com/support/kb/article/viewing-the-openvpn-log/

Cheers,
James

Re: No more connection since last update

Posted: Wed Nov 20, 2019 8:39 pm
by MorphoV
Here is a log loop:

2019-11-20 10:32:30: Viscosity Mac 1.8.2 (1516)
2019-11-20 10:32:30: Viscosity OpenVPN Engine Started
2019-11-20 10:32:30: Running on macOS 10.14.6
2019-11-20 10:32:30: ---------
2019-11-20 10:32:30: State changed to Connecting
2019-11-20 10:32:30: Checking reachability status of connection...
2019-11-20 10:32:30: Connection is reachable. Starting connection attempt.
2019-11-20 10:32:30: OpenVPN 2.4.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 11 2019
2019-11-20 10:32:30: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
2019-11-20 10:32:30: Resolving address: fr1-ovpn-udp.pointtoserver.com
2019-11-20 10:32:30: Valid endpoint found: 172.111.219.2:53:udp
2019-11-20 10:32:30: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2019-11-20 10:32:30: TCP/UDP: Preserving recently used remote address: [AF_INET]172.111.219.2:53
2019-11-20 10:32:30: UDP link local: (not bound)
2019-11-20 10:32:30: UDP link remote: [AF_INET]172.111.219.2:53
2019-11-20 10:32:30: State changed to Authenticating
2019-11-20 10:32:30: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-11-20 10:32:30: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, [email protected]
2019-11-20 10:32:30: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2019-11-20 10:32:30: TLS_ERROR: BIO read tls_read_plaintext error
2019-11-20 10:32:30: TLS Error: TLS object -> incoming plaintext read error
2019-11-20 10:32:30: TLS Error: TLS handshake failed
2019-11-20 10:32:30: SIGTERM received, sending exit notification to peer
2019-11-20 10:32:30: SIGTERM[soft,tls-error] received, process exiting
2019-11-20 10:32:31: State changed to Disconnected

Thanks.

Re: No more connection since last update

Posted: Wed Nov 20, 2019 8:54 pm
by James
Hi MorphoV,

Thanks for posting your log. The important line is:
Code: Select all
CA signature digest algorithm too weak
This indicates that the Certificate Authority (CA) used to generate the OpenVPN server's certificate is using an insecure and out of date digest algorithm, potentially compromising the security of the VPN connection through potential MITM attacks.

The solution is to contact your VPN Provider (based on your logs this looks to be a VPN Service Provider named PureVPN): they should be able to provide you with updated configuration/s you can import into Viscosity that will hopefully connect to server/s using an updated CA.

Having a quick Internet search also seems to indicate you're not alone with running into this with PureVPN: please see the last two comments at the following link for a potential solution as well:
https://bugs.launchpad.net/openvpn/+bug/1766135

Finally, for anyone coming across this post who is unable to get updated configuration files from their VPN Provider, a temporary fix is to add "tls-cipher DEFAULT:@SECLEVEL=0" (without the quotes) as an advanced command to your connection. Again, this should just be temporary, as an insecure CA signature digest has security ramifications.
https://www.sparklabs.com/support/kb/article/advanced-configuration-commands/

Cheers,
James

Re: No more connection since last update

Posted: Thu Nov 21, 2019 9:31 pm
by MorphoV
Hi James,
Thanks for your reply. The temporary unsafe fix you mention is working.

I contacted pureVPN, they said they will forward my request to update certificates, but I have very little expectation for it to happen anytime soon, to say the least.

I think I have to use their app, which I don't like, hopping it's safer than theirs OpenVPN configs.
My other option is to go with another VPN provider. Which one do you recommend?

Re: No more connection since last update

Posted: Fri Nov 22, 2019 3:36 pm
by James
Which one do you recommend?
I'm afraid we steer clear of recommending any VPN Service Providers. The closest we come is a list of VPN Service Providers that have setup guides for Viscosity and claim to offer support to Viscosity users here:
https://www.sparklabs.com/support/kb/article/vpn-service-providers/

Cheers,
James