No more connection since last update


MorphoV

Posts: 3
Joined: Wed Nov 20, 2019 1:07 am

Post by MorphoV » Wed Nov 20, 2019 1:14 am
Hi,
Viscosity stopped connecting the minute I upgraded to 1.8.2.
The common OpenVPN errors page didn't help. I don't have time for this anyway.

How can I just roll back to 1.8.1? Can't find the link. All the previous versions I found are much older.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Nov 20, 2019 10:18 am
Hi MorphoV,

More information on why you're unable to connect should be available in the OpenVPN log. Please feel free to post a copy of the log here if you'd like help taking a look.
https://www.sparklabs.com/support/kb/article/viewing-the-openvpn-log/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

MorphoV

Posts: 3
Joined: Wed Nov 20, 2019 1:07 am

Post by MorphoV » Wed Nov 20, 2019 8:39 pm
Here is a log loop:

2019-11-20 10:32:30: Viscosity Mac 1.8.2 (1516)
2019-11-20 10:32:30: Viscosity OpenVPN Engine Started
2019-11-20 10:32:30: Running on macOS 10.14.6
2019-11-20 10:32:30: ---------
2019-11-20 10:32:30: State changed to Connecting
2019-11-20 10:32:30: Checking reachability status of connection...
2019-11-20 10:32:30: Connection is reachable. Starting connection attempt.
2019-11-20 10:32:30: OpenVPN 2.4.8 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Nov 11 2019
2019-11-20 10:32:30: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
2019-11-20 10:32:30: Resolving address: fr1-ovpn-udp.pointtoserver.com
2019-11-20 10:32:30: Valid endpoint found: 172.111.219.2:53:udp
2019-11-20 10:32:30: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2019-11-20 10:32:30: TCP/UDP: Preserving recently used remote address: [AF_INET]172.111.219.2:53
2019-11-20 10:32:30: UDP link local: (not bound)
2019-11-20 10:32:30: UDP link remote: [AF_INET]172.111.219.2:53
2019-11-20 10:32:30: State changed to Authenticating
2019-11-20 10:32:30: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-11-20 10:32:30: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=HK, ST=HK, L=HongKong, O=PureVPN, OU=IT, CN=PureVPN, name=PureVPN, [email protected]
2019-11-20 10:32:30: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2019-11-20 10:32:30: TLS_ERROR: BIO read tls_read_plaintext error
2019-11-20 10:32:30: TLS Error: TLS object -> incoming plaintext read error
2019-11-20 10:32:30: TLS Error: TLS handshake failed
2019-11-20 10:32:30: SIGTERM received, sending exit notification to peer
2019-11-20 10:32:30: SIGTERM[soft,tls-error] received, process exiting
2019-11-20 10:32:31: State changed to Disconnected

Thanks.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Nov 20, 2019 8:54 pm
Hi MorphoV,

Thanks for posting your log. The important line is:
CA signature digest algorithm too weak
This indicates that the Certificate Authority (CA) used to generate the OpenVPN server's certificate is using an insecure and out-of-date digest algorithm, potentially compromising the security of the VPN connection through potential MITM attacks.

The solution is to contact your VPN Provider (based on your logs this looks to be a VPN Service Provider named PureVPN): they should be able to provide you with updated configuration/s you can import into Viscosity that will hopefully connect to server/s using an updated CA.

Having a quick Internet search also seems to indicate you're not alone with running into this with PureVPN: please see the last two comments at the following link for a potential solution as well:
https://bugs.launchpad.net/openvpn/+bug/1766135

Finally, for anyone coming across this post who is unable to get updated configuration files from their VPN Provider, a temporary fix is to add "tls-cipher DEFAULT:@SECLEVEL=0" (without the quotes) as an advanced command to your connection. Again, this should just be temporary, as an insecure CA signature digest has security ramifications.
https://www.sparklabs.com/support/kb/article/advanced-configuration-commands/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
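
Added example, not part of the original thread and not SparkLabs or OpenVPN code: a small Python audit that flags client configurations still carrying the `tls-cipher DEFAULT:@SECLEVEL=0` workaround and matches the three warnings seen in the log posted above. The finding names, the sample configuration (placeholder host) and the config-side heuristics are assumptions made for illustration.

```python
import re

# Directives that give an OpenVPN client some check on the server certificate.
VERIFY_DIRECTIVES = {"remote-cert-tls", "remote-cert-eku", "ns-cert-type",
                     "verify-x509-name", "tls-verify"}
# Message fragments copied from the log posted in this thread.
LOG_PATTERNS = {
    "weak-ca-digest": "CA signature digest algorithm too weak",
    "no-server-verify": "No server certificate verification method has been enabled",
    "password-cache": "may cache passwords in memory",
}

def parse_directives(config_text):
    """Map directive name -> argument strings, skipping comments and inline <ca>-style blocks."""
    directives, inline_tag = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline_tag:                       # inside <ca>...</ca> and similar
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        opened = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if opened:
            inline_tag = opened.group(1)
        elif line and line[0] not in "#;":   # '#' and ';' start comments
            name, *rest = line.split(None, 1)
            directives.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return directives

def audit_config(config_text):
    """Return sorted finding ids for one client configuration (heuristic checks)."""
    d, findings = parse_directives(config_text), set()
    if any("@SECLEVEL=0" in arg.upper() for arg in d.get("tls-cipher", [])):
        findings.add("seclevel-0-workaround")    # the temporary fix from this thread
    if VERIFY_DIRECTIVES.isdisjoint(d):
        findings.add("no-server-verify")
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.add("password-cache")
    return sorted(findings)

def scan_log(log_text):
    """Return sorted finding ids whose message fragment appears in an OpenVPN log."""
    return sorted(k for k, frag in LOG_PATTERNS.items() if frag in log_text)

# Constructed sample config (placeholder host), not a real provider profile.
SAMPLE_CONFIG = "client\nremote vpn.example.test 1194 udp\nauth-user-pass\ntls-cipher DEFAULT:@SECLEVEL=0\n"

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```

Running it over every imported connection profile shows which ones still depend on the weakened security level once the provider has issued updated certificates.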

MorphoV

Posts: 3
Joined: Wed Nov 20, 2019 1:07 am

Post by MorphoV » Thu Nov 21, 2019 9:31 pm
Hi James,
Thanks for your reply. The temporary unsafe fix you mention is working.

I contacted PureVPN, they said they will forward my request to update certificates, but I have very little expectation for it to happen anytime soon, to say the least.

I think I have to use their app, which I don't like, hoping it's safer than their OpenVPN configs.
My other option is to go with another VPN provider. Which one do you recommend?

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Nov 22, 2019 3:36 pm
> Which one do you recommend?
I'm afraid we steer clear of recommending any VPN Service Providers. The closest we come is a list of VPN Service Providers that have setup guides for Viscosity and claim to offer support to Viscosity users here:
https://www.sparklabs.com/support/kb/article/vpn-service-providers/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs