Tunnelblick Error: format error in certificate's notAfter field on macOS Mojave 10.14.4


valent...@gmail.com

May 24, 2019, 10:28:16 AM
to tunnelblick-discuss
Dear Tunnelblick Developer Team

I have recently been in contact with you, and this was my previous error message:

2019-05-24 10:56:17.257292 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=**, L=*, O=**, CN=****, emailAddress=**************

Now this was recommended from a developer: 
"
What this means is that while checking the VPN's certificates, OpenSSL (used by OpenVPN to deal with encryption) detected a signature that uses a "weak" algorithm. 

Please try to connect using Tunnelblick's default version of OpenVPN: "OpenVPN 2.4.7 - OpenSSL v1.0.2r". That uses the older version of OpenSSL, which may allow the "weak" (i.e., insecure) signature. If that doesn't work, you should try "OpenVPN 2.4.7 - LibreSSL 2.7.1". [1]

Revert to Tunnelblick 3.7.8, which you apparently were using successfully (and which I believe has different versions of OpenSSL).
Second, uninstalling/reinstalling Tunnelblick almost never solves a problem. Tunnelblick is self-repairing and detects and offers to fix almost all problems in an installation that it encounters. 
"

I tried to connect using Tunnelblick's default version of OpenVPN: "OpenVPN 2.4.7 - OpenSSL v1.0.2r". That uses the older version of OpenSSL, which may allow the "weak" (i.e., insecure) signature. If that doesn't work, you should try "OpenVPN 2.4.7 - LibreSSL 2.7.1".

Now the following error message shows up: 

2019-05-24 16:19:34.000000 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=**, L=**, O=***, CN=**, emailAddress=*****

2019-05-24 16:19:34.000000 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed

2019-05-24 16:19:34.000000 TLS_ERROR: BIO read tls_read_plaintext error

2019-05-24 16:19:34.000000 TLS Error: TLS object -> incoming plaintext read error

2019-05-24 16:19:34.000000 TLS Error: TLS handshake failed


Then I tried to revert Tunnelblick to version 3.7.8.0beta1 (because there is no stable version of 3.7.8 available, otherwise I would like to kindly ask you to send me the download link). However, then this error showed up: 

2019-05-24 16:19:34.000000 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=**, L=**, O=***, CN=**, emailAddress=*****

2019-05-24 16:19:34.000000 OpenSSL: error:14007086:SSL routines:CONNECT_CR_CERT:certificate verify failed

2019-05-24 16:19:34.000000 TLS_ERROR: BIO read tls_read_plaintext error

2019-05-24 16:19:34.000000 TLS Error: TLS object -> incoming plaintext read error

2019-05-24 16:19:34.000000 TLS Error: TLS handshake failed


This is actually the same as the error message before. Well, the PREVIOUS error message:

2019-05-24 10:56:17.257292 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=** L=***, O=***, CN=*****, emailAddress=************** 

disappeared. 

But now I have the following error message: 

2019-05-24 16:19:34.000000 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=**, L=**, O=***, CN=**, emailAddress=*****

I can imagine that this is not an easy case. 

I am looking forward to your help.

Thank you in advance

Best regards

Valentin Hyla 

Tunnelblick developer

May 24, 2019, 11:45:31 AM
to tunnelblick-discuss
I apologize. I'm sorry this is causing you so much trouble.

First, I have restored the link to Tunnelblick 3.7.8 on our Deprecated Downloads page. It was removed in error during the process of releasing 3.7.9 on Tuesday.

So please download 3.7.8 and try that, with each of the different versions of OpenVPN and SSL.

If that doesn't help, there is still a problem with your certificates. This:

2019-05-24 16:19:34.000000 VERIFY ERROR: depth=0, error=format error in certificate's notAfter field: C=**, L=**, O=***, CN=**, emailAddress=*****


is a clue. I think it means that the certificate has expired -- that is, I think the certificate is "not good" after a certain date, and today is after that date.

To verify this, you could set the date in your computer back to the last date you successfully used the VPN and see if it works.

To fix this problem (an expired certificate), you need to contact whoever provided your VPN configuration (and certificates) and get new certificates from them. They probably will give you a new configuration file or files, but that depends on exactly how they structure their configurations.

Tunnelblick developer

May 24, 2019, 11:58:36 AM
to tunnelblick-discuss
Is your VPN provided by "VPNme"? Their certificates have expired – see https://groups.google.com/d/msg/tunnelblick-discuss/OnSqIgyJYoY/VfZLRne3BQAJ.

valent...@gmail.com

May 27, 2019, 7:24:43 AM
to tunnelblick-discuss
Dear Support Team, 

I managed to downgrade my Tunnelblick version to 3.5 using OpenVPN version 2.4.4.

Then the following issue came up: "Warning: Tunnelblick cannot fetch IP address (...)".

To solve this problem I changed the setting "Set DNS/WINS" to "do not set server name".

I could solve the error like that. 

I hope this can help someone facing the same issue. 

Thanks to the Tunnelblick Dev. Team

Best regards

Tunnelblick developer

May 27, 2019, 8:06:22 AM
to tunnelblick-discuss
(1) I assume you downgraded to 3.7.8, not 3.5 -- 3.5 is extremely old!

(2) "Solving" the original problem (a bad certificate) by downgrading to older software which doesn't check the certificate as carefully isn't a good long-term solution. You're stuck using the old software forever, and if/when a security vulnerability is discovered in the old software, you'll be stuck using software with known vulnerabilities. You need to get your VPN service provider to give you certificates that work with modern software.

Yang Kang

Apr 25, 2024, 6:40:36 AM
to tunnelblick-discuss
I have the same issue. After searching the Arch wiki, I got the key config: tls-cipher=DEFAULT:@SECLEVEL=0.
Add the config: cipher "DEFAULT:@SECLEVEL=0" in your .ovpn config file, then you can connect to your old version OpenVPN server.

Tunnelblick developer

Apr 25, 2024, 8:16:44 AM
to tunnelblick-discuss
Yes, but, as a post in the Arch wiki says, "Please note that this is a quick and dirty workaround with several security implications."
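The two verify errors in this thread ("CA signature digest algorithm too weak" and "format error in certificate's notAfter field") both come from OpenSSL looking at fields of the server or CA certificate before it ever trusts them. The following is an added example, not code from Tunnelblick, OpenVPN or anyone in this thread: a standard-library Python DER walker that pulls out exactly those two fields, the signature algorithm and the notAfter time, and reports whether the time is malformed (OpenSSL's "format error" condition), whether the certificate has expired, and whether the signature uses MD5 or SHA-1 (the algorithms OpenSSL refuses at security level 1 and above, and which the @SECLEVEL=0 workaround mentioned above lets through). The sample certificates are constructed in the code, unsigned and with dummy keys; the `example-vpn-ca` name, the `LOG_TIME` reference instant (taken from the timestamps in the quoted logs) and the `build_sample_cert` helper are assumptions made for the example. To check a real certificate, paste its PEM block into `pem_to_der`.

```python
"""Inspect an X.509 certificate's signature algorithm and notAfter field.

Added example (not Tunnelblick or OpenVPN code); standard library only.
"""
import base64
import datetime as dt

# Signature-algorithm OIDs recognised here. MD5 and SHA-1 signatures are what
# OpenSSL rejects as "CA signature digest algorithm too weak" at SECLEVEL >= 1.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

# Reference instant taken from the log lines quoted in the thread (assumption).
LOG_TIME = dt.datetime(2019, 5, 24, 16, 19, 34, tzinfo=dt.timezone.utc)


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour and base64-decode a PEM block."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes):
    """Split the contents of a SEQUENCE or SET into (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value: bytes) -> str:
    parts, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))


def parse_time(tag: int, value: bytes):
    """RFC 5280 Time: UTCTime 'YYMMDDHHMMSSZ' (tag 0x17) or GeneralizedTime
    'YYYYMMDDHHMMSSZ' (tag 0x18). Returns None for a malformed field, which is
    what OpenSSL reports as "format error in certificate's notAfter field"."""
    text = value.decode("ascii", errors="replace")
    if tag == 0x17 and len(text) == 13:
        text = ("20" if text[:2] < "50" else "19") + text   # RFC 5280 century pivot
    elif tag != 0x18:
        return None
    try:
        return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    except ValueError:
        return None


def inspect_certificate(der: bytes, now: dt.datetime = LOG_TIME) -> dict:
    """Report signature algorithm and notAfter status of one DER certificate."""
    (_, cert), = children(der)                      # Certificate ::= SEQUENCE
    tbs, sig_alg, _signature = children(cert)       # tbsCertificate, algorithm, BIT STRING
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                        # optional EXPLICIT [0] version
        fields = fields[1:]
    _not_before, not_after_raw = children(fields[3][1])  # serial, alg, issuer, validity
    not_after = parse_time(*not_after_raw)
    algorithm = SIG_OIDS.get(decode_oid(children(sig_alg[1])[0][1]), "unknown")
    status = ("malformed-notafter" if not_after is None
              else "expired" if now > not_after else "ok")
    return {"signature": algorithm, "weak_signature": algorithm in WEAK_SIGS,
            "not_after": not_after, "status": status}


def tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to construct the sample certificates."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(oid: str) -> bytes:
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p > 0x7F:                     # base-128, high bit set on all but last byte
            p >>= 7
            chunk.insert(0, (p & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)


def build_sample_cert(not_after: bytes, time_tag: int, sig_oid: str) -> bytes:
    """CONSTRUCTED sample (assumption): unsigned, dummy key, CN=example-vpn-ca."""
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, encode_oid("2.5.4.3"))
                                       + tlv(0x0C, b"example-vpn-ca"))))
    validity = tlv(0x30, tlv(0x17, b"190101000000Z") + tlv(time_tag, not_after))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, encode_oid("1.2.840.113549.1.1.1")) + tlv(0x05, b""))
               + tlv(0x03, b"\x00" * 9))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))


def demo() -> dict:
    """Run the inspector over three constructed certificates."""
    cases = {
        "healthy": build_sample_cert(b"300101000000Z", 0x17, "1.2.840.113549.1.1.11"),
        "expired-sha1": build_sample_cert(b"190430235959Z", 0x17, "1.2.840.113549.1.1.5"),
        "bad-notafter": build_sample_cert(b"2019-05-31 12:00", 0x18, "1.2.840.113549.1.1.11"),
    }
    return {name: inspect_certificate(der) for name, der in cases.items()}


if __name__ == "__main__":
    for name, report in demo().items():
        weak = " (weak signature)" if report["weak_signature"] else ""
        print(f"{name:13} {report['status']:18} {report['signature']}{weak}")
```

The "healthy" case passes; the "expired-sha1" case is what a downgrade or `@SECLEVEL=0` hides (the SHA-1 signature is accepted, but the certificate is still expired); and the "bad-notafter" case shows that a malformed time field is a distinct condition from expiry, which is why the inspector reports it separately rather than guessing a date. Running the same inspector over a real `<ca>` or `<cert>` block from an `.ovpn` file tells you which of the two conditions the provider needs to fix.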