OpenVPN client problem with RSA-1024 certificates

Hi everybody

I'm a noob using OpenWRT and LEDE projects and I have a question about the openvpn client configuration using Luci.
My router is a TP-Link TL-WR841N v11 (no more than 4Mb flash) and I have installed the following release of LEDE : 17.01-SNAPSHOT r3218-bf53a83
I would like to configure an openVPN client using my 'SecurityKiss' VPN account.
All is clear for me about the configuration options but the VPN connection don't work probably because the SecurityKiss certificates are RSA-1024 certificates and mbedtls refuse those for security reasons. mbedtls requires at least RSA-2048 certificates (source :

Here is my system log part about this :

Tue Oct 10 18:11:37 2017 daemon.notice openvpn(security_kiss)[1498]: TLS: Initial packet from [AF_INET], sid=1b5928a4 8bcd9ff3
Tue Oct 10 18:11:38 2017 daemon.notice openvpn(security_kiss)[1498]: VERIFY OK: depth=1, C=IE, ST=IE, L=Dublin, O=GL, CN=GL CA
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: VERIFY ERROR: depth=0, subject=C=IE, ST=IE, L=Dublin, O=GL, CN=server: The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: TLS_ERROR: read tls_read_plaintext error: X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: TLS Error: TLS object -> incoming plaintext read error
Tue Oct 10 18:11:38 2017 daemon.err openvpn(security_kiss)[1498]: TLS Error: TLS handshake failed

Is there a solution to this problem ? e.g. using openvpn-openssl instead of openvpn-mbedtls ?
Thanks in advance for your help.

The openvpn-openssl is working with RSA1024.

Thanks for your reply but I have no idea how to install and use openvpn-openssl instead of openvpn-mbedtls :-/
Also, I do not know if there is enough free flash space for this on my router.
Is there a tutorial or can someone help me with a procedure ?

uninstall openvpn-mbedtls and install openvpn-openssl package

# cp -a /etc/openvpn/ /etc/openvpn.bck
# opkg update
# opkg remove --autoremove openvpn-mbedtls
# opkg install openvpn-openssl
# /etc/init.d/openvpn enable
# /etc/init.d/openvpn start
If openvpn is working then
# rm -rf /etc/openvpn.bck

Thanks for your reply. I will check this as soon as possible...

Oups, I encouter a big problem ...

ok removing openvpn-mbedtls package

root@LEDE:/etc/opkg# opkg remove --autoremove openvpn-mbedtls
Removing package openvpn-mbedtls from root...
Not deleting modified conffile /etc/config/openvpn.

but fails when trying to add openvpn-openssl package

root@LEDE:/etc/opkg# opkg install openvpn-openssl
Collected errors:

  • pkg_hash_add_from_file: Failed to open /var/opkg-lists/reboot_routing: Out of memory.

and fails too when trying to re-install openvpn-mbedtls package

root@LEDE:/etc/opkg# opkg install openvpn-mbedtls
Collected errors:

  • pkg_hash_add_from_file: Failed to open /var/opkg-lists/reboot_routing: Out of memory.

Would there be anything more I could clean before installing a new package ?

  • If your device has only 4MB flash, you need to have the packages you want in the image you flash to the device.
  • Erasing packages which are included in the flashed firmware image does not free any space in flash.
  • Erasing packages you installed after flashing the firmware image however does free the space that you just uninstalled.
1 Like

OK I understand.
And so I guess I have to reinstall the firmware if I want to recover openvpn functionality ?
And after that, Is there really a way to replace the openvpn-mbedtls package by the openvpn-openssl package in order to use a RSA-1024 certificate, considering that my router only has 4MB flash ?

-> Build your own image with just the packages included that you need. The Imagebuilder is the easiest way to achieve this.

And as a general advice regarding devices with only 4MB flash / 32MB RAM:

If possible, don't use RSA1024. It is highly likely that it is already cracked. Looking it up, I see tons of articles titled RSA 1024 cracked.

Thanks for your informations. I will try to do that.

Use RSA 2048 or even better, 4096.

I am aware that RSA-1024 is not a good encryption choice but in a first time, I do not really have the choice.
For my specific usage, it is not very critical to have strong encryption.