openvpn OpenSSL error digital envelope routines unsupported

From thelinuxwiki
Latest revision as of 13:59, 1 April 2024

versions

O.S. = Debian GNU/Linux 12 (bookworm)
openssl = 3.0.11
openvpn = 2.5.0 & 2.5.8: solution tested successfully
openvpn = 2.6.3: solution test failed

problem description

unable to connect to a VERY old openvpn server.

old TLS 1.0 has already been "enabled" in /etc/ssl/openssl.cnf by adding the line...

MinProtocol = TLSv1.0

errors

client openvpn messages...

2024-03-28 22:49:56 Using peer cipher 'BF-CBC'
2024-03-28 22:49:56 OpenSSL: error:0308010C:digital envelope routines::unsupported
2024-03-28 22:49:56 EVP cipher init #1
2024-03-28 22:49:56 Exiting due to fatal error

root cause

the bf-cbc cipher is only provided by the openssl legacy provider, and that provider is not loaded.

verifying bf-cbc is in the supported ciphers of current openssl

$ openssl enc -ciphers | grep -i bf-cbc
-bf                        -bf-cbc                    -bf-cfb

list loaded openssl providers

$ openssl list -providers
Providers:
 default
   name: OpenSSL Default Provider
   version: 3.0.11
   status: active

solution

enable the legacy openssl provider

uncomment/add the following lines in the provider section of /etc/ssl/openssl.cnf

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

verify that the above lines take effect. nothing needs to be "restarted": openssl.cnf is read each time a program initializes openssl.

$ openssl list -providers
Providers:
 default
   name: OpenSSL Default Provider
   version: 3.0.11
   status: active
 legacy
   name: OpenSSL Legacy Provider
   version: 3.0.11
   status: active

retry vpn connection.
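As an added example (not from this wiki page), the following shell script applies the same provider sections through a private config file selected with OPENSSL_CONF, so the legacy provider, and with it BF-CBC and the other weak algorithms it carries, is enabled only for the openvpn process rather than for every program that reads /etc/ssl/openssl.cnf. It also parses the `openssl list -providers` output shown above and probes BF-CBC directly; the config path, function names and the assumption that openvpn is launched with the same OPENSSL_CONF in its environment are this example's own.

```shell
#!/bin/sh
# Added example, not the wiki's own: enable the OpenSSL legacy provider for one
# process via OPENSSL_CONF, then verify the provider loads and BF-CBC round-trips.
# The config path and function names below are this example's own choices.

# Write a minimal provider config (the same sections the page adds) to $1.
write_legacy_conf() {
  cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
}
# Read `openssl list -providers` output on stdin; print the names of active providers.
active_providers() {
  awk 'NF == 1 && $1 != "Providers:" { name = $1 } /status: active/ { print name }'
}
# Return 0 when the legacy provider reports "active" under the config file in $1.
legacy_active() {
  OPENSSL_CONF="$1" openssl list -providers 2>/dev/null | active_providers | grep -qx legacy
}
# Return 0 when cipher $2 encrypts and decrypts a probe string under config $1.
# Fixed key/IV: this only checks that the algorithm is loadable, nothing more.
cipher_roundtrip() {
  _k=000102030405060708090a0b0c0d0e0f; _iv=0001020304050607
  _out=$(printf 'probe' \
    | OPENSSL_CONF="$1" openssl enc "-$2" -K "$_k" -iv "$_iv" 2>/dev/null \
    | OPENSSL_CONF="$1" openssl enc -d "-$2" -K "$_k" -iv "$_iv" 2>/dev/null)
  [ "$_out" = "probe" ]
}
conf="${TMPDIR:-/tmp}/openvpn-legacy.cnf"   # private config, system openssl.cnf untouched
write_legacy_conf "$conf"
if legacy_active "$conf" && cipher_roundtrip "$conf" bf-cbc; then
  echo "ok: start the client as  OPENSSL_CONF=$conf openvpn --config client.ovpn"
else
  echo "legacy provider or bf-cbc unavailable under $conf (is legacy.so installed?)"
fi
```

Because the legacy provider is activated only in the environment of that one openvpn process, other TLS consumers on the host keep the default provider set.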


links

HOWTO ACTIVATE LEGACY PROVIDER IN OPENSSL 3 (FOR MD4 AND OTHERS): https://myrtana.sk/articles/howto-activate-legacy-provider-in-openssl-3