Difference between revisions of "openvpn OpenSSL error digital envelope routines unsupported"
(→solution) |
(→versions) |
||
(One intermediate revision by one user not shown) | |||
Line 2: | Line 2: | ||
O.S. = Debian GNU/Linux 12 (bookworm) | O.S. = Debian GNU/Linux 12 (bookworm) | ||
<br>openssl = 3.0.11 | <br>openssl = 3.0.11 | ||
− | <br>openvpn = 2.5.0 | + | <br>openvpn = 2.5.0 & 2.5.8 solution tested successfully |
+ | <br> openvpn 2.6.3 solution test failed | ||
==problem description== | ==problem description== | ||
Line 60: | Line 61: | ||
retry vpn connection. | retry vpn connection. | ||
− | + | ||
==links== | ==links== |
Latest revision as of 13:59, 1 April 2024
Contents |
versions
O.S. = Debian GNU/Linux 12 (bookworm)
openssl = 3.0.11
openvpn = 2.5.0 & 2.5.8 solution tested successfully
openvpn 2.6.3 solution test failed
problem description
unable to connect to a VERY old openvpn server.
old tls 1.0 has already be "enabled" in /etc/ssl/openssl.cnf by adding line...
MinProtocol = TLSv1.0
errors
client openvpn messages...
2024-03-28 22:49:56 Using peer cipher 'BF-CBC' 2024-03-28 22:49:56 OpenSSL: error:0308010C:digital envelope routines::unsupported 2024-03-28 22:49:56 EVP cipher init #1 2024-03-28 22:49:56 Exiting due to fatal error
root cause
the bf-cbc cipher is available via the openssl legacy provider only, but it is not loaded.
verifying bf-cbc is in the supported ciphers of current openssl
$ openssl enc -ciphers | grep -i bf-cbc -bf -bf-cbc -bf-cfb
list loaded openssl providers
$ openssl list -providers Providers: default name: OpenSSL Default Provider version: 3.0.11 status: active
solution
enable the legacy openssl provider
uncomment/add the following lines in the provider section of /etc/ssl/openssl.cnf
[provider_sect] default = default_sect legacy = legacy_sect
[default_sect] activate = 1
[legacy_sect] activate = 1
verify the above lines are working correctly. nothing needs to be "restarted".
$ openssl list -providers Providers: default name: OpenSSL Default Provider version: 3.0.11 status: active legacy name: OpenSSL Legacy Provider version: 3.0.11 status: active
retry vpn connection.
links
HOWTO ACTIVATE LEGACY PROVIDER IN OPENSSL 3 (FOR MD4 AND OTHERS)