Difference between revisions of "openvpn OpenSSL error digital envelope routines unsupported"
From thelinuxwiki
(Created page with "==versions== O.S. = Debian GNU/Linux 12 (bookworm) openssl = 3.0.11 openvpn = 2.5.0 ==problem description== unable to connect to a VERY old openvpn server. old tls 1.0 has a...") |
(→versions) |
||
Line 1: | Line 1: | ||
==versions== | ==versions== | ||
O.S. = Debian GNU/Linux 12 (bookworm) | O.S. = Debian GNU/Linux 12 (bookworm) | ||
− | openssl = 3.0.11 | + | <br>openssl = 3.0.11 |
− | openvpn = 2.5.0 | + | <br>openvpn = 2.5.0 |
==problem description== | ==problem description== |
Revision as of 04:31, 29 March 2024
Contents |
versions
O.S. = Debian GNU/Linux 12 (bookworm)
openssl = 3.0.11
openvpn = 2.5.0
problem description
unable to connect to a VERY old openvpn server.
old tls 1.0 has already be "enabled" in /etc/ssl/openssl.cnf by adding line...
MinProtocol = TLSv1.0
errors
client openvpn messages...
2024-03-28 22:49:56 Using peer cipher 'BF-CBC' 2024-03-28 22:49:56 OpenSSL: error:0308010C:digital envelope routines::unsupported 2024-03-28 22:49:56 EVP cipher init #1 2024-03-28 22:49:56 Exiting due to fatal error
root cause
the bf-cbc cipher is available via the openssl legacy provider only, but it is not loaded.
verifying bf-cbc is in the supported ciphers of current openssl
$ openssl enc -ciphers | grep -i bf-cbc -bf -bf-cbc -bf-cfb
list loaded openssl providers
$ openssl list -providers Providers: default name: OpenSSL Default Provider version: 3.0.11 status: active
solution
enable the legacy openssl provider
uncomment/add the following lines in the provider section of /etc/ssl/openssl.cnf
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
verify the above lines are working correctly. nothing needs to be "restarted".
$ openssl list -providers Providers: default name: OpenSSL Default Provider version: 3.0.11 status: active legacy name: OpenSSL Legacy Provider version: 3.0.11 status: active