Difference between revisions of "openvpn OpenSSL error digital envelope routines unsupported"

From thelinuxwiki

Revision as of 13:58, 1 April 2024

versions

O.S. = Debian GNU/Linux 12 (bookworm)
openssl = 3.0.11
openvpn = 2.5.0

problem description

unable to connect to a VERY old openvpn server.

tls 1.0 has already been "enabled" in /etc/ssl/openssl.cnf by adding the line...

MinProtocol = TLSv1.0

errors

client openvpn messages...

2024-03-28 22:49:56 Using peer cipher 'BF-CBC'
2024-03-28 22:49:56 OpenSSL: error:0308010C:digital envelope routines::unsupported
2024-03-28 22:49:56 EVP cipher init #1
2024-03-28 22:49:56 Exiting due to fatal error

root cause

the bf-cbc (Blowfish) cipher is implemented only by the openssl legacy provider, and openssl 3 does not load that provider unless it is activated in openssl.cnf.

verifying that bf-cbc is still known to the installed openssl. this command lists the cipher names openssl was built with, so bf-cbc shows up even though no loaded provider implements it yet.

$ openssl enc -ciphers | grep -i bf-cbc
-bf                        -bf-cbc                    -bf-cfb

list loaded openssl providers

$ openssl list -providers
Providers:
 default
   name: OpenSSL Default Provider
   version: 3.0.11
   status: active

solution

enable the legacy openssl provider

uncomment/add the following lines in the provider section of /etc/ssl/openssl.cnf

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

verify that the above lines are working. nothing needs to be "restarted", since openssl.cnf is read each time a process initializes openssl.

$ openssl list -providers
Providers:
 default
   name: OpenSSL Default Provider
   version: 3.0.11
   status: active
 legacy
   name: OpenSSL Legacy Provider
   version: 3.0.11
   status: active

retry vpn connection.
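The two checks the page does by eye (is the legacy provider listed as active, and does openssl.cnf really wire legacy_sect into provider_sect with activate = 1) can be scripted. The script below is an added example, not part of the wiki page or of OpenSSL; the provider listings and config fragments in it are constructed to mirror the page, and the section names provider_sect and legacy_sect are assumed to be the stock ones from openssl.cnf. It also shows, when an openssl binary is present, how to exercise BF-CBC with the legacy provider loaded on the command line alone, which tells "provider not activated in the config" apart from "legacy provider not installed at all".

```shell
#!/bin/sh
# Added example (not from the wiki page): offline checks for OpenSSL 3 legacy
# provider activation. Sample provider listings and configs are constructed.

# provider_active NAME   (reads `openssl list -providers` output on stdin)
# Prints "yes" if NAME appears with "status: active", otherwise "no".
provider_active() {
  awk -v want="$1" '
    # provider names are indented lines without a colon, e.g. "  legacy"
    /^[[:space:]]+[A-Za-z0-9_-]+[[:space:]]*$/ { cur = $1; next }
    /status:/ && cur == want && $2 == "active" { found = 1 }
    END { r = found ? "yes" : "no"; print r }'
}

# config_activates NAME   (reads an openssl.cnf on stdin)
# Follows "NAME = <section>" inside [provider_sect] and prints "yes" only if
# that section contains "activate = 1". The openssl_init -> providers chain
# above provider_sect is assumed to be the stock one and is not re-checked.
config_activates() {
  awk -v want="$1" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # skip comments, blanks
    /^[[:space:]]*\[/ { sect = $0; gsub(/[^A-Za-z0-9_]/, "", sect); next }
    {
      n = split($0, kv, "="); if (n < 2) next
      key = kv[1]; val = kv[2]
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (sect == "provider_sect" && key == want) target = val
      if (key == "activate") act[sect] = val
    }
    END { r = (target != "" && act[target] == "1") ? "yes" : "no"; print r }'
}

# Constructed sample: `openssl list -providers` before the fix (as on the page)
BEFORE='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.11
    status: active'

# Constructed sample: the same listing after the legacy provider is activated
AFTER="$BEFORE
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.11
    status: active"

# Constructed config fragments: stock (legacy commented out), half-done (legacy
# wired into provider_sect but its section never activated), and fixed.
CNF_DEFAULT='[provider_sect]
default = default_sect
# legacy = legacy_sect

[default_sect]
activate = 1
# [legacy_sect]
# activate = 1'

CNF_HALF='[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1
[legacy_sect]
# activate = 1'

CNF_FIXED='[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1
[legacy_sect]
activate = 1'

printf 'before fix, legacy active: %s\n' "$(printf '%s\n' "$BEFORE" | provider_active legacy)"
printf 'after fix,  legacy active: %s\n' "$(printf '%s\n' "$AFTER" | provider_active legacy)"
printf 'stock cnf activates legacy: %s\n' "$(printf '%s\n' "$CNF_DEFAULT" | config_activates legacy)"
printf 'half cnf activates legacy:  %s\n' "$(printf '%s\n' "$CNF_HALF" | config_activates legacy)"
printf 'fixed cnf activates legacy: %s\n' "$(printf '%s\n' "$CNF_FIXED" | config_activates legacy)"

# Live checks, only if an OpenSSL 3 binary is on PATH. Loading the providers
# with -provider on the command line bypasses openssl.cnf, so a failing
# round-trip here means the legacy provider module itself is missing.
if command -v openssl >/dev/null 2>&1; then
  printf 'live: legacy active per openssl.cnf: %s\n' "$(openssl list -providers | provider_active legacy)"
  if out=$(printf 'probe' | openssl enc -bf-cbc -pbkdf2 -pass pass:constructed \
              -provider legacy -provider default 2>/dev/null |
           openssl enc -d -bf-cbc -pbkdf2 -pass pass:constructed \
              -provider legacy -provider default 2>/dev/null) &&
     [ "$out" = probe ]; then
    echo 'live: BF-CBC round-trip OK with explicit -provider legacy'
  else
    echo 'live: BF-CBC round-trip failed (legacy provider module not available)'
  fi
fi
```

Run it as `sh check-legacy.sh`; to check a real system, pipe `openssl list -providers` into `provider_active legacy` and `/etc/ssl/openssl.cnf` into `config_activates legacy`. The half-done config is the case that bites in practice: the legacy = legacy_sect line is uncommented but the activate = 1 under [legacy_sect] is not, and `openssl list -providers` then still shows only default.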

NOTE... at some version of openvpn it seems to have dropped the ability to use bf-cbc at all. this solution was tested with openvpn 2.5.0, which was compiled from source. it didn't work with openvpn 2.6.3.

links

HOWTO ACTIVATE LEGACY PROVIDER IN OPENSSL 3 (FOR MD4 AND OTHERS) - https://myrtana.sk/articles/howto-activate-legacy-provider-in-openssl-3