openvpn OpenSSL error digital envelope routines unsupported
From thelinuxwiki
Contents |
versions
O.S. = Debian GNU/Linux 12 (bookworm) openssl = 3.0.11 openvpn = 2.5.0
problem description
unable to connect to a VERY old openvpn server.
old tls 1.0 has already be "enabled" in /etc/ssl/openssl.cnf by adding line...
MinProtocol = TLSv1.0
errors
client openvpn messages...
2024-03-28 22:49:56 Using peer cipher 'BF-CBC' 2024-03-28 22:49:56 OpenSSL: error:0308010C:digital envelope routines::unsupported 2024-03-28 22:49:56 EVP cipher init #1 2024-03-28 22:49:56 Exiting due to fatal error
root cause
the bf-cbc cipher is available via the openssl legacy provider only, but it is not loaded.
verifying bf-cbc is in the supported ciphers of current openssl
$ openssl enc -ciphers | grep -i bf-cbc -bf -bf-cbc -bf-cfb
list loaded openssl providers
$ openssl list -providers Providers: default name: OpenSSL Default Provider version: 3.0.11 status: active
solution
enable the legacy openssl provider
uncomment/add the following lines in the provider section of /etc/ssl/openssl.cnf
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
verify the above lines are working correctly. nothing needs to be "restarted".
$ openssl list -providers Providers: default name: OpenSSL Default Provider version: 3.0.11 status: active legacy name: OpenSSL Legacy Provider version: 3.0.11 status: active