openvpn OpenSSL error digital envelope routines unsupported

From thelinuxwiki
Revision as of 04:31, 29 March 2024 by Nighthawk (Talk | contribs)

Jump to: navigation, search

Contents

versions

O.S. = Debian GNU/Linux 12 (bookworm)
openssl = 3.0.11
openvpn = 2.5.0

problem description

unable to connect to a VERY old openvpn server.

old tls 1.0 has already be "enabled" in /etc/ssl/openssl.cnf by adding line... 

MinProtocol = TLSv1.0

errors

client openvpn messages... 

2024-03-28 22:49:56 Using peer cipher 'BF-CBC'
2024-03-28 22:49:56 OpenSSL: error:0308010C:digital envelope routines::unsupported
2024-03-28 22:49:56 EVP cipher init #1
2024-03-28 22:49:56 Exiting due to fatal error

root cause

the bf-cbc cipher is available via the openssl legacy provider only, but it is not loaded.

verifying bf-cbc is in the supported ciphers of current openssl 

$ openssl enc -ciphers | grep -i bf-cbc
-bf                        -bf-cbc                    -bf-cfb

list loaded openssl providers 

$ openssl list -providers
Providers:
 default
   name: OpenSSL Default Provider
   version: 3.0.11
   status: active

solution

enable the legacy openssl provider

uncomment/add the following lines in the provider section of /etc/ssl/openssl.cnf

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
verify the above lines are working correctly. nothing needs to be "restarted". 

$ openssl list -providers
Providers:
 default
   name: OpenSSL Default Provider
   version: 3.0.11
   status: active
 legacy
   name: OpenSSL Legacy Provider
   version: 3.0.11
   status: active
Retrieved from "http://www.thelinuxwiki.com/index.php?title=openvpn_OpenSSL_error_digital_envelope_routines_unsupported&oldid=1475"